./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1989821597 <...> Warning: Permanently added '10.128.10.6' (ED25519) to the list of known hosts. execve("./syz-executor1989821597", ["./syz-executor1989821597"], 0x7ffe90b6d220 /* 10 vars */) = 0 brk(NULL) = 0x555556d1b000 brk(0x555556d1bd40) = 0x555556d1bd40 arch_prctl(ARCH_SET_FS, 0x555556d1b3c0) = 0 set_tid_address(0x555556d1b690) = 5015 set_robust_list(0x555556d1b6a0, 24) = 0 rseq(0x555556d1bce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1989821597", 4096) = 28 getrandom("\x9c\xc1\x32\xd4\xdb\x17\xb1\xe9", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555556d1bd40 brk(0x555556d3cd40) = 0x555556d3cd40 brk(0x555556d3d000) = 0x555556d3d000 mprotect(0x7f012f7b3000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.hAkSdp", 0700) = 0 chmod("./syzkaller.hAkSdp", 0777) = 0 chdir("./syzkaller.hAkSdp") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5016 ./strace-static-x86_64: Process 5016 attached [pid 5016] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5016] chdir("./0") = 0 [pid 5016] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5016] setpgid(0, 0) = 0 [pid 5016] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5016] write(3, "1000", 4) = 4 [pid 5016] close(3) = 0 [pid 5016] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5016] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5016] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5016] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5016] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5016] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5016] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5016] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5018]}, 88) = 5018 [pid 5016] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5016] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5016] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5018 attached [pid 5018] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5018] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5018] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5018] memfd_create("syzkaller", 0) = 3 [pid 5018] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [ 57.367367][ T5018] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5018 'syz-executor198' [pid 5018] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5018] munmap(0x7f01272bc000, 16777216) = 0 [pid 5018] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5018] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5018] close(3) = 0 [pid 5018] mkdir("./file0", 0777) = 0 [ 57.573415][ T5018] loop0: detected capacity change from 0 to 32768 [ 57.588039][ T5018] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 57.596650][ T5018] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 57.610376][ T5018] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 57.620349][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 57.627358][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5018] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5018] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5018] chdir("./file0") = 0 [pid 5018] ioctl(4, LOOP_CLR_FD) = 0 [pid 5018] close(4) = 0 [pid 5018] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5018] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5016] <... futex resumed>) = 0 [pid 5016] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5016] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5018] <... futex resumed>) = 0 [ 57.668563][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 57.678367][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 57.684184][ T5018] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 57.704675][ T5018] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5018] open("./file0", O_RDWR [pid 5016] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5016] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5016] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5016] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5016] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5016] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5020]}, 88) = 5020 [pid 5016] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5016] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5016] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5020 attached [pid 5020] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5020] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5020] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 57.713431][ T5018] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 57.713431][ T5018] inode = 12 2341 [ 57.713431][ T5018] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 57.732634][ T5018] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 57.742111][ T5018] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5018 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 57.752332][ T5018] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 57.760930][ T5018] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5020] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5020] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5016] <... futex resumed>) = 0 [pid 5016] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5016] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5020] <... futex resumed>) = 1 [pid 5020] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5020] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5016] <... futex resumed>) = 0 [pid 5020] <... futex resumed>) = 1 [ 57.769719][ T5018] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 57.779071][ T5018] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 57.786961][ T5018] gfs2: fsid=syz:syz.0: File system withdrawn [ 57.793408][ T5018] CPU: 0 PID: 5018 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 57.803820][ T5018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 57.813865][ T5018] Call Trace: [ 57.817130][ T5018] [ 57.820050][ T5018] dump_stack_lvl+0x1e7/0x2d0 [ 57.824719][ T5018] ? nf_tcp_handle_invalid+0x650/0x650 [ 57.830165][ T5018] ? panic+0x770/0x770 [ 57.834278][ T5018] gfs2_withdraw+0xc94/0x11e0 [ 57.838955][ T5018] gfs2_dirent_scan+0x512/0x640 [ 57.843794][ T5018] ? gfs2_permission+0x268/0x3c0 [ 57.848804][ T5018] ? gfs2_dirent_search+0x8c0/0x8c0 [ 57.854165][ T5018] gfs2_dirent_search+0x30e/0x8c0 [ 57.859191][ T5018] ? gfs2_dirent_search+0x8c0/0x8c0 [ 57.864382][ T5018] ? generic_permission+0x1df/0x550 [ 57.869577][ T5018] ? gfs2_dir_search+0x2f0/0x2f0 [ 57.874524][ T5018] ? gfs2_permission+0x34a/0x3c0 [ 57.879457][ T5018] gfs2_dir_search+0xb2/0x2f0 [ 57.884413][ T5018] ? do_filldir_main+0x520/0x520 [ 57.889375][ T5018] ? inode_go_held+0xea/0x200 [ 57.894121][ T5018] ? gfs2_glock_wait+0x21a/0x2b0 [ 57.899055][ T5018] gfs2_lookupi+0x460/0x5d0 [ 57.903717][ T5018] ? gfs2_lookup_simple+0x180/0x180 [ 57.908929][ T5018] ? __gfs2_lookup+0xa4/0x270 [ 57.913624][ T5018] __gfs2_lookup+0xa4/0x270 [ 57.918241][ T5018] ? gfs2_atomic_open+0x230/0x230 [ 57.923309][ T5018] ? __d_lookup+0x675/0x730 [ 57.927818][ T5018] ? d_hash_and_lookup+0x1b0/0x1b0 [ 57.932962][ T5018] gfs2_atomic_open+0x9e/0x230 [ 57.937782][ T5018] path_openat+0x1044/0x3180 [ 57.942389][ T5018] ? gfs2_rename2+0x25a0/0x25a0 [ 57.947249][ T5018] ? do_filp_open+0x490/0x490 [ 57.951939][ T5018] do_filp_open+0x234/0x490 [ 57.956454][ T5018] ? vfs_tmpfile+0x4b0/0x4b0 [ 57.961073][ T5018] ? _raw_spin_unlock+0x28/0x40 [ 57.966039][ T5018] ? alloc_fd+0x59c/0x640 [ 57.970481][ T5018] do_sys_openat2+0x13e/0x1d0 [ 57.975237][ T5018] ? do_sys_open+0x230/0x230 [ 57.979969][ T5018] ? lockdep_hardirqs_on+0x98/0x140 [ 57.985180][ T5018] ? _raw_spin_unlock_irq+0x2e/0x50 [ 57.990382][ T5018] ? ptrace_notify+0x278/0x380 [ 57.995138][ T5018] __x64_sys_open+0x225/0x270 [ 57.999810][ T5018] ? do_sys_openat2+0x1d0/0x1d0 [ 58.004667][ T5018] ? syscall_enter_from_user_mode+0x32/0x230 [ 58.010690][ T5018] ? syscall_enter_from_user_mode+0x8c/0x230 [ 58.016674][ T5018] do_syscall_64+0x41/0xc0 [ 58.021095][ T5018] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 58.026997][ T5018] RIP: 0033:0x7f012f71fa59 [ 58.031674][ T5018] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 58.051282][ T5018] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 58.059725][ T5018] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5020] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5018] <... open resumed>) = -1 EIO (Input/output error) [pid 5018] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5018] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5016] exit_group(0 [pid 5020] <... futex resumed>) = ? [pid 5016] <... exit_group resumed>) = ? [pid 5020] +++ exited with 0 +++ [pid 5018] <... futex resumed>) = ? [pid 5018] +++ exited with 0 +++ [pid 5016] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5016, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 [ 58.067789][ T5018] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 58.075911][ T5018] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 58.083886][ T5018] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 58.091855][ T5018] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 58.099884][ T5018] umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5021 ./strace-static-x86_64: Process 5021 attached [pid 5021] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5021] chdir("./1") = 0 [pid 5021] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5021] setpgid(0, 0) = 0 [pid 5021] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5021] write(3, "1000", 4) = 4 [pid 5021] close(3) = 0 [pid 5021] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5021] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5021] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5021] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5021] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5021] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5021] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5021] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5022]}, 88) = 5022 [pid 5021] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5021] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5021] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5022 attached [pid 5022] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5022] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5022] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5022] memfd_create("syzkaller", 0) = 3 [pid 5022] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5022] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5022] munmap(0x7f01272bc000, 16777216) = 0 [pid 5022] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5022] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5022] close(3) = 0 [pid 5022] mkdir("./file0", 0777) = 0 [ 58.423859][ T5022] loop0: detected capacity change from 0 to 32768 [ 58.435383][ T5022] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 58.443758][ T5022] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 58.453615][ T5022] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 58.462622][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 58.469935][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5022] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5022] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5022] chdir("./file0") = 0 [pid 5022] ioctl(4, LOOP_CLR_FD) = 0 [pid 5022] close(4) = 0 [pid 5022] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5021] <... futex resumed>) = 0 [pid 5021] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5021] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5022] <... futex resumed>) = 1 [ 58.506243][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 58.515839][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 58.521296][ T5022] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 58.542467][ T5022] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5022] open("./file0", O_RDWR [pid 5021] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5021] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5021] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5021] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5021] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5021] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5024]}, 88) = 5024 [pid 5021] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5021] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5021] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5024 attached [pid 5024] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5024] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5024] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5024] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5024] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5021] <... futex resumed>) = 0 [pid 5021] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5021] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5024] <... futex resumed>) = 1 [pid 5024] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5024] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5021] <... futex resumed>) = 0 [pid 5024] <... futex resumed>) = 1 [ 58.551366][ T5022] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 58.551366][ T5022] inode = 12 2341 [ 58.551366][ T5022] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 58.570368][ T5022] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 58.579513][ T5022] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5022 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 58.589760][ T5022] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 58.598914][ T5022] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 58.606981][ T5022] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 58.616123][ T5022] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 58.623177][ T5022] gfs2: fsid=syz:syz.0: File system withdrawn [ 58.629462][ T5022] CPU: 1 PID: 5022 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 58.639997][ T5022] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 58.650160][ T5022] Call Trace: [ 58.653448][ T5022] [ 58.656464][ T5022] dump_stack_lvl+0x1e7/0x2d0 [ 58.661238][ T5022] ? nf_tcp_handle_invalid+0x650/0x650 [ 58.666801][ T5022] ? panic+0x770/0x770 [ 58.670898][ T5022] gfs2_withdraw+0xc94/0x11e0 [ 58.675795][ T5022] gfs2_dirent_scan+0x512/0x640 [ 58.680663][ T5022] ? gfs2_permission+0x268/0x3c0 [ 58.685713][ T5022] ? gfs2_dirent_search+0x8c0/0x8c0 [ 58.690909][ T5022] gfs2_dirent_search+0x30e/0x8c0 [ 58.695947][ T5022] ? gfs2_dirent_search+0x8c0/0x8c0 [ 58.701164][ T5022] ? generic_permission+0x1df/0x550 [pid 5024] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5021] exit_group(0 [pid 5024] <... futex resumed>) = ? [pid 5021] <... exit_group resumed>) = ? [pid 5024] +++ exited with 0 +++ [ 58.706359][ T5022] ? gfs2_dir_search+0x2f0/0x2f0 [ 58.711305][ T5022] ? gfs2_permission+0x34a/0x3c0 [ 58.716356][ T5022] gfs2_dir_search+0xb2/0x2f0 [ 58.721152][ T5022] ? do_filldir_main+0x520/0x520 [ 58.726121][ T5022] ? inode_go_held+0xea/0x200 [ 58.730817][ T5022] ? gfs2_glock_wait+0x21a/0x2b0 [ 58.735780][ T5022] gfs2_lookupi+0x460/0x5d0 [ 58.740286][ T5022] ? gfs2_lookup_simple+0x180/0x180 [ 58.745493][ T5022] ? __gfs2_lookup+0xa4/0x270 [ 58.750183][ T5022] __gfs2_lookup+0xa4/0x270 [ 58.754699][ T5022] ? gfs2_atomic_open+0x230/0x230 [ 58.759728][ T5022] ? __d_lookup+0x675/0x730 [ 58.764234][ T5022] ? d_hash_and_lookup+0x1b0/0x1b0 [ 58.769348][ T5022] gfs2_atomic_open+0x9e/0x230 [ 58.774114][ T5022] path_openat+0x1044/0x3180 [ 58.778719][ T5022] ? gfs2_rename2+0x25a0/0x25a0 [ 58.783587][ T5022] ? do_filp_open+0x490/0x490 [ 58.788276][ T5022] do_filp_open+0x234/0x490 [ 58.792782][ T5022] ? vfs_tmpfile+0x4b0/0x4b0 [ 58.797379][ T5022] ? _raw_spin_unlock+0x28/0x40 [ 58.802234][ T5022] ? alloc_fd+0x59c/0x640 [ 58.806583][ T5022] do_sys_openat2+0x13e/0x1d0 [ 58.811281][ T5022] ? do_sys_open+0x230/0x230 [ 58.815870][ T5022] ? lockdep_hardirqs_on+0x98/0x140 [ 58.821065][ T5022] ? _raw_spin_unlock_irq+0x2e/0x50 [ 58.827312][ T5022] ? ptrace_notify+0x278/0x380 [ 58.832082][ T5022] __x64_sys_open+0x225/0x270 [ 58.836772][ T5022] ? do_sys_openat2+0x1d0/0x1d0 [ 58.841651][ T5022] ? syscall_enter_from_user_mode+0x32/0x230 [ 58.847643][ T5022] ? syscall_enter_from_user_mode+0x8c/0x230 [ 58.853645][ T5022] do_syscall_64+0x41/0xc0 [ 58.858058][ T5022] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 58.863969][ T5022] RIP: 0033:0x7f012f71fa59 [ 58.868400][ T5022] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 58.888126][ T5022] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 58.896551][ T5022] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5022] <... open resumed>) = ? [pid 5022] +++ exited with 0 +++ [pid 5021] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5021, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 [ 58.904720][ T5022] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 58.912709][ T5022] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 58.920685][ T5022] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 58.928748][ T5022] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 58.936731][ T5022] umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5025 ./strace-static-x86_64: Process 5025 attached [pid 5025] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5025] chdir("./2") = 0 [pid 5025] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5025] setpgid(0, 0) = 0 [pid 5025] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5025] write(3, "1000", 4) = 4 [pid 5025] close(3) = 0 [pid 5025] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5025] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5025] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5025] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5025] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5025] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5025] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5025] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5026]}, 88) = 5026 [pid 5025] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5025] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5025] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5026 attached [pid 5026] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5026] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5026] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5026] memfd_create("syzkaller", 0) = 3 [pid 5026] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5026] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5026] munmap(0x7f01272bc000, 16777216) = 0 [pid 5026] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5026] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5026] close(3) = 0 [pid 5026] mkdir("./file0", 0777) = 0 [ 59.249996][ T5026] loop0: detected capacity change from 0 to 32768 [ 59.262041][ T5026] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 59.270518][ T5026] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 59.281121][ T5026] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 59.289785][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 59.296580][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5026] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5026] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5026] chdir("./file0") = 0 [pid 5026] ioctl(4, LOOP_CLR_FD) = 0 [pid 5026] close(4) = 0 [pid 5026] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5025] <... futex resumed>) = 0 [pid 5026] open("./file0", O_RDWR [pid 5025] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 59.337090][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 59.345197][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 59.350522][ T5026] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 59.364735][ T5026] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 59.373637][ T5026] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 59.373637][ T5026] inode = 12 2341 [pid 5025] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5025] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5025] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [ 59.373637][ T5026] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 59.392418][ T5026] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 59.401600][ T5026] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5026 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 59.411773][ T5026] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 59.420291][ T5026] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 59.427576][ T5026] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5025] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5025] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5025] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5028]}, 88) = 5028 [pid 5025] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5025] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5025] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5028 attached [pid 5028] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5028] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5028] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5028] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5028] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5025] <... futex resumed>) = 0 [pid 5025] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5025] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5028] <... futex resumed>) = 1 [pid 5028] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5028] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5025] <... futex resumed>) = 0 [pid 5028] <... futex resumed>) = 1 [ 59.436524][ T5026] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 59.443266][ T5026] gfs2: fsid=syz:syz.0: File system withdrawn [ 59.449433][ T5026] CPU: 0 PID: 5026 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 59.459859][ T5026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 59.469911][ T5026] Call Trace: [ 59.473197][ T5026] [ 59.476135][ T5026] dump_stack_lvl+0x1e7/0x2d0 [ 59.480814][ T5026] ? nf_tcp_handle_invalid+0x650/0x650 [ 59.486281][ T5026] ? panic+0x770/0x770 [ 59.490441][ T5026] gfs2_withdraw+0xc94/0x11e0 [ 59.495144][ T5026] gfs2_dirent_scan+0x512/0x640 [ 59.500022][ T5026] ? gfs2_permission+0x268/0x3c0 [ 59.504983][ T5026] ? gfs2_dirent_search+0x8c0/0x8c0 [ 59.510212][ T5026] gfs2_dirent_search+0x30e/0x8c0 [ 59.515256][ T5026] ? gfs2_dirent_search+0x8c0/0x8c0 [ 59.520491][ T5026] ? generic_permission+0x1df/0x550 [ 59.525702][ T5026] ? gfs2_dir_search+0x2f0/0x2f0 [ 59.530665][ T5026] ? gfs2_permission+0x34a/0x3c0 [ 59.535637][ T5026] gfs2_dir_search+0xb2/0x2f0 [ 59.540424][ T5026] ? do_filldir_main+0x520/0x520 [ 59.545472][ T5026] ? inode_go_held+0xea/0x200 [ 59.550173][ T5026] ? gfs2_glock_wait+0x21a/0x2b0 [ 59.555131][ T5026] gfs2_lookupi+0x460/0x5d0 [ 59.559642][ T5026] ? gfs2_lookup_simple+0x180/0x180 [ 59.564847][ T5026] ? __gfs2_lookup+0xa4/0x270 [ 59.569534][ T5026] __gfs2_lookup+0xa4/0x270 [ 59.574038][ T5026] ? gfs2_atomic_open+0x230/0x230 [ 59.579064][ T5026] ? __d_lookup+0x675/0x730 [ 59.583565][ T5026] ? d_hash_and_lookup+0x1b0/0x1b0 [ 59.588937][ T5026] gfs2_atomic_open+0x9e/0x230 [ 59.593703][ T5026] path_openat+0x1044/0x3180 [ 59.598381][ T5026] ? gfs2_rename2+0x25a0/0x25a0 [ 59.603698][ T5026] ? do_filp_open+0x490/0x490 [ 59.608573][ T5026] do_filp_open+0x234/0x490 [ 59.613263][ T5026] ? vfs_tmpfile+0x4b0/0x4b0 [ 59.617927][ T5026] ? _raw_spin_unlock+0x28/0x40 [ 59.622780][ T5026] ? alloc_fd+0x59c/0x640 [ 59.627120][ T5026] do_sys_openat2+0x13e/0x1d0 [ 59.631804][ T5026] ? do_sys_open+0x230/0x230 [ 59.636396][ T5026] ? lockdep_hardirqs_on+0x98/0x140 [ 59.641597][ T5026] ? _raw_spin_unlock_irq+0x2e/0x50 [ 59.646804][ T5026] ? ptrace_notify+0x278/0x380 [ 59.651564][ T5026] __x64_sys_open+0x225/0x270 [ 59.656242][ T5026] ? do_sys_openat2+0x1d0/0x1d0 [ 59.661286][ T5026] ? syscall_enter_from_user_mode+0x32/0x230 [ 59.667303][ T5026] ? syscall_enter_from_user_mode+0x8c/0x230 [ 59.673389][ T5026] do_syscall_64+0x41/0xc0 [ 59.677985][ T5026] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 59.683935][ T5026] RIP: 0033:0x7f012f71fa59 [ 59.688416][ T5026] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 59.708139][ T5026] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 59.716561][ T5026] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 59.724622][ T5026] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5028] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5026] <... open resumed>) = -1 EIO (Input/output error) [pid 5026] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5026] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5025] exit_group(0 [pid 5028] <... futex resumed>) = ? [pid 5026] <... futex resumed>) = ? [pid 5025] <... exit_group resumed>) = ? [pid 5028] +++ exited with 0 +++ [pid 5026] +++ exited with 0 +++ [pid 5025] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5025, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 [ 59.732592][ T5026] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 59.740556][ T5026] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 59.748522][ T5026] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 59.756589][ T5026] umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5029 ./strace-static-x86_64: Process 5029 attached [pid 5029] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5029] chdir("./3") = 0 [pid 5029] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5029] setpgid(0, 0) = 0 [pid 5029] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5029] write(3, "1000", 4) = 4 [pid 5029] close(3) = 0 [pid 5029] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5029] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5029] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5029] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5029] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5029] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5029] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5030]}, 88) = 5030 [pid 5029] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5029] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5030 attached [pid 5030] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5030] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5030] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5030] memfd_create("syzkaller", 0) = 3 [pid 5030] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5030] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5030] munmap(0x7f01272bc000, 16777216) = 0 [pid 5030] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5030] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5030] close(3) = 0 [pid 5030] mkdir("./file0", 0777) = 0 [ 60.076588][ T5030] loop0: detected capacity change from 0 to 32768 [ 60.087811][ T5030] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 60.096145][ T5030] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 60.106749][ T5030] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 60.115301][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 60.122440][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5030] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5030] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5030] chdir("./file0") = 0 [pid 5030] ioctl(4, LOOP_CLR_FD) = 0 [pid 5030] close(4) = 0 [pid 5030] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5030] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5029] <... futex resumed>) = 0 [pid 5029] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5030] <... futex resumed>) = 0 [pid 5029] <... futex resumed>) = 1 [pid 5030] open("./file0", O_RDWR [ 60.162687][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 60.170929][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 60.176203][ T5030] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 60.196193][ T5030] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 60.205321][ T5030] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5029] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5029] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5029] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [ 60.205321][ T5030] inode = 12 2341 [ 60.205321][ T5030] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 60.224615][ T5030] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 60.234332][ T5030] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5030 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 60.244392][ T5030] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 60.252862][ T5030] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5029] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5029] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5032]}, 88) = 5032 [pid 5029] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5029] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5032 attached [pid 5032] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5032] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5032] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5032] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5032] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5029] <... futex resumed>) = 0 [pid 5029] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5032] <... futex resumed>) = 1 [pid 5032] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5032] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5029] <... futex resumed>) = 0 [pid 5032] <... futex resumed>) = 1 [ 60.260141][ T5030] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 60.268936][ T5030] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 60.275638][ T5030] gfs2: fsid=syz:syz.0: File system withdrawn [ 60.281799][ T5030] CPU: 0 PID: 5030 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 60.292402][ T5030] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 60.302466][ T5030] Call Trace: [ 60.305754][ T5030] [ 60.308770][ T5030] dump_stack_lvl+0x1e7/0x2d0 [ 60.313456][ T5030] ? nf_tcp_handle_invalid+0x650/0x650 [ 60.319003][ T5030] ? panic+0x770/0x770 [ 60.323079][ T5030] gfs2_withdraw+0xc94/0x11e0 [ 60.327776][ T5030] gfs2_dirent_scan+0x512/0x640 [ 60.332666][ T5030] ? gfs2_permission+0x268/0x3c0 [ 60.337635][ T5030] ? gfs2_dirent_search+0x8c0/0x8c0 [ 60.342870][ T5030] gfs2_dirent_search+0x30e/0x8c0 [ 60.347930][ T5030] ? gfs2_dirent_search+0x8c0/0x8c0 [ 60.353128][ T5030] ? generic_permission+0x1df/0x550 [ 60.358335][ T5030] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5032] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5029] exit_group(0 [pid 5032] <... futex resumed>) = ? [pid 5029] <... exit_group resumed>) = ? [pid 5032] +++ exited with 0 +++ [ 60.363886][ T5030] ? gfs2_permission+0x34a/0x3c0 [ 60.368824][ T5030] gfs2_dir_search+0xb2/0x2f0 [ 60.373504][ T5030] ? do_filldir_main+0x520/0x520 [ 60.378453][ T5030] ? inode_go_held+0xea/0x200 [ 60.383144][ T5030] ? gfs2_glock_wait+0x21a/0x2b0 [ 60.388081][ T5030] gfs2_lookupi+0x460/0x5d0 [ 60.392586][ T5030] ? gfs2_lookup_simple+0x180/0x180 [ 60.397795][ T5030] ? __gfs2_lookup+0xa4/0x270 [ 60.402507][ T5030] __gfs2_lookup+0xa4/0x270 [ 60.407007][ T5030] ? gfs2_atomic_open+0x230/0x230 [ 60.412050][ T5030] ? __d_lookup+0x675/0x730 [ 60.416578][ T5030] ? d_hash_and_lookup+0x1b0/0x1b0 [ 60.421705][ T5030] gfs2_atomic_open+0x9e/0x230 [ 60.426496][ T5030] path_openat+0x1044/0x3180 [ 60.431104][ T5030] ? gfs2_rename2+0x25a0/0x25a0 [ 60.435979][ T5030] ? do_filp_open+0x490/0x490 [ 60.440683][ T5030] do_filp_open+0x234/0x490 [ 60.445203][ T5030] ? vfs_tmpfile+0x4b0/0x4b0 [ 60.449799][ T5030] ? _raw_spin_unlock+0x28/0x40 [ 60.454647][ T5030] ? alloc_fd+0x59c/0x640 [ 60.458982][ T5030] do_sys_openat2+0x13e/0x1d0 [ 60.463903][ T5030] ? do_sys_open+0x230/0x230 [ 60.468506][ T5030] ? lockdep_hardirqs_on+0x98/0x140 [ 60.473712][ T5030] ? _raw_spin_unlock_irq+0x2e/0x50 [ 60.478935][ T5030] ? ptrace_notify+0x278/0x380 [ 60.483708][ T5030] __x64_sys_open+0x225/0x270 [ 60.488401][ T5030] ? do_sys_openat2+0x1d0/0x1d0 [ 60.493294][ T5030] ? syscall_enter_from_user_mode+0x32/0x230 [ 60.499288][ T5030] ? syscall_enter_from_user_mode+0x8c/0x230 [ 60.505281][ T5030] do_syscall_64+0x41/0xc0 [ 60.509695][ T5030] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 60.515586][ T5030] RIP: 0033:0x7f012f71fa59 [ 60.520085][ T5030] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 60.539685][ T5030] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 60.548093][ T5030] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 60.556059][ T5030] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5030] <... open resumed>) = ? [pid 5030] +++ exited with 0 +++ [pid 5029] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5029, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 [ 60.564118][ T5030] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 60.572172][ T5030] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 60.580225][ T5030] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 60.588208][ T5030] umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5033 ./strace-static-x86_64: Process 5033 attached [pid 5033] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5033] chdir("./4") = 0 [pid 5033] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5033] setpgid(0, 0) = 0 [pid 5033] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5033] write(3, "1000", 4) = 4 [pid 5033] close(3) = 0 [pid 5033] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5033] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5033] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5033] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5033] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5033] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5033] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5033] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5034]}, 88) = 5034 [pid 5033] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5033] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5033] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5034 attached [pid 5034] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5034] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5034] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5034] memfd_create("syzkaller", 0) = 3 [pid 5034] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5034] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5034] munmap(0x7f01272bc000, 16777216) = 0 [pid 5034] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5034] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5034] close(3) = 0 [pid 5034] mkdir("./file0", 0777) = 0 [ 60.894279][ T5034] loop0: detected capacity change from 0 to 32768 [ 60.906851][ T5034] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 60.915255][ T5034] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 60.925939][ T5034] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 60.934826][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 60.941955][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5034] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5034] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5034] chdir("./file0") = 0 [pid 5034] ioctl(4, LOOP_CLR_FD) = 0 [pid 5034] close(4) = 0 [pid 5034] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5033] <... futex resumed>) = 0 [pid 5034] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5033] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5033] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5034] <... futex resumed>) = 0 [ 60.980219][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 60.988914][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 60.994453][ T5034] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 61.011988][ T5034] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 61.021053][ T5034] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5034] open("./file0", O_RDWR [pid 5033] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5033] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5033] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5033] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5033] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5033] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5036]}, 88) = 5036 [pid 5033] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5033] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5033] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5036 attached [pid 5036] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5036] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5036] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5036] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5036] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5033] <... futex resumed>) = 0 [pid 5033] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5033] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5036] <... futex resumed>) = 1 [pid 5036] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5036] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5033] <... futex resumed>) = 0 [pid 5036] <... futex resumed>) = 1 [ 61.021053][ T5034] inode = 12 2341 [ 61.021053][ T5034] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 61.039884][ T5034] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 61.048960][ T5034] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5034 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 61.059944][ T5034] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 61.069222][ T5034] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 61.077969][ T5034] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 61.087114][ T5034] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 61.094678][ T5034] gfs2: fsid=syz:syz.0: File system withdrawn [ 61.101264][ T5034] CPU: 0 PID: 5034 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 61.111681][ T5034] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 61.121733][ T5034] Call Trace: [ 61.125003][ T5034] [ 61.127949][ T5034] dump_stack_lvl+0x1e7/0x2d0 [ 61.132623][ T5034] ? nf_tcp_handle_invalid+0x650/0x650 [ 61.138076][ T5034] ? panic+0x770/0x770 [ 61.142147][ T5034] gfs2_withdraw+0xc94/0x11e0 [ 61.146825][ T5034] gfs2_dirent_scan+0x512/0x640 [ 61.151674][ T5034] ? gfs2_permission+0x268/0x3c0 [ 61.156600][ T5034] ? gfs2_dirent_search+0x8c0/0x8c0 [ 61.161794][ T5034] gfs2_dirent_search+0x30e/0x8c0 [ 61.166823][ T5034] ? gfs2_dirent_search+0x8c0/0x8c0 [ 61.172126][ T5034] ? generic_permission+0x1df/0x550 [ 61.177314][ T5034] ? gfs2_dir_search+0x2f0/0x2f0 [ 61.182243][ T5034] ? gfs2_permission+0x34a/0x3c0 [ 61.187172][ T5034] gfs2_dir_search+0xb2/0x2f0 [ 61.191851][ T5034] ? do_filldir_main+0x520/0x520 [ 61.196808][ T5034] ? inode_go_held+0xea/0x200 [ 61.201591][ T5034] ? gfs2_glock_wait+0x21a/0x2b0 [ 61.206544][ T5034] gfs2_lookupi+0x460/0x5d0 [ 61.211143][ T5034] ? gfs2_lookup_simple+0x180/0x180 [ 61.216349][ T5034] ? __gfs2_lookup+0xa4/0x270 [ 61.221217][ T5034] __gfs2_lookup+0xa4/0x270 [ 61.225728][ T5034] ? gfs2_atomic_open+0x230/0x230 [ 61.230853][ T5034] ? __d_lookup+0x675/0x730 [ 61.235394][ T5034] ? d_hash_and_lookup+0x1b0/0x1b0 [ 61.240514][ T5034] gfs2_atomic_open+0x9e/0x230 [ 61.245295][ T5034] path_openat+0x1044/0x3180 [ 61.250012][ T5034] ? gfs2_rename2+0x25a0/0x25a0 [ 61.254873][ T5034] ? do_filp_open+0x490/0x490 [ 61.259820][ T5034] do_filp_open+0x234/0x490 [ 61.264342][ T5034] ? vfs_tmpfile+0x4b0/0x4b0 [ 61.268941][ T5034] ? _raw_spin_unlock+0x28/0x40 [ 61.273880][ T5034] ? alloc_fd+0x59c/0x640 [ 61.278213][ T5034] do_sys_openat2+0x13e/0x1d0 [ 61.283674][ T5034] ? do_sys_open+0x230/0x230 [ 61.288258][ T5034] ? lockdep_hardirqs_on+0x98/0x140 [ 61.293468][ T5034] ? _raw_spin_unlock_irq+0x2e/0x50 [ 61.298676][ T5034] ? ptrace_notify+0x278/0x380 [ 61.303452][ T5034] __x64_sys_open+0x225/0x270 [ 61.308233][ T5034] ? do_sys_openat2+0x1d0/0x1d0 [ 61.313265][ T5034] ? syscall_enter_from_user_mode+0x32/0x230 [ 61.319362][ T5034] ? syscall_enter_from_user_mode+0x8c/0x230 [ 61.325369][ T5034] do_syscall_64+0x41/0xc0 [ 61.329787][ T5034] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.335696][ T5034] RIP: 0033:0x7f012f71fa59 [ 61.340123][ T5034] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 61.360375][ T5034] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 61.370099][ T5034] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5036] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5034] <... open resumed>) = -1 EIO (Input/output error) [pid 5034] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5033] exit_group(0 [pid 5036] <... futex resumed>) = ? [pid 5033] <... exit_group resumed>) = ? [pid 5036] +++ exited with 0 +++ [pid 5034] <... futex resumed>) = ? [pid 5034] +++ exited with 0 +++ [pid 5033] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5033, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=27 /* 0.27 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 [ 61.378071][ T5034] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 61.386120][ T5034] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 61.394518][ T5034] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 61.402478][ T5034] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 61.410450][ T5034] umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5037 ./strace-static-x86_64: Process 5037 attached [pid 5037] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5037] chdir("./5") = 0 [pid 5037] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5037] setpgid(0, 0) = 0 [pid 5037] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5037] write(3, "1000", 4) = 4 [pid 5037] close(3) = 0 [pid 5037] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5037] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5037] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5037] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5037] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5037] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5037] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5037] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5038]}, 88) = 5038 [pid 5037] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5037] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5037] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5038 attached [pid 5038] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5038] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5038] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5038] memfd_create("syzkaller", 0) = 3 [pid 5038] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5038] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5038] munmap(0x7f01272bc000, 16777216) = 0 [pid 5038] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5038] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5038] close(3) = 0 [pid 5038] mkdir("./file0", 0777) = 0 [ 61.722307][ T5038] loop0: detected capacity change from 0 to 32768 [ 61.733570][ T5038] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 61.742040][ T5038] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 61.752295][ T5038] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 61.761029][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 61.767913][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5038] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5038] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5038] chdir("./file0") = 0 [pid 5038] ioctl(4, LOOP_CLR_FD) = 0 [pid 5038] close(4) = 0 [pid 5038] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5037] <... futex resumed>) = 0 [pid 5038] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5037] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5038] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5037] <... futex resumed>) = 0 [pid 5038] open("./file0", O_RDWR [ 61.807830][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 61.816588][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 61.821917][ T5038] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 61.839557][ T5038] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5037] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5037] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 61.860250][ T5038] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 61.860250][ T5038] inode = 12 2341 [ 61.860250][ T5038] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 61.879376][ T5038] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 61.888531][ T5038] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5038 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 61.899469][ T5038] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5037] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5037] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5037] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5037] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5040]}, 88) = 5040 [pid 5037] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5037] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5037] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5040 attached [pid 5040] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5040] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5040] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5040] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5040] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5037] <... futex resumed>) = 0 [pid 5037] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5037] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5040] <... futex resumed>) = 1 [pid 5040] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5040] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5037] <... futex resumed>) = 0 [pid 5040] <... futex resumed>) = 1 [ 61.907960][ T5038] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 61.917278][ T5038] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 61.927058][ T5038] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 61.934277][ T5038] gfs2: fsid=syz:syz.0: File system withdrawn [ 61.940914][ T5038] CPU: 0 PID: 5038 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 61.951334][ T5038] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 61.961379][ T5038] Call Trace: [ 61.964659][ T5038] [ 61.967579][ T5038] dump_stack_lvl+0x1e7/0x2d0 [ 61.972250][ T5038] ? nf_tcp_handle_invalid+0x650/0x650 [ 61.977698][ T5038] ? panic+0x770/0x770 [ 61.981760][ T5038] gfs2_withdraw+0xc94/0x11e0 [ 61.986435][ T5038] gfs2_dirent_scan+0x512/0x640 [ 61.991310][ T5038] ? gfs2_permission+0x268/0x3c0 [ 61.996242][ T5038] ? gfs2_dirent_search+0x8c0/0x8c0 [ 62.001443][ T5038] gfs2_dirent_search+0x30e/0x8c0 [ 62.006466][ T5038] ? gfs2_dirent_search+0x8c0/0x8c0 [ 62.011683][ T5038] ? generic_permission+0x1df/0x550 [ 62.016904][ T5038] ? gfs2_dir_search+0x2f0/0x2f0 [ 62.021862][ T5038] ? gfs2_permission+0x34a/0x3c0 [ 62.026815][ T5038] gfs2_dir_search+0xb2/0x2f0 [ 62.031582][ T5038] ? do_filldir_main+0x520/0x520 [ 62.036519][ T5038] ? inode_go_held+0xea/0x200 [ 62.041198][ T5038] ? gfs2_glock_wait+0x21a/0x2b0 [ 62.046170][ T5038] gfs2_lookupi+0x460/0x5d0 [ 62.050678][ T5038] ? gfs2_lookup_simple+0x180/0x180 [ 62.055873][ T5038] ? __gfs2_lookup+0xa4/0x270 [ 62.060565][ T5038] __gfs2_lookup+0xa4/0x270 [ 62.065069][ T5038] ? gfs2_atomic_open+0x230/0x230 [ 62.070093][ T5038] ? __d_lookup+0x675/0x730 [ 62.074682][ T5038] ? d_hash_and_lookup+0x1b0/0x1b0 [ 62.079814][ T5038] gfs2_atomic_open+0x9e/0x230 [ 62.084578][ T5038] path_openat+0x1044/0x3180 [ 62.089171][ T5038] ? gfs2_rename2+0x25a0/0x25a0 [ 62.094132][ T5038] ? do_filp_open+0x490/0x490 [ 62.098831][ T5038] do_filp_open+0x234/0x490 [ 62.103333][ T5038] ? vfs_tmpfile+0x4b0/0x4b0 [ 62.107934][ T5038] ? _raw_spin_unlock+0x28/0x40 [ 62.112802][ T5038] ? alloc_fd+0x59c/0x640 [ 62.117137][ T5038] do_sys_openat2+0x13e/0x1d0 [ 62.121817][ T5038] ? do_sys_open+0x230/0x230 [ 62.126406][ T5038] ? lockdep_hardirqs_on+0x98/0x140 [ 62.131691][ T5038] ? _raw_spin_unlock_irq+0x2e/0x50 [ 62.136973][ T5038] ? ptrace_notify+0x278/0x380 [ 62.141738][ T5038] __x64_sys_open+0x225/0x270 [ 62.146413][ T5038] ? do_sys_openat2+0x1d0/0x1d0 [ 62.151261][ T5038] ? syscall_enter_from_user_mode+0x32/0x230 [ 62.158326][ T5038] ? syscall_enter_from_user_mode+0x8c/0x230 [ 62.164586][ T5038] do_syscall_64+0x41/0xc0 [ 62.169013][ T5038] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 62.174910][ T5038] RIP: 0033:0x7f012f71fa59 [ 62.179320][ T5038] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 62.199275][ T5038] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [pid 5040] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5038] <... open resumed>) = -1 EIO (Input/output error) [pid 5038] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5037] exit_group(0 [pid 5038] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5037] <... exit_group resumed>) = ? [pid 5040] <... futex resumed>) = ? [pid 5040] +++ exited with 0 +++ [pid 5038] <... futex resumed>) = ? [pid 5038] +++ exited with 0 +++ [pid 5037] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5037, si_uid=0, si_status=0, si_utime=0, si_stime=30 /* 0.30 s */} --- umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/binderfs") = 0 [ 62.208150][ T5038] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 62.216142][ T5038] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 62.224140][ T5038] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 62.232135][ T5038] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 62.240131][ T5038] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 62.248309][ T5038] umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5041 ./strace-static-x86_64: Process 5041 attached [pid 5041] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5041] chdir("./6") = 0 [pid 5041] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5041] setpgid(0, 0) = 0 [pid 5041] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5041] write(3, "1000", 4) = 4 [pid 5041] close(3) = 0 [pid 5041] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5041] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5041] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5041] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5041] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5041] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5041] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5042]}, 88) = 5042 [pid 5041] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5041] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5042 attached [pid 5042] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5042] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5042] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5042] memfd_create("syzkaller", 0) = 3 [pid 5042] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5042] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5042] munmap(0x7f01272bc000, 16777216) = 0 [pid 5042] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5042] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5042] close(3) = 0 [pid 5042] mkdir("./file0", 0777) = 0 [ 62.578103][ T5042] loop0: detected capacity change from 0 to 32768 [ 62.590027][ T5042] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 62.598512][ T5042] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 62.609101][ T5042] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 62.618056][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 62.625026][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5042] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5042] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5042] chdir("./file0") = 0 [pid 5042] ioctl(4, LOOP_CLR_FD) = 0 [pid 5042] close(4) = 0 [pid 5042] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5041] <... futex resumed>) = 0 [pid 5041] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5042] <... futex resumed>) = 1 [ 62.663717][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 62.673099][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 62.678606][ T5042] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 62.692616][ T5042] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 62.701555][ T5042] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 62.701555][ T5042] inode = 12 2341 [pid 5042] open("./file0", O_RDWR [pid 5041] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5041] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5041] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5041] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5041] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5044]}, 88) = 5044 [pid 5041] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5041] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5044 attached [pid 5044] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5044] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5044] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5044] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5044] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5041] <... futex resumed>) = 0 [pid 5044] write(-1, NULL, 0 [ 62.701555][ T5042] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 62.720829][ T5042] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 62.730129][ T5042] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5042 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 62.740186][ T5042] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 62.748678][ T5042] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5041] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5044] <... write resumed>) = -1 EBADF (Bad file descriptor) [pid 5041] <... futex resumed>) = 0 [pid 5044] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5041] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5044] <... futex resumed>) = 0 [pid 5041] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 62.755973][ T5042] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 62.764895][ T5042] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 62.771580][ T5042] gfs2: fsid=syz:syz.0: File system withdrawn [ 62.777814][ T5042] CPU: 0 PID: 5042 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 62.788248][ T5042] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 62.798303][ T5042] Call Trace: [ 62.801620][ T5042] [ 62.804576][ T5042] dump_stack_lvl+0x1e7/0x2d0 [ 62.809283][ T5042] ? nf_tcp_handle_invalid+0x650/0x650 [ 62.814848][ T5042] ? panic+0x770/0x770 [ 62.818933][ T5042] gfs2_withdraw+0xc94/0x11e0 [ 62.823618][ T5042] gfs2_dirent_scan+0x512/0x640 [ 62.828570][ T5042] ? gfs2_permission+0x268/0x3c0 [ 62.833510][ T5042] ? gfs2_dirent_search+0x8c0/0x8c0 [ 62.838972][ T5042] gfs2_dirent_search+0x30e/0x8c0 [ 62.844025][ T5042] ? gfs2_dirent_search+0x8c0/0x8c0 [ 62.849252][ T5042] ? generic_permission+0x1df/0x550 [ 62.854477][ T5042] ? gfs2_dir_search+0x2f0/0x2f0 [ 62.859434][ T5042] ? gfs2_permission+0x34a/0x3c0 [pid 5044] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5041] exit_group(0 [pid 5044] <... futex resumed>) = ? [pid 5041] <... exit_group resumed>) = ? [pid 5044] +++ exited with 0 +++ [ 62.864380][ T5042] gfs2_dir_search+0xb2/0x2f0 [ 62.869074][ T5042] ? do_filldir_main+0x520/0x520 [ 62.874034][ T5042] ? inode_go_held+0xea/0x200 [ 62.878737][ T5042] ? gfs2_glock_wait+0x21a/0x2b0 [ 62.883705][ T5042] gfs2_lookupi+0x460/0x5d0 [ 62.888496][ T5042] ? gfs2_lookup_simple+0x180/0x180 [ 62.893855][ T5042] ? __gfs2_lookup+0xa4/0x270 [ 62.898561][ T5042] __gfs2_lookup+0xa4/0x270 [ 62.903090][ T5042] ? gfs2_atomic_open+0x230/0x230 [ 62.908214][ T5042] ? __d_lookup+0x675/0x730 [ 62.912819][ T5042] ? d_hash_and_lookup+0x1b0/0x1b0 [ 62.917954][ T5042] gfs2_atomic_open+0x9e/0x230 [ 62.922762][ T5042] path_openat+0x1044/0x3180 [ 62.927376][ T5042] ? gfs2_rename2+0x25a0/0x25a0 [ 62.932288][ T5042] ? do_filp_open+0x490/0x490 [ 62.937020][ T5042] do_filp_open+0x234/0x490 [ 62.941536][ T5042] ? vfs_tmpfile+0x4b0/0x4b0 [ 62.946180][ T5042] ? _raw_spin_unlock+0x28/0x40 [ 62.951064][ T5042] ? alloc_fd+0x59c/0x640 [ 62.955513][ T5042] do_sys_openat2+0x13e/0x1d0 [ 62.960504][ T5042] ? do_sys_open+0x230/0x230 [ 62.966010][ T5042] ? lockdep_hardirqs_on+0x98/0x140 [ 62.971239][ T5042] ? _raw_spin_unlock_irq+0x2e/0x50 [ 62.976508][ T5042] ? ptrace_notify+0x278/0x380 [ 62.981306][ T5042] __x64_sys_open+0x225/0x270 [ 62.986010][ T5042] ? do_sys_openat2+0x1d0/0x1d0 [ 62.990941][ T5042] ? syscall_enter_from_user_mode+0x32/0x230 [ 62.997033][ T5042] ? syscall_enter_from_user_mode+0x8c/0x230 [ 63.003023][ T5042] do_syscall_64+0x41/0xc0 [ 63.007452][ T5042] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 63.013370][ T5042] RIP: 0033:0x7f012f71fa59 [ 63.017781][ T5042] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 63.037653][ T5042] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 63.046089][ T5042] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 63.054073][ T5042] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5042] <... open resumed>) = ? [pid 5042] +++ exited with 0 +++ [pid 5041] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5041, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=29 /* 0.29 s */} --- umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/binderfs") = 0 [ 63.062211][ T5042] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 63.070198][ T5042] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 63.078179][ T5042] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 63.086249][ T5042] umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5045 ./strace-static-x86_64: Process 5045 attached [pid 5045] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5045] chdir("./7") = 0 [pid 5045] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5045] setpgid(0, 0) = 0 [pid 5045] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5045] write(3, "1000", 4) = 4 [pid 5045] close(3) = 0 [pid 5045] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5045] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5045] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5045] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5045] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5045] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5045] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5045] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5046]}, 88) = 5046 [pid 5045] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5045] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5045] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5046 attached [pid 5046] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5046] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5046] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5046] memfd_create("syzkaller", 0) = 3 [pid 5046] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5046] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5046] munmap(0x7f01272bc000, 16777216) = 0 [pid 5046] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5046] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5046] close(3) = 0 [pid 5046] mkdir("./file0", 0777) = 0 [ 63.398472][ T5046] loop0: detected capacity change from 0 to 32768 [ 63.411081][ T5046] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 63.419522][ T5046] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 63.428706][ T5046] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 63.437304][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 63.444421][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5046] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5046] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5046] chdir("./file0") = 0 [pid 5046] ioctl(4, LOOP_CLR_FD) = 0 [pid 5046] close(4) = 0 [pid 5046] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5045] <... futex resumed>) = 0 [pid 5045] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5045] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5046] <... futex resumed>) = 1 [ 63.483837][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 63.492108][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 63.497662][ T5046] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 63.512783][ T5046] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 63.521340][ T5046] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 63.521340][ T5046] inode = 12 2341 [pid 5046] open("./file0", O_RDWR [pid 5045] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5045] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5045] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5045] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5045] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5045] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5048]}, 88) = 5048 [pid 5045] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5045] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5045] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5048 attached [pid 5048] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5048] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5048] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5048] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5048] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5045] <... futex resumed>) = 0 [pid 5045] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5045] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5048] <... futex resumed>) = 1 [pid 5048] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [ 63.521340][ T5046] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 63.540435][ T5046] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 63.549975][ T5046] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5046 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 63.560182][ T5046] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 63.568680][ T5046] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5048] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5045] <... futex resumed>) = 0 [ 63.576470][ T5046] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 63.585754][ T5046] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 63.594547][ T5046] gfs2: fsid=syz:syz.0: File system withdrawn [ 63.600785][ T5046] CPU: 1 PID: 5046 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 63.611235][ T5046] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 63.621402][ T5046] Call Trace: [ 63.624691][ T5046] [ 63.627620][ T5046] dump_stack_lvl+0x1e7/0x2d0 [ 63.632303][ T5046] ? nf_tcp_handle_invalid+0x650/0x650 [ 63.637774][ T5046] ? panic+0x770/0x770 [ 63.641855][ T5046] gfs2_withdraw+0xc94/0x11e0 [ 63.646552][ T5046] gfs2_dirent_scan+0x512/0x640 [ 63.651406][ T5046] ? gfs2_permission+0x268/0x3c0 [ 63.656357][ T5046] ? gfs2_dirent_search+0x8c0/0x8c0 [ 63.661590][ T5046] gfs2_dirent_search+0x30e/0x8c0 [ 63.666633][ T5046] ? gfs2_dirent_search+0x8c0/0x8c0 [ 63.671838][ T5046] ? generic_permission+0x1df/0x550 [ 63.677130][ T5046] ? gfs2_dir_search+0x2f0/0x2f0 [ 63.682257][ T5046] ? gfs2_permission+0x34a/0x3c0 [ 63.687302][ T5046] gfs2_dir_search+0xb2/0x2f0 [ 63.692085][ T5046] ? do_filldir_main+0x520/0x520 [ 63.697226][ T5046] ? inode_go_held+0xea/0x200 [ 63.701907][ T5046] ? gfs2_glock_wait+0x21a/0x2b0 [ 63.706852][ T5046] gfs2_lookupi+0x460/0x5d0 [ 63.711360][ T5046] ? gfs2_lookup_simple+0x180/0x180 [ 63.716561][ T5046] ? __gfs2_lookup+0xa4/0x270 [ 63.721347][ T5046] __gfs2_lookup+0xa4/0x270 [ 63.725968][ T5046] ? gfs2_atomic_open+0x230/0x230 [ 63.731061][ T5046] ? __d_lookup+0x675/0x730 [ 63.735578][ T5046] ? d_hash_and_lookup+0x1b0/0x1b0 [ 63.740699][ T5046] gfs2_atomic_open+0x9e/0x230 [ 63.745470][ T5046] path_openat+0x1044/0x3180 [ 63.750069][ T5046] ? gfs2_rename2+0x25a0/0x25a0 [ 63.754929][ T5046] ? do_filp_open+0x490/0x490 [ 63.759615][ T5046] do_filp_open+0x234/0x490 [ 63.764117][ T5046] ? vfs_tmpfile+0x4b0/0x4b0 [ 63.768718][ T5046] ? _raw_spin_unlock+0x28/0x40 [ 63.773571][ T5046] ? alloc_fd+0x59c/0x640 [ 63.777911][ T5046] do_sys_openat2+0x13e/0x1d0 [ 63.782590][ T5046] ? do_sys_open+0x230/0x230 [ 63.787181][ T5046] ? lockdep_hardirqs_on+0x98/0x140 [ 63.792398][ T5046] ? _raw_spin_unlock_irq+0x2e/0x50 [ 63.797815][ T5046] ? ptrace_notify+0x278/0x380 [ 63.802679][ T5046] __x64_sys_open+0x225/0x270 [ 63.807464][ T5046] ? do_sys_openat2+0x1d0/0x1d0 [ 63.812321][ T5046] ? syscall_enter_from_user_mode+0x32/0x230 [ 63.818392][ T5046] ? syscall_enter_from_user_mode+0x8c/0x230 [ 63.824375][ T5046] do_syscall_64+0x41/0xc0 [ 63.828975][ T5046] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 63.834875][ T5046] RIP: 0033:0x7f012f71fa59 [ 63.839549][ T5046] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 63.859276][ T5046] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 63.867803][ T5046] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 63.875782][ T5046] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5048] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5046] <... open resumed>) = -1 EIO (Input/output error) [pid 5046] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5045] exit_group(0 [pid 5048] <... futex resumed>) = ? [pid 5046] <... futex resumed>) = ? [pid 5045] <... exit_group resumed>) = ? [pid 5048] +++ exited with 0 +++ [pid 5046] +++ exited with 0 +++ [pid 5045] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5045, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=28 /* 0.28 s */} --- umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/binderfs") = 0 [ 63.883754][ T5046] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 63.891729][ T5046] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 63.899715][ T5046] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 63.907729][ T5046] umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./7/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5049 ./strace-static-x86_64: Process 5049 attached [pid 5049] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5049] chdir("./8") = 0 [pid 5049] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5049] setpgid(0, 0) = 0 [pid 5049] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5049] write(3, "1000", 4) = 4 [pid 5049] close(3) = 0 [pid 5049] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5049] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5049] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5049] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5049] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5049] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5049] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5049] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5050]}, 88) = 5050 [pid 5049] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5049] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5049] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5050 attached [pid 5050] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5050] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5050] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5050] memfd_create("syzkaller", 0) = 3 [pid 5050] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5050] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5050] munmap(0x7f01272bc000, 16777216) = 0 [pid 5050] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5050] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5050] close(3) = 0 [pid 5050] mkdir("./file0", 0777) = 0 [ 64.232757][ T5050] loop0: detected capacity change from 0 to 32768 [ 64.243473][ T5050] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 64.251760][ T5050] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 64.262280][ T5050] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 64.271227][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 64.278018][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5050] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5050] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5050] chdir("./file0") = 0 [pid 5050] ioctl(4, LOOP_CLR_FD) = 0 [pid 5050] close(4) = 0 [pid 5050] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5049] <... futex resumed>) = 0 [pid 5049] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5049] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 64.321442][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 64.329957][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 64.335407][ T5050] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 64.353522][ T5050] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 64.362654][ T5050] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5050] open("./file0", O_RDWR [pid 5049] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5049] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5049] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5049] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5049] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5049] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5052]}, 88) = 5052 [pid 5049] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5049] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5049] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5052 attached [pid 5052] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5052] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5052] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 64.362654][ T5050] inode = 12 2341 [ 64.362654][ T5050] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 64.381560][ T5050] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 64.390978][ T5050] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5050 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 64.401826][ T5050] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 64.410602][ T5050] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5052] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5052] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5049] <... futex resumed>) = 0 [pid 5049] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5049] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5052] <... futex resumed>) = 1 [pid 5052] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5052] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5049] <... futex resumed>) = 0 [pid 5052] <... futex resumed>) = 1 [ 64.417844][ T5050] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 64.426775][ T5050] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 64.433477][ T5050] gfs2: fsid=syz:syz.0: File system withdrawn [ 64.439803][ T5050] CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 64.450334][ T5050] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 64.460391][ T5050] Call Trace: [ 64.463667][ T5050] [ 64.466596][ T5050] dump_stack_lvl+0x1e7/0x2d0 [ 64.471291][ T5050] ? nf_tcp_handle_invalid+0x650/0x650 [ 64.476788][ T5050] ? panic+0x770/0x770 [ 64.480896][ T5050] gfs2_withdraw+0xc94/0x11e0 [ 64.485694][ T5050] gfs2_dirent_scan+0x512/0x640 [ 64.490584][ T5050] ? gfs2_permission+0x268/0x3c0 [ 64.495563][ T5050] ? gfs2_dirent_search+0x8c0/0x8c0 [ 64.500790][ T5050] gfs2_dirent_search+0x30e/0x8c0 [ 64.505863][ T5050] ? gfs2_dirent_search+0x8c0/0x8c0 [ 64.511257][ T5050] ? generic_permission+0x1df/0x550 [ 64.516455][ T5050] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5052] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5049] exit_group(0) = ? [pid 5052] <... futex resumed>) = ? [pid 5052] +++ exited with 0 +++ [ 64.521515][ T5050] ? gfs2_permission+0x34a/0x3c0 [ 64.526498][ T5050] gfs2_dir_search+0xb2/0x2f0 [ 64.531288][ T5050] ? do_filldir_main+0x520/0x520 [ 64.536227][ T5050] ? inode_go_held+0xea/0x200 [ 64.540905][ T5050] ? gfs2_glock_wait+0x21a/0x2b0 [ 64.545924][ T5050] gfs2_lookupi+0x460/0x5d0 [ 64.550429][ T5050] ? gfs2_lookup_simple+0x180/0x180 [ 64.555828][ T5050] ? __gfs2_lookup+0xa4/0x270 [ 64.560540][ T5050] __gfs2_lookup+0xa4/0x270 [ 64.565060][ T5050] ? gfs2_atomic_open+0x230/0x230 [ 64.570099][ T5050] ? __d_lookup+0x675/0x730 [ 64.574620][ T5050] ? d_hash_and_lookup+0x1b0/0x1b0 [ 64.579742][ T5050] gfs2_atomic_open+0x9e/0x230 [ 64.584533][ T5050] path_openat+0x1044/0x3180 [ 64.589220][ T5050] ? gfs2_rename2+0x25a0/0x25a0 [ 64.594091][ T5050] ? do_filp_open+0x490/0x490 [ 64.598781][ T5050] do_filp_open+0x234/0x490 [ 64.603295][ T5050] ? vfs_tmpfile+0x4b0/0x4b0 [ 64.607906][ T5050] ? _raw_spin_unlock+0x28/0x40 [ 64.612753][ T5050] ? alloc_fd+0x59c/0x640 [ 64.617101][ T5050] do_sys_openat2+0x13e/0x1d0 [ 64.621794][ T5050] ? do_sys_open+0x230/0x230 [ 64.626384][ T5050] ? lockdep_hardirqs_on+0x98/0x140 [ 64.631583][ T5050] ? _raw_spin_unlock_irq+0x2e/0x50 [ 64.636777][ T5050] ? ptrace_notify+0x278/0x380 [ 64.641537][ T5050] __x64_sys_open+0x225/0x270 [ 64.646226][ T5050] ? do_sys_openat2+0x1d0/0x1d0 [ 64.651089][ T5050] ? syscall_enter_from_user_mode+0x32/0x230 [ 64.657172][ T5050] ? syscall_enter_from_user_mode+0x8c/0x230 [ 64.663414][ T5050] do_syscall_64+0x41/0xc0 [ 64.667847][ T5050] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 64.673761][ T5050] RIP: 0033:0x7f012f71fa59 [ 64.678175][ T5050] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 64.697974][ T5050] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 64.706515][ T5050] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 64.714508][ T5050] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5050] <... open resumed>) = ? [pid 5050] +++ exited with 0 +++ [pid 5049] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5049, si_uid=0, si_status=0, si_utime=0, si_stime=34 /* 0.34 s */} --- umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/binderfs") = 0 [ 64.722476][ T5050] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 64.730464][ T5050] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 64.738440][ T5050] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 64.746507][ T5050] umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./8/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./8") = 0 mkdir("./9", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5053 ./strace-static-x86_64: Process 5053 attached [pid 5053] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5053] chdir("./9") = 0 [pid 5053] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5053] setpgid(0, 0) = 0 [pid 5053] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5053] write(3, "1000", 4) = 4 [pid 5053] close(3) = 0 [pid 5053] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5053] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5053] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5053] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5053] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5053] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5053] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5053] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5054]}, 88) = 5054 ./strace-static-x86_64: Process 5054 attached [pid 5053] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5053] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5053] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5054] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5054] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5054] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5054] memfd_create("syzkaller", 0) = 3 [pid 5054] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5054] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5054] munmap(0x7f01272bc000, 16777216) = 0 [pid 5054] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5054] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5054] close(3) = 0 [pid 5054] mkdir("./file0", 0777) = 0 [ 65.067875][ T5054] loop0: detected capacity change from 0 to 32768 [ 65.080466][ T5054] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 65.088906][ T5054] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 65.098572][ T5054] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 65.107193][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 65.114246][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5054] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5054] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5054] chdir("./file0") = 0 [pid 5054] ioctl(4, LOOP_CLR_FD) = 0 [pid 5054] close(4) = 0 [pid 5054] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5054] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5053] <... futex resumed>) = 0 [pid 5054] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5053] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5054] open("./file0", O_RDWR [pid 5053] <... futex resumed>) = 0 [ 65.151968][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 65.161014][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 65.166374][ T5054] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 65.182013][ T5054] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 65.191550][ T5054] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5053] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5053] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5053] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5053] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5053] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5053] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5056]}, 88) = 5056 [pid 5053] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 65.191550][ T5054] inode = 12 2341 [ 65.191550][ T5054] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 65.210599][ T5054] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 65.220260][ T5054] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5054 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 65.231176][ T5054] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 65.239934][ T5054] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5053] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5053] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5056 attached [pid 5056] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5056] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5056] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5056] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5056] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5053] <... futex resumed>) = 0 [pid 5053] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5053] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5056] <... futex resumed>) = 1 [pid 5056] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5056] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5053] <... futex resumed>) = 0 [pid 5056] <... futex resumed>) = 1 [ 65.247175][ T5054] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 65.256318][ T5054] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 65.263270][ T5054] gfs2: fsid=syz:syz.0: File system withdrawn [ 65.269694][ T5054] CPU: 0 PID: 5054 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 65.280133][ T5054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 65.290286][ T5054] Call Trace: [ 65.293567][ T5054] [ 65.296496][ T5054] dump_stack_lvl+0x1e7/0x2d0 [ 65.301219][ T5054] ? nf_tcp_handle_invalid+0x650/0x650 [ 65.306777][ T5054] ? panic+0x770/0x770 [ 65.311027][ T5054] gfs2_withdraw+0xc94/0x11e0 [ 65.315751][ T5054] gfs2_dirent_scan+0x512/0x640 [ 65.320680][ T5054] ? gfs2_permission+0x268/0x3c0 [ 65.325638][ T5054] ? gfs2_dirent_search+0x8c0/0x8c0 [ 65.330853][ T5054] gfs2_dirent_search+0x30e/0x8c0 [ 65.335920][ T5054] ? gfs2_dirent_search+0x8c0/0x8c0 [ 65.341293][ T5054] ? generic_permission+0x1df/0x550 [ 65.346665][ T5054] ? gfs2_dir_search+0x2f0/0x2f0 [ 65.351614][ T5054] ? gfs2_permission+0x34a/0x3c0 [ 65.356566][ T5054] gfs2_dir_search+0xb2/0x2f0 [ 65.361245][ T5054] ? do_filldir_main+0x520/0x520 [ 65.366291][ T5054] ? inode_go_held+0xea/0x200 [ 65.370970][ T5054] ? gfs2_glock_wait+0x21a/0x2b0 [ 65.375992][ T5054] gfs2_lookupi+0x460/0x5d0 [ 65.380495][ T5054] ? gfs2_lookup_simple+0x180/0x180 [ 65.385729][ T5054] ? __gfs2_lookup+0xa4/0x270 [ 65.390435][ T5054] __gfs2_lookup+0xa4/0x270 [ 65.394956][ T5054] ? gfs2_atomic_open+0x230/0x230 [ 65.400090][ T5054] ? __d_lookup+0x675/0x730 [ 65.404604][ T5054] ? d_hash_and_lookup+0x1b0/0x1b0 [ 65.409728][ T5054] gfs2_atomic_open+0x9e/0x230 [ 65.414507][ T5054] path_openat+0x1044/0x3180 [ 65.419112][ T5054] ? gfs2_rename2+0x25a0/0x25a0 [ 65.423975][ T5054] ? do_filp_open+0x490/0x490 [ 65.428669][ T5054] do_filp_open+0x234/0x490 [ 65.433257][ T5054] ? vfs_tmpfile+0x4b0/0x4b0 [ 65.437858][ T5054] ? _raw_spin_unlock+0x28/0x40 [ 65.442711][ T5054] ? alloc_fd+0x59c/0x640 [ 65.447053][ T5054] do_sys_openat2+0x13e/0x1d0 [ 65.451750][ T5054] ? do_sys_open+0x230/0x230 [ 65.456369][ T5054] ? lockdep_hardirqs_on+0x98/0x140 [ 65.461569][ T5054] ? _raw_spin_unlock_irq+0x2e/0x50 [ 65.466769][ T5054] ? ptrace_notify+0x278/0x380 [ 65.471531][ T5054] __x64_sys_open+0x225/0x270 [ 65.476300][ T5054] ? do_sys_openat2+0x1d0/0x1d0 [ 65.481153][ T5054] ? syscall_enter_from_user_mode+0x32/0x230 [ 65.487162][ T5054] ? syscall_enter_from_user_mode+0x8c/0x230 [ 65.493159][ T5054] do_syscall_64+0x41/0xc0 [ 65.497602][ T5054] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 65.503530][ T5054] RIP: 0033:0x7f012f71fa59 [ 65.507960][ T5054] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 65.528195][ T5054] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 65.536644][ T5054] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 65.544613][ T5054] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5056] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5054] <... open resumed>) = -1 EIO (Input/output error) [pid 5054] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5053] exit_group(0) = ? [pid 5054] <... futex resumed>) = ? [pid 5054] +++ exited with 0 +++ [pid 5056] <... futex resumed>) = ? [pid 5056] +++ exited with 0 +++ [pid 5053] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5053, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=29 /* 0.29 s */} --- umount2("./9", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./9/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/binderfs") = 0 [ 65.552578][ T5054] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 65.560549][ T5054] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 65.568521][ T5054] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 65.576511][ T5054] umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./9/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./9") = 0 mkdir("./10", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5057 ./strace-static-x86_64: Process 5057 attached [pid 5057] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5057] chdir("./10") = 0 [pid 5057] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5057] setpgid(0, 0) = 0 [pid 5057] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5057] write(3, "1000", 4) = 4 [pid 5057] close(3) = 0 [pid 5057] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5057] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5057] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5057] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5057] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5057] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5057] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5057] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5058 attached => {parent_tid=[5058]}, 88) = 5058 [pid 5057] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5057] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5058] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5057] <... futex resumed>) = 0 [pid 5057] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5058] <... rseq resumed>) = 0 [pid 5058] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5058] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5058] memfd_create("syzkaller", 0) = 3 [pid 5058] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5058] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5058] munmap(0x7f01272bc000, 16777216) = 0 [pid 5058] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5058] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5058] close(3) = 0 [pid 5058] mkdir("./file0", 0777) = 0 [ 65.897889][ T5058] loop0: detected capacity change from 0 to 32768 [ 65.909789][ T5058] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 65.917991][ T5058] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 65.927683][ T5058] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 65.937316][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 65.944503][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5058] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5058] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5058] chdir("./file0") = 0 [pid 5058] ioctl(4, LOOP_CLR_FD) = 0 [pid 5058] close(4) = 0 [pid 5058] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5057] <... futex resumed>) = 0 [pid 5057] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5057] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5058] <... futex resumed>) = 1 [ 65.983083][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 65.992018][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 65.997564][ T5058] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 66.012719][ T5058] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 66.021388][ T5058] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 66.021388][ T5058] inode = 12 2341 [pid 5058] open("./file0", O_RDWR [pid 5057] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5057] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5057] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5057] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5057] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5057] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5060]}, 88) = 5060 [pid 5057] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5057] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5057] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5060 attached [pid 5060] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5060] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5060] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5060] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5060] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5057] <... futex resumed>) = 0 [pid 5057] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5057] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5060] <... futex resumed>) = 1 [pid 5060] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5060] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5057] <... futex resumed>) = 0 [ 66.021388][ T5058] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 66.040510][ T5058] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 66.049942][ T5058] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5058 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 66.060288][ T5058] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 66.068790][ T5058] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5060] <... futex resumed>) = 1 [ 66.076868][ T5058] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 66.086639][ T5058] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 66.093382][ T5058] gfs2: fsid=syz:syz.0: File system withdrawn [ 66.099591][ T5058] CPU: 1 PID: 5058 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 66.111331][ T5058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 66.121391][ T5058] Call Trace: [ 66.124682][ T5058] [ 66.127624][ T5058] dump_stack_lvl+0x1e7/0x2d0 [ 66.132327][ T5058] ? nf_tcp_handle_invalid+0x650/0x650 [ 66.137795][ T5058] ? panic+0x770/0x770 [ 66.141891][ T5058] gfs2_withdraw+0xc94/0x11e0 [ 66.146604][ T5058] gfs2_dirent_scan+0x512/0x640 [ 66.151471][ T5058] ? gfs2_permission+0x268/0x3c0 [ 66.156433][ T5058] ? gfs2_dirent_search+0x8c0/0x8c0 [ 66.161643][ T5058] gfs2_dirent_search+0x30e/0x8c0 [ 66.166675][ T5058] ? gfs2_dirent_search+0x8c0/0x8c0 [ 66.171875][ T5058] ? generic_permission+0x1df/0x550 [ 66.177072][ T5058] ? gfs2_dir_search+0x2f0/0x2f0 [ 66.182010][ T5058] ? gfs2_permission+0x34a/0x3c0 [ 66.186947][ T5058] gfs2_dir_search+0xb2/0x2f0 [ 66.191635][ T5058] ? do_filldir_main+0x520/0x520 [ 66.196593][ T5058] ? inode_go_held+0xea/0x200 [ 66.201334][ T5058] ? gfs2_glock_wait+0x21a/0x2b0 [ 66.206281][ T5058] gfs2_lookupi+0x460/0x5d0 [ 66.210801][ T5058] ? gfs2_lookup_simple+0x180/0x180 [ 66.216009][ T5058] ? __gfs2_lookup+0xa4/0x270 [ 66.220697][ T5058] __gfs2_lookup+0xa4/0x270 [ 66.225197][ T5058] ? gfs2_atomic_open+0x230/0x230 [ 66.230237][ T5058] ? __d_lookup+0x675/0x730 [ 66.234749][ T5058] ? d_hash_and_lookup+0x1b0/0x1b0 [ 66.239859][ T5058] gfs2_atomic_open+0x9e/0x230 [ 66.244624][ T5058] path_openat+0x1044/0x3180 [ 66.249221][ T5058] ? gfs2_rename2+0x25a0/0x25a0 [ 66.254087][ T5058] ? do_filp_open+0x490/0x490 [ 66.258773][ T5058] do_filp_open+0x234/0x490 [ 66.263278][ T5058] ? vfs_tmpfile+0x4b0/0x4b0 [ 66.267906][ T5058] ? _raw_spin_unlock+0x28/0x40 [ 66.272781][ T5058] ? alloc_fd+0x59c/0x640 [ 66.277143][ T5058] do_sys_openat2+0x13e/0x1d0 [ 66.281838][ T5058] ? do_sys_open+0x230/0x230 [ 66.286518][ T5058] ? lockdep_hardirqs_on+0x98/0x140 [ 66.291719][ T5058] ? _raw_spin_unlock_irq+0x2e/0x50 [ 66.296917][ T5058] ? ptrace_notify+0x278/0x380 [ 66.301691][ T5058] __x64_sys_open+0x225/0x270 [ 66.306372][ T5058] ? do_sys_openat2+0x1d0/0x1d0 [ 66.311228][ T5058] ? syscall_enter_from_user_mode+0x32/0x230 [ 66.317296][ T5058] ? syscall_enter_from_user_mode+0x8c/0x230 [ 66.323279][ T5058] do_syscall_64+0x41/0xc0 [ 66.327701][ T5058] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 66.333596][ T5058] RIP: 0033:0x7f012f71fa59 [ 66.338023][ T5058] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 66.358165][ T5058] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 66.366684][ T5058] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 66.374652][ T5058] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5060] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5058] <... open resumed>) = -1 EIO (Input/output error) [pid 5058] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5058] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5057] exit_group(0 [pid 5060] <... futex resumed>) = ? [pid 5058] <... futex resumed>) = ? [pid 5057] <... exit_group resumed>) = ? [pid 5060] +++ exited with 0 +++ [pid 5058] +++ exited with 0 +++ [pid 5057] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5057, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- umount2("./10", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./10/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/binderfs") = 0 [ 66.382615][ T5058] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 66.390579][ T5058] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 66.398630][ T5058] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 66.406697][ T5058] umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./10/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./10") = 0 mkdir("./11", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5061 ./strace-static-x86_64: Process 5061 attached [pid 5061] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5061] chdir("./11") = 0 [pid 5061] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5061] setpgid(0, 0) = 0 [pid 5061] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5061] write(3, "1000", 4) = 4 [pid 5061] close(3) = 0 [pid 5061] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5061] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5061] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5061] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5061] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5061] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5061] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5061] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5062 attached => {parent_tid=[5062]}, 88) = 5062 [pid 5061] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5061] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5061] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5062] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5062] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5062] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5062] memfd_create("syzkaller", 0) = 3 [pid 5062] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5062] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5062] munmap(0x7f01272bc000, 16777216) = 0 [pid 5062] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5062] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5062] close(3) = 0 [pid 5062] mkdir("./file0", 0777) = 0 [ 66.719161][ T5062] loop0: detected capacity change from 0 to 32768 [ 66.730787][ T5062] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 66.739199][ T5062] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 66.750055][ T5062] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 66.758784][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 66.765628][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5062] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5062] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5062] chdir("./file0") = 0 [pid 5062] ioctl(4, LOOP_CLR_FD) = 0 [pid 5062] close(4) = 0 [pid 5062] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5061] <... futex resumed>) = 0 [pid 5061] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5061] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5062] <... futex resumed>) = 1 [ 66.798990][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 66.808037][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 66.814313][ T5062] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 66.827912][ T5062] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 66.836748][ T5062] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 66.836748][ T5062] inode = 12 2341 [pid 5062] open("./file0", O_RDWR [pid 5061] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5061] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5061] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5061] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5061] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5061] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5064]}, 88) = 5064 [pid 5061] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5061] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5061] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5064 attached [pid 5064] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5064] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5064] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5064] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [ 66.836748][ T5062] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 66.855924][ T5062] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 66.865164][ T5062] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5062 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 66.875448][ T5062] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 66.884188][ T5062] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5064] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5061] <... futex resumed>) = 0 [pid 5061] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5061] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5064] <... futex resumed>) = 1 [pid 5064] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5064] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5061] <... futex resumed>) = 0 [pid 5064] <... futex resumed>) = 1 [ 66.891765][ T5062] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 66.901123][ T5062] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 66.908163][ T5062] gfs2: fsid=syz:syz.0: File system withdrawn [ 66.914517][ T5062] CPU: 0 PID: 5062 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 66.925037][ T5062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 66.935197][ T5062] Call Trace: [ 66.938670][ T5062] [ 66.941601][ T5062] dump_stack_lvl+0x1e7/0x2d0 [ 66.946280][ T5062] ? nf_tcp_handle_invalid+0x650/0x650 [ 66.951924][ T5062] ? panic+0x770/0x770 [ 66.956019][ T5062] gfs2_withdraw+0xc94/0x11e0 [ 66.960720][ T5062] gfs2_dirent_scan+0x512/0x640 [ 66.965579][ T5062] ? gfs2_permission+0x268/0x3c0 [ 66.970525][ T5062] ? gfs2_dirent_search+0x8c0/0x8c0 [ 66.975752][ T5062] gfs2_dirent_search+0x30e/0x8c0 [ 66.980797][ T5062] ? gfs2_dirent_search+0x8c0/0x8c0 [ 66.985995][ T5062] ? generic_permission+0x1df/0x550 [ 66.991201][ T5062] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5064] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5061] exit_group(0 [pid 5064] <... futex resumed>) = ? [pid 5061] <... exit_group resumed>) = ? [pid 5064] +++ exited with 0 +++ [ 66.996155][ T5062] ? gfs2_permission+0x34a/0x3c0 [ 67.001109][ T5062] gfs2_dir_search+0xb2/0x2f0 [ 67.005809][ T5062] ? do_filldir_main+0x520/0x520 [ 67.010778][ T5062] ? inode_go_held+0xea/0x200 [ 67.015473][ T5062] ? gfs2_glock_wait+0x21a/0x2b0 [ 67.020417][ T5062] gfs2_lookupi+0x460/0x5d0 [ 67.024943][ T5062] ? gfs2_lookup_simple+0x180/0x180 [ 67.030159][ T5062] ? __gfs2_lookup+0xa4/0x270 [ 67.034869][ T5062] __gfs2_lookup+0xa4/0x270 [ 67.039386][ T5062] ? gfs2_atomic_open+0x230/0x230 [ 67.044414][ T5062] ? __d_lookup+0x675/0x730 [ 67.049000][ T5062] ? d_hash_and_lookup+0x1b0/0x1b0 [ 67.054110][ T5062] gfs2_atomic_open+0x9e/0x230 [ 67.058890][ T5062] path_openat+0x1044/0x3180 [ 67.063498][ T5062] ? gfs2_rename2+0x25a0/0x25a0 [ 67.068374][ T5062] ? do_filp_open+0x490/0x490 [ 67.073075][ T5062] do_filp_open+0x234/0x490 [ 67.077582][ T5062] ? vfs_tmpfile+0x4b0/0x4b0 [ 67.082203][ T5062] ? _raw_spin_unlock+0x28/0x40 [ 67.087069][ T5062] ? alloc_fd+0x59c/0x640 [ 67.091404][ T5062] do_sys_openat2+0x13e/0x1d0 [ 67.096086][ T5062] ? do_sys_open+0x230/0x230 [ 67.100674][ T5062] ? lockdep_hardirqs_on+0x98/0x140 [ 67.105875][ T5062] ? _raw_spin_unlock_irq+0x2e/0x50 [ 67.111082][ T5062] ? ptrace_notify+0x278/0x380 [ 67.115843][ T5062] __x64_sys_open+0x225/0x270 [ 67.120538][ T5062] ? do_sys_openat2+0x1d0/0x1d0 [ 67.125414][ T5062] ? syscall_enter_from_user_mode+0x32/0x230 [ 67.131408][ T5062] ? syscall_enter_from_user_mode+0x8c/0x230 [ 67.137411][ T5062] do_syscall_64+0x41/0xc0 [ 67.141828][ T5062] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 67.147739][ T5062] RIP: 0033:0x7f012f71fa59 [ 67.152165][ T5062] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 67.171773][ T5062] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 67.180187][ T5062] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 67.188166][ T5062] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5062] <... open resumed>) = ? [pid 5062] +++ exited with 0 +++ [pid 5061] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5061, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=26 /* 0.26 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./11", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./11/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/binderfs") = 0 [ 67.196249][ T5062] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 67.204249][ T5062] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 67.212235][ T5062] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 67.220215][ T5062] umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./11/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./11") = 0 mkdir("./12", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5065 ./strace-static-x86_64: Process 5065 attached [pid 5065] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5065] chdir("./12") = 0 [pid 5065] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5065] setpgid(0, 0) = 0 [pid 5065] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5065] write(3, "1000", 4) = 4 [pid 5065] close(3) = 0 [pid 5065] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5065] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5065] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5065] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5065] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5065] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5065] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5065] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5066]}, 88) = 5066 ./strace-static-x86_64: Process 5066 attached [pid 5065] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5065] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5066] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5066] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5066] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5065] <... futex resumed>) = 0 [pid 5065] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5066] memfd_create("syzkaller", 0) = 3 [pid 5066] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5066] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5066] munmap(0x7f01272bc000, 16777216) = 0 [pid 5066] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5066] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5066] close(3) = 0 [pid 5066] mkdir("./file0", 0777) = 0 [ 67.532005][ T5066] loop0: detected capacity change from 0 to 32768 [ 67.542517][ T5066] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 67.551108][ T5066] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 67.560683][ T5066] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 67.569122][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 67.576063][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5066] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5066] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5066] chdir("./file0") = 0 [pid 5066] ioctl(4, LOOP_CLR_FD) = 0 [pid 5066] close(4) = 0 [pid 5066] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5065] <... futex resumed>) = 0 [pid 5066] open("./file0", O_RDWR [pid 5065] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 67.617388][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 67.624996][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 67.630336][ T5066] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 67.644120][ T5066] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 67.653322][ T5066] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 67.653322][ T5066] inode = 12 2341 [pid 5065] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5065] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5065] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5065] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5065] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5065] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5068]}, 88) = 5068 [pid 5065] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5065] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5065] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5068 attached [pid 5068] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5068] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5068] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5068] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5068] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5065] <... futex resumed>) = 0 [ 67.653322][ T5066] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 67.672428][ T5066] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 67.682127][ T5066] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5066 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 67.692347][ T5066] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 67.701105][ T5066] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 67.708364][ T5066] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5065] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5065] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5068] <... futex resumed>) = 1 [pid 5068] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5068] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5065] <... futex resumed>) = 0 [pid 5068] <... futex resumed>) = 1 [ 67.718523][ T5066] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 67.725712][ T5066] gfs2: fsid=syz:syz.0: File system withdrawn [ 67.731909][ T5066] CPU: 1 PID: 5066 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 67.742333][ T5066] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 67.752410][ T5066] Call Trace: [ 67.755700][ T5066] [ 67.758631][ T5066] dump_stack_lvl+0x1e7/0x2d0 [ 67.763349][ T5066] ? nf_tcp_handle_invalid+0x650/0x650 [ 67.768825][ T5066] ? panic+0x770/0x770 [ 67.772915][ T5066] gfs2_withdraw+0xc94/0x11e0 [ 67.777614][ T5066] gfs2_dirent_scan+0x512/0x640 [ 67.782506][ T5066] ? gfs2_permission+0x268/0x3c0 [ 67.787446][ T5066] ? gfs2_dirent_search+0x8c0/0x8c0 [ 67.792659][ T5066] gfs2_dirent_search+0x30e/0x8c0 [ 67.797710][ T5066] ? gfs2_dirent_search+0x8c0/0x8c0 [ 67.802993][ T5066] ? generic_permission+0x1df/0x550 [ 67.808214][ T5066] ? gfs2_dir_search+0x2f0/0x2f0 [ 67.813170][ T5066] ? gfs2_permission+0x34a/0x3c0 [pid 5068] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5065] exit_group(0 [pid 5068] <... futex resumed>) = ? [pid 5065] <... exit_group resumed>) = ? [pid 5068] +++ exited with 0 +++ [ 67.818108][ T5066] gfs2_dir_search+0xb2/0x2f0 [ 67.823066][ T5066] ? do_filldir_main+0x520/0x520 [ 67.828912][ T5066] ? inode_go_held+0xea/0x200 [ 67.833658][ T5066] ? gfs2_glock_wait+0x21a/0x2b0 [ 67.838614][ T5066] gfs2_lookupi+0x460/0x5d0 [ 67.843154][ T5066] ? gfs2_lookup_simple+0x180/0x180 [ 67.848385][ T5066] ? __gfs2_lookup+0xa4/0x270 [ 67.853086][ T5066] __gfs2_lookup+0xa4/0x270 [ 67.857613][ T5066] ? gfs2_atomic_open+0x230/0x230 [ 67.862638][ T5066] ? __d_lookup+0x675/0x730 [ 67.867142][ T5066] ? d_hash_and_lookup+0x1b0/0x1b0 [ 67.872254][ T5066] gfs2_atomic_open+0x9e/0x230 [ 67.877033][ T5066] path_openat+0x1044/0x3180 [ 67.881641][ T5066] ? gfs2_rename2+0x25a0/0x25a0 [ 67.886618][ T5066] ? do_filp_open+0x490/0x490 [ 67.891323][ T5066] do_filp_open+0x234/0x490 [ 67.895822][ T5066] ? vfs_tmpfile+0x4b0/0x4b0 [ 67.900431][ T5066] ? _raw_spin_unlock+0x28/0x40 [ 67.905293][ T5066] ? alloc_fd+0x59c/0x640 [ 67.909628][ T5066] do_sys_openat2+0x13e/0x1d0 [ 67.914332][ T5066] ? do_sys_open+0x230/0x230 [ 67.918952][ T5066] ? lockdep_hardirqs_on+0x98/0x140 [ 67.924166][ T5066] ? _raw_spin_unlock_irq+0x2e/0x50 [ 67.929380][ T5066] ? ptrace_notify+0x278/0x380 [ 67.934161][ T5066] __x64_sys_open+0x225/0x270 [ 67.938862][ T5066] ? do_sys_openat2+0x1d0/0x1d0 [ 67.943732][ T5066] ? syscall_enter_from_user_mode+0x32/0x230 [ 67.949740][ T5066] ? syscall_enter_from_user_mode+0x8c/0x230 [ 67.955734][ T5066] do_syscall_64+0x41/0xc0 [ 67.960153][ T5066] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 67.966160][ T5066] RIP: 0033:0x7f012f71fa59 [ 67.970588][ T5066] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 67.990213][ T5066] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 67.998662][ T5066] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 68.006674][ T5066] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5066] <... open resumed>) = ? [pid 5066] +++ exited with 0 +++ [pid 5065] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5065, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./12", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./12/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./12/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./12/binderfs") = 0 [ 68.014663][ T5066] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 68.022631][ T5066] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 68.030598][ T5066] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 68.038576][ T5066] umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./12/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./12/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./12") = 0 mkdir("./13", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5070 ./strace-static-x86_64: Process 5070 attached [pid 5070] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5070] chdir("./13") = 0 [pid 5070] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5070] setpgid(0, 0) = 0 [pid 5070] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5070] write(3, "1000", 4) = 4 [pid 5070] close(3) = 0 [pid 5070] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5070] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5070] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5070] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5070] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5070] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5070] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5071]}, 88) = 5071 ./strace-static-x86_64: Process 5071 attached [pid 5070] rt_sigprocmask(SIG_SETMASK, [], [pid 5071] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5070] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5070] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5071] <... rseq resumed>) = 0 [pid 5070] <... futex resumed>) = 0 [pid 5071] set_robust_list(0x7f012f6dc9a0, 24 [pid 5070] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5071] <... set_robust_list resumed>) = 0 [pid 5071] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5071] memfd_create("syzkaller", 0) = 3 [pid 5071] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5071] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5071] munmap(0x7f01272bc000, 16777216) = 0 [pid 5071] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5071] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5071] close(3) = 0 [pid 5071] mkdir("./file0", 0777) = 0 [ 68.361794][ T5071] loop0: detected capacity change from 0 to 32768 [ 68.373450][ T5071] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 68.381940][ T5071] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 68.391484][ T5071] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 68.400132][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 68.406919][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5071] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5071] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5071] chdir("./file0") = 0 [pid 5071] ioctl(4, LOOP_CLR_FD) = 0 [pid 5071] close(4) = 0 [pid 5071] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5070] <... futex resumed>) = 0 [pid 5070] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5071] <... futex resumed>) = 1 [ 68.447646][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 68.455971][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 68.461417][ T5071] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 68.480745][ T5071] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 68.489641][ T5071] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5071] open("./file0", O_RDWR [pid 5070] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5070] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5070] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5070] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5070] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5073]}, 88) = 5073 [pid 5070] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5070] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5073 attached [pid 5073] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5073] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5073] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5073] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5073] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5070] <... futex resumed>) = 0 [pid 5070] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5073] <... futex resumed>) = 1 [pid 5073] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5073] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5070] <... futex resumed>) = 0 [pid 5073] <... futex resumed>) = 1 [ 68.489641][ T5071] inode = 12 2341 [ 68.489641][ T5071] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 68.508827][ T5071] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 68.518410][ T5071] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5071 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 68.528643][ T5071] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 68.538136][ T5071] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 68.546320][ T5071] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 68.555199][ T5071] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 68.562784][ T5071] gfs2: fsid=syz:syz.0: File system withdrawn [ 68.568943][ T5071] CPU: 0 PID: 5071 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 68.579374][ T5071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 68.589435][ T5071] Call Trace: [ 68.592718][ T5071] [ 68.595642][ T5071] dump_stack_lvl+0x1e7/0x2d0 [ 68.600325][ T5071] ? nf_tcp_handle_invalid+0x650/0x650 [ 68.605784][ T5071] ? panic+0x770/0x770 [ 68.610031][ T5071] gfs2_withdraw+0xc94/0x11e0 [ 68.614713][ T5071] gfs2_dirent_scan+0x512/0x640 [ 68.619562][ T5071] ? gfs2_permission+0x268/0x3c0 [ 68.624494][ T5071] ? gfs2_dirent_search+0x8c0/0x8c0 [ 68.629690][ T5071] gfs2_dirent_search+0x30e/0x8c0 [ 68.634809][ T5071] ? gfs2_dirent_search+0x8c0/0x8c0 [ 68.640005][ T5071] ? generic_permission+0x1df/0x550 [ 68.645201][ T5071] ? gfs2_dir_search+0x2f0/0x2f0 [ 68.650147][ T5071] ? gfs2_permission+0x34a/0x3c0 [ 68.655086][ T5071] gfs2_dir_search+0xb2/0x2f0 [ 68.659762][ T5071] ? do_filldir_main+0x520/0x520 [ 68.664694][ T5071] ? inode_go_held+0xea/0x200 [ 68.669369][ T5071] ? gfs2_glock_wait+0x21a/0x2b0 [ 68.674300][ T5071] gfs2_lookupi+0x460/0x5d0 [ 68.678809][ T5071] ? gfs2_lookup_simple+0x180/0x180 [ 68.684008][ T5071] ? __gfs2_lookup+0xa4/0x270 [ 68.688696][ T5071] __gfs2_lookup+0xa4/0x270 [ 68.693197][ T5071] ? gfs2_atomic_open+0x230/0x230 [ 68.698228][ T5071] ? __d_lookup+0x675/0x730 [ 68.702727][ T5071] ? d_hash_and_lookup+0x1b0/0x1b0 [ 68.707848][ T5071] gfs2_atomic_open+0x9e/0x230 [ 68.712612][ T5071] path_openat+0x1044/0x3180 [ 68.717203][ T5071] ? gfs2_rename2+0x25a0/0x25a0 [ 68.722058][ T5071] ? do_filp_open+0x490/0x490 [ 68.726740][ T5071] do_filp_open+0x234/0x490 [ 68.731328][ T5071] ? vfs_tmpfile+0x4b0/0x4b0 [ 68.735924][ T5071] ? _raw_spin_unlock+0x28/0x40 [ 68.740772][ T5071] ? alloc_fd+0x59c/0x640 [ 68.745890][ T5071] do_sys_openat2+0x13e/0x1d0 [ 68.750582][ T5071] ? do_sys_open+0x230/0x230 [ 68.755167][ T5071] ? lockdep_hardirqs_on+0x98/0x140 [ 68.760359][ T5071] ? _raw_spin_unlock_irq+0x2e/0x50 [ 68.765639][ T5071] ? ptrace_notify+0x278/0x380 [ 68.770399][ T5071] __x64_sys_open+0x225/0x270 [ 68.775071][ T5071] ? do_sys_openat2+0x1d0/0x1d0 [ 68.779920][ T5071] ? syscall_enter_from_user_mode+0x32/0x230 [ 68.785900][ T5071] ? syscall_enter_from_user_mode+0x8c/0x230 [ 68.791880][ T5071] do_syscall_64+0x41/0xc0 [ 68.796295][ T5071] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 68.802192][ T5071] RIP: 0033:0x7f012f71fa59 [ 68.806601][ T5071] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 68.826464][ T5071] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 68.835051][ T5071] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5073] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5071] <... open resumed>) = -1 EIO (Input/output error) [pid 5071] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5071] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5070] exit_group(0 [pid 5073] <... futex resumed>) = ? [pid 5071] <... futex resumed>) = ? [pid 5073] +++ exited with 0 +++ [pid 5071] +++ exited with 0 +++ [pid 5070] <... exit_group resumed>) = ? [pid 5070] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5070, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=26 /* 0.26 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./13", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./13/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./13/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./13/binderfs") = 0 [ 68.843018][ T5071] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 68.850980][ T5071] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 68.858941][ T5071] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 68.866990][ T5071] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 68.874967][ T5071] umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./13/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./13/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./13") = 0 mkdir("./14", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5074 ./strace-static-x86_64: Process 5074 attached [pid 5074] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5074] chdir("./14") = 0 [pid 5074] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5074] setpgid(0, 0) = 0 [pid 5074] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5074] write(3, "1000", 4) = 4 [pid 5074] close(3) = 0 [pid 5074] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5074] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5074] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5074] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5074] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5074] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5074] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5075 attached => {parent_tid=[5075]}, 88) = 5075 [pid 5074] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5075] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5074] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5075] <... rseq resumed>) = 0 [pid 5074] <... futex resumed>) = 0 [pid 5074] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5075] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5075] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5075] memfd_create("syzkaller", 0) = 3 [pid 5075] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5075] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5075] munmap(0x7f01272bc000, 16777216) = 0 [pid 5075] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5075] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5075] close(3) = 0 [pid 5075] mkdir("./file0", 0777) = 0 [ 69.182258][ T5075] loop0: detected capacity change from 0 to 32768 [ 69.194553][ T5075] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 69.202843][ T5075] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 69.212200][ T5075] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 69.221165][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 69.227940][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5075] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5075] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5075] chdir("./file0") = 0 [pid 5075] ioctl(4, LOOP_CLR_FD) = 0 [pid 5075] close(4) = 0 [pid 5075] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5074] <... futex resumed>) = 0 [pid 5074] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5075] <... futex resumed>) = 1 [ 69.259432][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 31ms [ 69.266926][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 69.272282][ T5075] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 69.289059][ T5075] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 69.300698][ T5075] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5075] open("./file0", O_RDWR [pid 5074] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5074] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5074] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5074] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5074] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5077]}, 88) = 5077 [pid 5074] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5074] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5077 attached [pid 5077] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5077] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5077] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5077] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5077] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5074] <... futex resumed>) = 0 [pid 5074] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5077] <... futex resumed>) = 1 [pid 5077] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5077] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5074] <... futex resumed>) = 0 [pid 5077] <... futex resumed>) = 1 [ 69.300698][ T5075] inode = 12 2341 [ 69.300698][ T5075] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 69.319460][ T5075] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 69.328599][ T5075] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5075 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 69.338676][ T5075] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 69.348652][ T5075] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 69.356012][ T5075] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 69.364811][ T5075] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 69.371430][ T5075] gfs2: fsid=syz:syz.0: File system withdrawn [ 69.377604][ T5075] CPU: 0 PID: 5075 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 69.388030][ T5075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 69.398118][ T5075] Call Trace: [ 69.401412][ T5075] [ 69.404356][ T5075] dump_stack_lvl+0x1e7/0x2d0 [ 69.409054][ T5075] ? nf_tcp_handle_invalid+0x650/0x650 [ 69.414562][ T5075] ? panic+0x770/0x770 [ 69.418653][ T5075] gfs2_withdraw+0xc94/0x11e0 [ 69.423346][ T5075] gfs2_dirent_scan+0x512/0x640 [ 69.428205][ T5075] ? gfs2_permission+0x268/0x3c0 [ 69.433157][ T5075] ? gfs2_dirent_search+0x8c0/0x8c0 [ 69.438349][ T5075] gfs2_dirent_search+0x30e/0x8c0 [ 69.443470][ T5075] ? gfs2_dirent_search+0x8c0/0x8c0 [ 69.448680][ T5075] ? generic_permission+0x1df/0x550 [ 69.453985][ T5075] ? gfs2_dir_search+0x2f0/0x2f0 [ 69.458941][ T5075] ? gfs2_permission+0x34a/0x3c0 [ 69.463977][ T5075] gfs2_dir_search+0xb2/0x2f0 [ 69.468662][ T5075] ? do_filldir_main+0x520/0x520 [ 69.473689][ T5075] ? inode_go_held+0xea/0x200 [ 69.478456][ T5075] ? gfs2_glock_wait+0x21a/0x2b0 [ 69.483414][ T5075] gfs2_lookupi+0x460/0x5d0 [ 69.487916][ T5075] ? gfs2_lookup_simple+0x180/0x180 [ 69.493108][ T5075] ? __gfs2_lookup+0xa4/0x270 [ 69.497784][ T5075] __gfs2_lookup+0xa4/0x270 [ 69.502307][ T5075] ? gfs2_atomic_open+0x230/0x230 [ 69.507337][ T5075] ? __d_lookup+0x675/0x730 [ 69.511840][ T5075] ? d_hash_and_lookup+0x1b0/0x1b0 [ 69.517037][ T5075] gfs2_atomic_open+0x9e/0x230 [ 69.521806][ T5075] path_openat+0x1044/0x3180 [ 69.526403][ T5075] ? gfs2_rename2+0x25a0/0x25a0 [ 69.531262][ T5075] ? do_filp_open+0x490/0x490 [ 69.535945][ T5075] do_filp_open+0x234/0x490 [ 69.540533][ T5075] ? vfs_tmpfile+0x4b0/0x4b0 [ 69.545668][ T5075] ? _raw_spin_unlock+0x28/0x40 [ 69.550536][ T5075] ? alloc_fd+0x59c/0x640 [ 69.554885][ T5075] do_sys_openat2+0x13e/0x1d0 [ 69.559571][ T5075] ? do_sys_open+0x230/0x230 [ 69.564165][ T5075] ? lockdep_hardirqs_on+0x98/0x140 [ 69.569371][ T5075] ? _raw_spin_unlock_irq+0x2e/0x50 [ 69.574568][ T5075] ? ptrace_notify+0x278/0x380 [ 69.579329][ T5075] __x64_sys_open+0x225/0x270 [ 69.584007][ T5075] ? do_sys_openat2+0x1d0/0x1d0 [ 69.588853][ T5075] ? syscall_enter_from_user_mode+0x32/0x230 [ 69.594833][ T5075] ? syscall_enter_from_user_mode+0x8c/0x230 [ 69.600819][ T5075] do_syscall_64+0x41/0xc0 [ 69.605232][ T5075] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 69.611216][ T5075] RIP: 0033:0x7f012f71fa59 [ 69.615628][ T5075] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 69.635317][ T5075] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 69.643729][ T5075] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 69.651700][ T5075] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5077] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5075] <... open resumed>) = -1 EIO (Input/output error) [pid 5075] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5074] exit_group(0) = ? [pid 5077] <... futex resumed>) = ? [pid 5075] <... futex resumed>) = ? [pid 5077] +++ exited with 0 +++ [pid 5075] +++ exited with 0 +++ [pid 5074] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5074, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=29 /* 0.29 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./14", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./14/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./14/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./14/binderfs") = 0 [ 69.659668][ T5075] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.667632][ T5075] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 69.675600][ T5075] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 69.683673][ T5075] umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./14/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./14/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./14") = 0 mkdir("./15", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5078 ./strace-static-x86_64: Process 5078 attached [pid 5078] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5078] chdir("./15") = 0 [pid 5078] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5078] setpgid(0, 0) = 0 [pid 5078] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5078] write(3, "1000", 4) = 4 [pid 5078] close(3) = 0 [pid 5078] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5078] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5078] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5078] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5078] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5078] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5078] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5079]}, 88) = 5079 [pid 5078] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5078] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5079 attached [pid 5079] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5079] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5079] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5079] memfd_create("syzkaller", 0) = 3 [pid 5079] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5079] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5079] munmap(0x7f01272bc000, 16777216) = 0 [pid 5079] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5079] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5079] close(3) = 0 [pid 5079] mkdir("./file0", 0777) = 0 [ 69.986361][ T5079] loop0: detected capacity change from 0 to 32768 [ 69.998210][ T5079] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 70.006479][ T5079] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 70.015471][ T5079] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 70.024663][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 70.031806][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5079] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5079] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5079] chdir("./file0") = 0 [pid 5079] ioctl(4, LOOP_CLR_FD) = 0 [pid 5079] close(4) = 0 [pid 5079] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5078] <... futex resumed>) = 0 [pid 5078] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5079] <... futex resumed>) = 1 [ 70.070660][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 70.078939][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 70.084308][ T5079] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 70.097668][ T5079] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 70.106162][ T5079] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 70.106162][ T5079] inode = 12 2341 [pid 5079] open("./file0", O_RDWR [pid 5078] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5078] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 70.106162][ T5079] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 70.125157][ T5079] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 70.134731][ T5079] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5079 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 70.144902][ T5079] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 70.153573][ T5079] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 70.162586][ T5079] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5078] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5078] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5078] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5078] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5081]}, 88) = 5081 [pid 5078] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5078] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5081 attached [pid 5081] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5081] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5081] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5081] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5081] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5078] <... futex resumed>) = 0 [pid 5078] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5081] <... futex resumed>) = 1 [pid 5081] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5081] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5078] <... futex resumed>) = 0 [pid 5081] <... futex resumed>) = 1 [ 70.171500][ T5079] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 70.180045][ T5079] gfs2: fsid=syz:syz.0: File system withdrawn [ 70.186162][ T5079] CPU: 0 PID: 5079 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 70.196686][ T5079] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 70.206741][ T5079] Call Trace: [ 70.210025][ T5079] [ 70.212972][ T5079] dump_stack_lvl+0x1e7/0x2d0 [ 70.217671][ T5079] ? nf_tcp_handle_invalid+0x650/0x650 [ 70.223136][ T5079] ? panic+0x770/0x770 [ 70.227213][ T5079] gfs2_withdraw+0xc94/0x11e0 [ 70.231897][ T5079] gfs2_dirent_scan+0x512/0x640 [ 70.236762][ T5079] ? gfs2_permission+0x268/0x3c0 [ 70.241709][ T5079] ? gfs2_dirent_search+0x8c0/0x8c0 [ 70.246904][ T5079] gfs2_dirent_search+0x30e/0x8c0 [ 70.251937][ T5079] ? gfs2_dirent_search+0x8c0/0x8c0 [ 70.257145][ T5079] ? generic_permission+0x1df/0x550 [ 70.262336][ T5079] ? gfs2_dir_search+0x2f0/0x2f0 [ 70.267279][ T5079] ? gfs2_permission+0x34a/0x3c0 [ 70.272235][ T5079] gfs2_dir_search+0xb2/0x2f0 [ 70.276923][ T5079] ? do_filldir_main+0x520/0x520 [ 70.281882][ T5079] ? inode_go_held+0xea/0x200 [ 70.286591][ T5079] ? gfs2_glock_wait+0x21a/0x2b0 [ 70.291533][ T5079] gfs2_lookupi+0x460/0x5d0 [ 70.296045][ T5079] ? gfs2_lookup_simple+0x180/0x180 [ 70.301243][ T5079] ? __gfs2_lookup+0xa4/0x270 [ 70.305917][ T5079] __gfs2_lookup+0xa4/0x270 [ 70.310414][ T5079] ? gfs2_atomic_open+0x230/0x230 [ 70.315460][ T5079] ? __d_lookup+0x675/0x730 [ 70.320071][ T5079] ? d_hash_and_lookup+0x1b0/0x1b0 [ 70.325191][ T5079] gfs2_atomic_open+0x9e/0x230 [ 70.329966][ T5079] path_openat+0x1044/0x3180 [ 70.334557][ T5079] ? gfs2_rename2+0x25a0/0x25a0 [ 70.339432][ T5079] ? do_filp_open+0x490/0x490 [ 70.344116][ T5079] do_filp_open+0x234/0x490 [ 70.348613][ T5079] ? vfs_tmpfile+0x4b0/0x4b0 [ 70.353236][ T5079] ? _raw_spin_unlock+0x28/0x40 [ 70.358084][ T5079] ? alloc_fd+0x59c/0x640 [ 70.362421][ T5079] do_sys_openat2+0x13e/0x1d0 [ 70.367099][ T5079] ? do_sys_open+0x230/0x230 [ 70.371688][ T5079] ? lockdep_hardirqs_on+0x98/0x140 [ 70.376902][ T5079] ? _raw_spin_unlock_irq+0x2e/0x50 [ 70.382199][ T5079] ? ptrace_notify+0x278/0x380 [ 70.386967][ T5079] __x64_sys_open+0x225/0x270 [ 70.391668][ T5079] ? do_sys_openat2+0x1d0/0x1d0 [ 70.396541][ T5079] ? syscall_enter_from_user_mode+0x32/0x230 [ 70.402535][ T5079] ? syscall_enter_from_user_mode+0x8c/0x230 [ 70.408524][ T5079] do_syscall_64+0x41/0xc0 [ 70.412938][ T5079] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 70.418830][ T5079] RIP: 0033:0x7f012f71fa59 [ 70.423238][ T5079] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 70.442856][ T5079] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 70.451272][ T5079] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 70.459263][ T5079] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5081] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5079] <... open resumed>) = -1 EIO (Input/output error) [pid 5079] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5078] exit_group(0 [pid 5079] <... futex resumed>) = ? [pid 5078] <... exit_group resumed>) = ? [pid 5079] +++ exited with 0 +++ [pid 5081] <... futex resumed>) = ? [pid 5081] +++ exited with 0 +++ [pid 5078] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5078, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=29 /* 0.29 s */} --- umount2("./15", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./15/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./15/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./15/binderfs") = 0 [ 70.467252][ T5079] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 70.475382][ T5079] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 70.483351][ T5079] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 70.491346][ T5079] umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./15/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./15/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./15") = 0 mkdir("./16", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5082 ./strace-static-x86_64: Process 5082 attached [pid 5082] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5082] chdir("./16") = 0 [pid 5082] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5082] setpgid(0, 0) = 0 [pid 5082] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5082] write(3, "1000", 4) = 4 [pid 5082] close(3) = 0 [pid 5082] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5082] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5082] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5082] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5082] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5082] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5082] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5082] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5083]}, 88) = 5083 [pid 5082] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5082] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5082] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5083 attached [pid 5083] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5083] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5083] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5083] memfd_create("syzkaller", 0) = 3 [pid 5083] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5083] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5083] munmap(0x7f01272bc000, 16777216) = 0 [pid 5083] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5083] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5083] close(3) = 0 [pid 5083] mkdir("./file0", 0777) = 0 [ 70.801559][ T5083] loop0: detected capacity change from 0 to 32768 [ 70.812581][ T5083] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 70.820843][ T5083] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 70.830718][ T5083] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 70.839107][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 70.846356][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5083] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5083] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5083] chdir("./file0") = 0 [pid 5083] ioctl(4, LOOP_CLR_FD) = 0 [pid 5083] close(4) = 0 [pid 5083] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5082] <... futex resumed>) = 0 [pid 5082] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5082] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5083] <... futex resumed>) = 1 [ 70.885528][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 70.893082][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 70.898338][ T5083] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 70.910742][ T5083] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 70.919226][ T5083] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 70.919226][ T5083] inode = 12 2341 [pid 5083] open("./file0", O_RDWR [pid 5082] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5082] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5082] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5082] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5082] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5082] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5082] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5085]}, 88) = 5085 [pid 5082] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5082] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5082] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5085 attached [pid 5085] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5085] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5085] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5085] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5085] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5082] <... futex resumed>) = 0 [pid 5082] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5082] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5085] <... futex resumed>) = 1 [pid 5085] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5085] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5082] <... futex resumed>) = 0 [pid 5085] <... futex resumed>) = 1 [ 70.919226][ T5083] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 70.938398][ T5083] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 70.947785][ T5083] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5083 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 70.958509][ T5083] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 70.967808][ T5083] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 70.975760][ T5083] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 70.984635][ T5083] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 70.991665][ T5083] gfs2: fsid=syz:syz.0: File system withdrawn [ 70.998089][ T5083] CPU: 0 PID: 5083 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 71.008594][ T5083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 71.018641][ T5083] Call Trace: [ 71.021912][ T5083] [ 71.024837][ T5083] dump_stack_lvl+0x1e7/0x2d0 [ 71.029603][ T5083] ? nf_tcp_handle_invalid+0x650/0x650 [ 71.035051][ T5083] ? panic+0x770/0x770 [ 71.039135][ T5083] gfs2_withdraw+0xc94/0x11e0 [ 71.043839][ T5083] gfs2_dirent_scan+0x512/0x640 [ 71.048699][ T5083] ? gfs2_permission+0x268/0x3c0 [ 71.053641][ T5083] ? gfs2_dirent_search+0x8c0/0x8c0 [ 71.058856][ T5083] gfs2_dirent_search+0x30e/0x8c0 [ 71.063880][ T5083] ? gfs2_dirent_search+0x8c0/0x8c0 [ 71.069069][ T5083] ? generic_permission+0x1df/0x550 [ 71.074258][ T5083] ? gfs2_dir_search+0x2f0/0x2f0 [ 71.079199][ T5083] ? gfs2_permission+0x34a/0x3c0 [ 71.084489][ T5083] gfs2_dir_search+0xb2/0x2f0 [ 71.089170][ T5083] ? do_filldir_main+0x520/0x520 [ 71.094103][ T5083] ? inode_go_held+0xea/0x200 [ 71.098774][ T5083] ? gfs2_glock_wait+0x21a/0x2b0 [ 71.103706][ T5083] gfs2_lookupi+0x460/0x5d0 [ 71.108340][ T5083] ? gfs2_lookup_simple+0x180/0x180 [ 71.113543][ T5083] ? __gfs2_lookup+0xa4/0x270 [ 71.118233][ T5083] __gfs2_lookup+0xa4/0x270 [ 71.122735][ T5083] ? gfs2_atomic_open+0x230/0x230 [ 71.127760][ T5083] ? __d_lookup+0x675/0x730 [ 71.132271][ T5083] ? d_hash_and_lookup+0x1b0/0x1b0 [ 71.137401][ T5083] gfs2_atomic_open+0x9e/0x230 [ 71.142159][ T5083] path_openat+0x1044/0x3180 [ 71.146742][ T5083] ? gfs2_rename2+0x25a0/0x25a0 [ 71.151593][ T5083] ? do_filp_open+0x490/0x490 [ 71.156357][ T5083] do_filp_open+0x234/0x490 [ 71.160849][ T5083] ? vfs_tmpfile+0x4b0/0x4b0 [ 71.165438][ T5083] ? _raw_spin_unlock+0x28/0x40 [ 71.170277][ T5083] ? alloc_fd+0x59c/0x640 [ 71.174602][ T5083] do_sys_openat2+0x13e/0x1d0 [ 71.179537][ T5083] ? do_sys_open+0x230/0x230 [ 71.184125][ T5083] ? lockdep_hardirqs_on+0x98/0x140 [ 71.189328][ T5083] ? _raw_spin_unlock_irq+0x2e/0x50 [ 71.194702][ T5083] ? ptrace_notify+0x278/0x380 [ 71.199455][ T5083] __x64_sys_open+0x225/0x270 [ 71.204127][ T5083] ? do_sys_openat2+0x1d0/0x1d0 [ 71.208966][ T5083] ? syscall_enter_from_user_mode+0x32/0x230 [ 71.214942][ T5083] ? syscall_enter_from_user_mode+0x8c/0x230 [ 71.220919][ T5083] do_syscall_64+0x41/0xc0 [ 71.225412][ T5083] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 71.231303][ T5083] RIP: 0033:0x7f012f71fa59 [ 71.235704][ T5083] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 71.261061][ T5083] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 71.275092][ T5083] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5085] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5083] <... open resumed>) = -1 EIO (Input/output error) [pid 5083] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5082] exit_group(0 [pid 5085] <... futex resumed>) = ? [pid 5082] <... exit_group resumed>) = ? [pid 5085] +++ exited with 0 +++ [pid 5083] <... futex resumed>) = ? [pid 5083] +++ exited with 0 +++ [pid 5082] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5082, si_uid=0, si_status=0, si_utime=0, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./16", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./16/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./16/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./16/binderfs") = 0 [ 71.284371][ T5083] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 71.292423][ T5083] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 71.300556][ T5083] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 71.308518][ T5083] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 71.316667][ T5083] umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./16/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./16/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./16") = 0 mkdir("./17", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5086 ./strace-static-x86_64: Process 5086 attached [pid 5086] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5086] chdir("./17") = 0 [pid 5086] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5086] setpgid(0, 0) = 0 [pid 5086] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5086] write(3, "1000", 4) = 4 [pid 5086] close(3) = 0 [pid 5086] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5086] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5086] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5086] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5086] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5086] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5086] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5087]}, 88) = 5087 [pid 5086] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5086] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5087 attached [pid 5087] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5087] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5087] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5087] memfd_create("syzkaller", 0) = 3 [pid 5087] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5087] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5087] munmap(0x7f01272bc000, 16777216) = 0 [pid 5087] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5087] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5087] close(3) = 0 [pid 5087] mkdir("./file0", 0777) = 0 [ 71.737265][ T5087] loop0: detected capacity change from 0 to 32768 [ 71.755035][ T5087] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 71.764227][ T5087] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 71.774996][ T5087] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 71.784112][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 71.791094][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5087] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5087] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5087] chdir("./file0") = 0 [pid 5087] ioctl(4, LOOP_CLR_FD) = 0 [pid 5087] close(4) = 0 [pid 5087] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5086] <... futex resumed>) = 0 [pid 5086] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 71.857708][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 66ms [ 71.867614][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 71.873478][ T5087] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5087] open("./file0", O_RDWR [pid 5086] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5086] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5086] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5086] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [ 71.903072][ T5087] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 71.932945][ T5087] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 71.932945][ T5087] inode = 12 2341 [ 71.932945][ T5087] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [pid 5086] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5089]}, 88) = 5089 [pid 5086] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5086] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5089 attached [pid 5089] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5089] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5089] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 71.953885][ T5087] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 71.964223][ T5087] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5087 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 71.964907][ T5089] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 71.975042][ T5087] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5089 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 71.993535][ T5087] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5089] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5086] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5086] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5086] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5086] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5086] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5090]}, 88) = 5090 [pid 5086] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5086] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5090 attached [pid 5090] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5090] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5090] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5090] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5090] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5086] <... futex resumed>) = 0 [ 71.999348][ T5089] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 71.999348][ T5089] inode = 12 2341 [ 71.999348][ T5089] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 72.022125][ T5087] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 72.034172][ T5087] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 72.043204][ T5089] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 72.055770][ T5087] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 72.062411][ T5089] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5087 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 72.075244][ T5087] gfs2: fsid=syz:syz.0: File system withdrawn [ 72.081895][ T5089] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5089 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 72.082121][ T5087] CPU: 0 PID: 5087 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 72.100845][ T5089] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 72.102290][ T5087] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 72.120755][ T5087] Call Trace: [ 72.124026][ T5087] [ 72.126946][ T5087] dump_stack_lvl+0x1e7/0x2d0 [ 72.131620][ T5087] ? nf_tcp_handle_invalid+0x650/0x650 [ 72.137077][ T5087] ? panic+0x770/0x770 [ 72.141148][ T5087] gfs2_withdraw+0xc94/0x11e0 [ 72.145832][ T5087] gfs2_dirent_scan+0x512/0x640 [ 72.150691][ T5087] ? gfs2_permission+0x268/0x3c0 [ 72.155742][ T5087] ? gfs2_dirent_search+0x8c0/0x8c0 [ 72.160951][ T5087] gfs2_dirent_search+0x30e/0x8c0 [ 72.165972][ T5087] ? gfs2_dirent_search+0x8c0/0x8c0 [ 72.171164][ T5087] ? generic_permission+0x1df/0x550 [ 72.176456][ T5087] ? gfs2_dir_search+0x2f0/0x2f0 [ 72.181477][ T5087] ? gfs2_permission+0x34a/0x3c0 [ 72.186407][ T5087] gfs2_dir_search+0xb2/0x2f0 [ 72.191087][ T5087] ? do_filldir_main+0x520/0x520 [ 72.196021][ T5087] ? inode_go_held+0xea/0x200 [ 72.200705][ T5087] ? gfs2_glock_wait+0x21a/0x2b0 [pid 5090] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5086] exit_group(0 [pid 5090] <... futex resumed>) = ? [pid 5086] <... exit_group resumed>) = ? [pid 5090] +++ exited with 0 +++ [ 72.205667][ T5087] gfs2_lookupi+0x460/0x5d0 [ 72.210185][ T5087] ? gfs2_lookup_simple+0x180/0x180 [ 72.215378][ T5087] ? __gfs2_lookup+0xa4/0x270 [ 72.220093][ T5087] __gfs2_lookup+0xa4/0x270 [ 72.224604][ T5087] ? gfs2_atomic_open+0x230/0x230 [ 72.229653][ T5087] ? __d_lookup+0x675/0x730 [ 72.234163][ T5087] ? d_hash_and_lookup+0x1b0/0x1b0 [ 72.239276][ T5087] gfs2_atomic_open+0x9e/0x230 [ 72.244133][ T5087] path_openat+0x1044/0x3180 [ 72.248712][ T5087] ? gfs2_rename2+0x25a0/0x25a0 [ 72.253559][ T5087] ? do_filp_open+0x490/0x490 [ 72.258239][ T5087] do_filp_open+0x234/0x490 [ 72.262733][ T5087] ? vfs_tmpfile+0x4b0/0x4b0 [ 72.267320][ T5087] ? _raw_spin_unlock+0x28/0x40 [ 72.272190][ T5087] ? alloc_fd+0x59c/0x640 [ 72.276548][ T5087] do_sys_openat2+0x13e/0x1d0 [ 72.281216][ T5087] ? do_sys_open+0x230/0x230 [ 72.285815][ T5087] ? lockdep_hardirqs_on+0x98/0x140 [ 72.291020][ T5087] ? _raw_spin_unlock_irq+0x2e/0x50 [ 72.296232][ T5087] ? ptrace_notify+0x278/0x380 [ 72.300999][ T5087] __x64_sys_open+0x225/0x270 [ 72.305676][ T5087] ? do_sys_openat2+0x1d0/0x1d0 [ 72.310520][ T5087] ? syscall_enter_from_user_mode+0x32/0x230 [ 72.316685][ T5087] ? syscall_enter_from_user_mode+0x8c/0x230 [ 72.322855][ T5087] do_syscall_64+0x41/0xc0 [ 72.327300][ T5087] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 72.333251][ T5087] RIP: 0033:0x7f012f71fa59 [ 72.337872][ T5087] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 72.357581][ T5087] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 72.366185][ T5087] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 72.374170][ T5087] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 72.382222][ T5087] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 72.390178][ T5087] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 72.398129][ T5087] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [pid 5089] <... openat resumed>) = ? [pid 5087] <... open resumed>) = ? [pid 5087] +++ exited with 0 +++ [pid 5089] +++ exited with 0 +++ [pid 5086] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5086, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=48 /* 0.48 s */} --- umount2("./17", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./17/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./17/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./17/binderfs") = 0 [ 72.406096][ T5087] umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./17/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./17/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./17") = 0 mkdir("./18", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5091 ./strace-static-x86_64: Process 5091 attached [pid 5091] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5091] chdir("./18") = 0 [pid 5091] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5091] setpgid(0, 0) = 0 [pid 5091] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5091] write(3, "1000", 4) = 4 [pid 5091] close(3) = 0 [pid 5091] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5091] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5091] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5091] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5091] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5091] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5091] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5092]}, 88) = 5092 [pid 5091] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5091] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5092 attached [pid 5092] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5092] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5092] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5092] memfd_create("syzkaller", 0) = 3 [pid 5092] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5092] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5092] munmap(0x7f01272bc000, 16777216) = 0 [pid 5092] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5092] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5092] close(3) = 0 [pid 5092] mkdir("./file0", 0777) = 0 [ 72.728004][ T5092] loop0: detected capacity change from 0 to 32768 [ 72.739875][ T5092] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 72.748159][ T5092] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 72.758138][ T5092] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 72.766727][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 72.773887][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5092] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5092] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5092] chdir("./file0") = 0 [pid 5092] ioctl(4, LOOP_CLR_FD) = 0 [pid 5092] close(4) = 0 [pid 5092] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5091] <... futex resumed>) = 0 [pid 5091] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5092] <... futex resumed>) = 1 [ 72.805846][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 31ms [ 72.814178][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 72.819522][ T5092] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 72.836740][ T5092] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 72.847138][ T5092] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5092] open("./file0", O_RDWR [pid 5091] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5091] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5091] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5091] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5091] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5094]}, 88) = 5094 [pid 5091] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5091] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5094 attached [pid 5094] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5094] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5094] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 72.847138][ T5092] inode = 12 2341 [ 72.847138][ T5092] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 72.866561][ T5092] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 72.876065][ T5092] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5092 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 72.886768][ T5092] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 72.895482][ T5094] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5094] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5091] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 72.896137][ T5092] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 72.904578][ T5094] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 72.912830][ T5092] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 72.920779][ T5094] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5092 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 72.929666][ T5092] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 72.939713][ T5094] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5094 [syz-executor198] __gfs2_lookup+0xa4/0x270 [pid 5091] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5091] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5091] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5091] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5095]}, 88) = 5095 [pid 5091] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5091] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5095 attached [pid 5095] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5095] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5095] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5095] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5095] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5091] <... futex resumed>) = 0 [pid 5095] <... futex resumed>) = 1 [ 72.946141][ T5092] gfs2: fsid=syz:syz.0: File system withdrawn [ 72.962905][ T5092] CPU: 1 PID: 5092 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 72.968962][ T5094] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 72.973442][ T5092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 72.973458][ T5092] Call Trace: [ 72.973466][ T5092] [ 72.973474][ T5092] dump_stack_lvl+0x1e7/0x2d0 [ 72.973502][ T5092] ? nf_tcp_handle_invalid+0x650/0x650 [ 72.973522][ T5092] ? panic+0x770/0x770 [ 72.973552][ T5092] gfs2_withdraw+0xc94/0x11e0 [ 72.973581][ T5092] gfs2_dirent_scan+0x512/0x640 [ 73.021945][ T5092] ? gfs2_permission+0x268/0x3c0 [ 73.026887][ T5092] ? gfs2_dirent_search+0x8c0/0x8c0 [ 73.032088][ T5092] gfs2_dirent_search+0x30e/0x8c0 [ 73.037111][ T5092] ? gfs2_dirent_search+0x8c0/0x8c0 [ 73.042305][ T5092] ? generic_permission+0x1df/0x550 [ 73.047497][ T5092] ? gfs2_dir_search+0x2f0/0x2f0 [ 73.052437][ T5092] ? gfs2_permission+0x34a/0x3c0 [ 73.057386][ T5092] gfs2_dir_search+0xb2/0x2f0 [ 73.062066][ T5092] ? do_filldir_main+0x520/0x520 [ 73.066998][ T5092] ? inode_go_held+0xea/0x200 [ 73.071674][ T5092] ? gfs2_glock_wait+0x21a/0x2b0 [ 73.076607][ T5092] gfs2_lookupi+0x460/0x5d0 [ 73.081113][ T5092] ? gfs2_lookup_simple+0x180/0x180 [ 73.086316][ T5092] ? __gfs2_lookup+0xa4/0x270 [ 73.091020][ T5092] __gfs2_lookup+0xa4/0x270 [ 73.095569][ T5092] ? gfs2_atomic_open+0x230/0x230 [ 73.100620][ T5092] ? __d_lookup+0x675/0x730 [ 73.105128][ T5092] ? d_hash_and_lookup+0x1b0/0x1b0 [ 73.110249][ T5092] gfs2_atomic_open+0x9e/0x230 [ 73.115026][ T5092] path_openat+0x1044/0x3180 [ 73.119620][ T5092] ? gfs2_rename2+0x25a0/0x25a0 [ 73.124476][ T5092] ? do_filp_open+0x490/0x490 [ 73.129259][ T5092] do_filp_open+0x234/0x490 [ 73.133780][ T5092] ? vfs_tmpfile+0x4b0/0x4b0 [ 73.138379][ T5092] ? _raw_spin_unlock+0x28/0x40 [ 73.143226][ T5092] ? alloc_fd+0x59c/0x640 [ 73.147559][ T5092] do_sys_openat2+0x13e/0x1d0 [ 73.152232][ T5092] ? do_sys_open+0x230/0x230 [ 73.156818][ T5092] ? lockdep_hardirqs_on+0x98/0x140 [ 73.162026][ T5092] ? _raw_spin_unlock_irq+0x2e/0x50 [ 73.167226][ T5092] ? ptrace_notify+0x278/0x380 [ 73.171988][ T5092] __x64_sys_open+0x225/0x270 [ 73.176668][ T5092] ? do_sys_openat2+0x1d0/0x1d0 [ 73.181520][ T5092] ? syscall_enter_from_user_mode+0x32/0x230 [ 73.187501][ T5092] ? syscall_enter_from_user_mode+0x8c/0x230 [ 73.193480][ T5092] do_syscall_64+0x41/0xc0 [ 73.197901][ T5092] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 73.203794][ T5092] RIP: 0033:0x7f012f71fa59 [ 73.208202][ T5092] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 73.228160][ T5092] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 73.236571][ T5092] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 73.244548][ T5092] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5095] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5092] <... open resumed>) = -1 EIO (Input/output error) [pid 5092] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5092] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5094] <... openat resumed>) = -1 EIO (Input/output error) [pid 5094] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5094] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] exit_group(0 [pid 5095] <... futex resumed>) = ? [pid 5092] <... futex resumed>) = ? [pid 5091] <... exit_group resumed>) = ? [pid 5095] +++ exited with 0 +++ [pid 5092] +++ exited with 0 +++ [pid 5094] <... futex resumed>) = ? [pid 5094] +++ exited with 0 +++ [pid 5091] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5091, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=39 /* 0.39 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./18", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./18/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./18/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 73.252516][ T5092] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 73.260479][ T5092] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 73.268441][ T5092] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 73.277727][ T5092] unlink("./18/binderfs") = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./18/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./18/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./18") = 0 mkdir("./19", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5096 ./strace-static-x86_64: Process 5096 attached [pid 5096] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5096] chdir("./19") = 0 [pid 5096] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5096] setpgid(0, 0) = 0 [pid 5096] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5096] write(3, "1000", 4) = 4 [pid 5096] close(3) = 0 [pid 5096] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5096] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5096] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5096] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5096] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5096] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5096] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5096] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5097 attached => {parent_tid=[5097]}, 88) = 5097 [pid 5096] rt_sigprocmask(SIG_SETMASK, [], [pid 5097] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5096] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5096] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5097] set_robust_list(0x7f012f6dc9a0, 24 [pid 5096] <... futex resumed>) = 0 [pid 5097] <... set_robust_list resumed>) = 0 [pid 5096] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5097] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5097] memfd_create("syzkaller", 0) = 3 [pid 5097] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5097] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5097] munmap(0x7f01272bc000, 16777216) = 0 [pid 5097] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5097] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5097] close(3) = 0 [pid 5097] mkdir("./file0", 0777) = 0 [ 73.623141][ T5097] loop0: detected capacity change from 0 to 32768 [ 73.634299][ T5097] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 73.642580][ T5097] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 73.651496][ T5097] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 73.660372][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 73.667398][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5097] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5097] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5097] chdir("./file0") = 0 [pid 5097] ioctl(4, LOOP_CLR_FD) = 0 [pid 5097] close(4) = 0 [pid 5097] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5096] <... futex resumed>) = 0 [pid 5096] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5096] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5097] <... futex resumed>) = 1 [ 73.705809][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 73.714780][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 73.720168][ T5097] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 73.737823][ T5097] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 73.746721][ T5097] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5097] open("./file0", O_RDWR [pid 5096] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5096] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5096] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5096] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5096] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5096] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5099]}, 88) = 5099 [pid 5096] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5096] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5096] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5099 attached [pid 5099] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5099] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5099] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5099] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5099] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5096] <... futex resumed>) = 0 [pid 5096] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5096] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5099] <... futex resumed>) = 1 [pid 5099] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5099] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5096] <... futex resumed>) = 0 [pid 5099] <... futex resumed>) = 1 [ 73.746721][ T5097] inode = 12 2341 [ 73.746721][ T5097] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 73.766030][ T5097] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 73.775580][ T5097] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5097 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 73.785739][ T5097] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 73.794295][ T5097] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 73.801573][ T5097] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 73.810385][ T5097] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 73.817829][ T5097] gfs2: fsid=syz:syz.0: File system withdrawn [ 73.824282][ T5097] CPU: 1 PID: 5097 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 73.834770][ T5097] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 73.844982][ T5097] Call Trace: [ 73.848246][ T5097] [ 73.851168][ T5097] dump_stack_lvl+0x1e7/0x2d0 [ 73.855832][ T5097] ? nf_tcp_handle_invalid+0x650/0x650 [ 73.861319][ T5097] ? panic+0x770/0x770 [ 73.865397][ T5097] gfs2_withdraw+0xc94/0x11e0 [ 73.870066][ T5097] gfs2_dirent_scan+0x512/0x640 [ 73.874904][ T5097] ? gfs2_permission+0x268/0x3c0 [ 73.879830][ T5097] ? gfs2_dirent_search+0x8c0/0x8c0 [ 73.885016][ T5097] gfs2_dirent_search+0x30e/0x8c0 [ 73.890029][ T5097] ? gfs2_dirent_search+0x8c0/0x8c0 [ 73.895298][ T5097] ? generic_permission+0x1df/0x550 [ 73.900480][ T5097] ? gfs2_dir_search+0x2f0/0x2f0 [ 73.905400][ T5097] ? gfs2_permission+0x34a/0x3c0 [ 73.910322][ T5097] gfs2_dir_search+0xb2/0x2f0 [ 73.914996][ T5097] ? do_filldir_main+0x520/0x520 [ 73.919918][ T5097] ? inode_go_held+0xea/0x200 [ 73.924597][ T5097] ? gfs2_glock_wait+0x21a/0x2b0 [ 73.929518][ T5097] gfs2_lookupi+0x460/0x5d0 [ 73.934008][ T5097] ? gfs2_lookup_simple+0x180/0x180 [ 73.939287][ T5097] ? __gfs2_lookup+0xa4/0x270 [ 73.943956][ T5097] __gfs2_lookup+0xa4/0x270 [ 73.948447][ T5097] ? gfs2_atomic_open+0x230/0x230 [ 73.953466][ T5097] ? __d_lookup+0x675/0x730 [ 73.957952][ T5097] ? d_hash_and_lookup+0x1b0/0x1b0 [ 73.963060][ T5097] gfs2_atomic_open+0x9e/0x230 [ 73.967821][ T5097] path_openat+0x1044/0x3180 [ 73.972398][ T5097] ? gfs2_rename2+0x25a0/0x25a0 [ 73.977330][ T5097] ? do_filp_open+0x490/0x490 [ 73.982088][ T5097] do_filp_open+0x234/0x490 [ 73.986576][ T5097] ? vfs_tmpfile+0x4b0/0x4b0 [ 73.991160][ T5097] ? _raw_spin_unlock+0x28/0x40 [ 73.995998][ T5097] ? alloc_fd+0x59c/0x640 [ 74.000404][ T5097] do_sys_openat2+0x13e/0x1d0 [ 74.005071][ T5097] ? do_sys_open+0x230/0x230 [ 74.009645][ T5097] ? lockdep_hardirqs_on+0x98/0x140 [ 74.014831][ T5097] ? _raw_spin_unlock_irq+0x2e/0x50 [ 74.020026][ T5097] ? ptrace_notify+0x278/0x380 [ 74.024774][ T5097] __x64_sys_open+0x225/0x270 [ 74.029438][ T5097] ? do_sys_openat2+0x1d0/0x1d0 [ 74.034277][ T5097] ? syscall_enter_from_user_mode+0x32/0x230 [ 74.040244][ T5097] ? syscall_enter_from_user_mode+0x8c/0x230 [ 74.046240][ T5097] do_syscall_64+0x41/0xc0 [ 74.050658][ T5097] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 74.056547][ T5097] RIP: 0033:0x7f012f71fa59 [ 74.060953][ T5097] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 74.080545][ T5097] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 74.088946][ T5097] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 74.097077][ T5097] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5099] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5097] <... open resumed>) = -1 EIO (Input/output error) [pid 5097] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5096] exit_group(0 [pid 5099] <... futex resumed>) = ? [pid 5096] <... exit_group resumed>) = ? [pid 5099] +++ exited with 0 +++ [pid 5097] <... futex resumed>) = ? [pid 5097] +++ exited with 0 +++ [pid 5096] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5096, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./19", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./19/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./19/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./19/binderfs") = 0 [ 74.105041][ T5097] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 74.114213][ T5097] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 74.122266][ T5097] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 74.130236][ T5097] umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./19/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./19/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./19") = 0 mkdir("./20", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5100 ./strace-static-x86_64: Process 5100 attached [pid 5100] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5100] chdir("./20") = 0 [pid 5100] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5100] setpgid(0, 0) = 0 [pid 5100] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5100] write(3, "1000", 4) = 4 [pid 5100] close(3) = 0 [pid 5100] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5100] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5100] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5100] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5100] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5100] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5100] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5100] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5101]}, 88) = 5101 [pid 5100] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5100] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5101 attached [pid 5100] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5101] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5101] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5101] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5101] memfd_create("syzkaller", 0) = 3 [pid 5101] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5101] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5101] munmap(0x7f01272bc000, 16777216) = 0 [pid 5101] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5101] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5101] close(3) = 0 [pid 5101] mkdir("./file0", 0777) = 0 [ 74.435353][ T5101] loop0: detected capacity change from 0 to 32768 [ 74.447386][ T5101] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 74.456314][ T5101] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 74.466034][ T5101] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 74.474813][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 74.481894][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5101] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5101] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5101] chdir("./file0") = 0 [pid 5101] ioctl(4, LOOP_CLR_FD) = 0 [pid 5101] close(4) = 0 [pid 5101] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5100] <... futex resumed>) = 0 [pid 5100] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5100] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5101] <... futex resumed>) = 1 [ 74.521421][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 74.530058][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 74.535776][ T5101] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 74.553819][ T5101] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 74.562941][ T5101] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5101] open("./file0", O_RDWR [pid 5100] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5100] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5100] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5100] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5100] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5100] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0}./strace-static-x86_64: Process 5103 attached => {parent_tid=[5103]}, 88) = 5103 [pid 5100] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5100] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5100] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5103] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5103] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5103] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 74.562941][ T5101] inode = 12 2341 [ 74.562941][ T5101] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 74.581878][ T5101] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 74.591145][ T5101] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5101 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 74.605158][ T5101] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 74.612396][ T5103] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5103] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5100] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5100] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5100] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [ 74.613652][ T5101] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 74.622728][ T5103] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 74.629151][ T5101] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 74.629164][ T5101] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 74.631094][ T5101] gfs2: fsid=syz:syz.0: File system withdrawn [ 74.639131][ T5103] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5101 [syz-executor198] __gfs2_lookup+0xa4/0x270 [pid 5100] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5100] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5100] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5104]}, 88) = 5104 [pid 5100] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5100] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5100] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5104 attached [pid 5104] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5104] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5104] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5104] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5104] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5100] <... futex resumed>) = 0 [pid 5104] <... futex resumed>) = 1 [ 74.647166][ T5101] CPU: 0 PID: 5101 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 74.647186][ T5101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 74.654398][ T5103] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5103 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 74.659647][ T5101] Call Trace: [ 74.659656][ T5101] [ 74.659664][ T5101] dump_stack_lvl+0x1e7/0x2d0 [ 74.659686][ T5101] ? nf_tcp_handle_invalid+0x650/0x650 [ 74.659704][ T5101] ? panic+0x770/0x770 [ 74.659735][ T5101] gfs2_withdraw+0xc94/0x11e0 [ 74.659763][ T5101] gfs2_dirent_scan+0x512/0x640 [ 74.678011][ T5103] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 74.680119][ T5101] ? gfs2_permission+0x268/0x3c0 [ 74.680145][ T5101] ? gfs2_dirent_search+0x8c0/0x8c0 [ 74.680170][ T5101] gfs2_dirent_search+0x30e/0x8c0 [ 74.680192][ T5101] ? gfs2_dirent_search+0x8c0/0x8c0 [ 74.680212][ T5101] ? generic_permission+0x1df/0x550 [ 74.764261][ T5101] ? gfs2_dir_search+0x2f0/0x2f0 [ 74.769288][ T5101] ? gfs2_permission+0x34a/0x3c0 [ 74.774226][ T5101] gfs2_dir_search+0xb2/0x2f0 [ 74.778924][ T5101] ? do_filldir_main+0x520/0x520 [ 74.783855][ T5101] ? inode_go_held+0xea/0x200 [ 74.788531][ T5101] ? gfs2_glock_wait+0x21a/0x2b0 [ 74.793462][ T5101] gfs2_lookupi+0x460/0x5d0 [ 74.797962][ T5101] ? gfs2_lookup_simple+0x180/0x180 [ 74.803155][ T5101] ? __gfs2_lookup+0xa4/0x270 [ 74.807843][ T5101] __gfs2_lookup+0xa4/0x270 [ 74.812343][ T5101] ? gfs2_atomic_open+0x230/0x230 [ 74.817541][ T5101] ? __d_lookup+0x675/0x730 [ 74.822035][ T5101] ? d_hash_and_lookup+0x1b0/0x1b0 [ 74.827405][ T5101] gfs2_atomic_open+0x9e/0x230 [ 74.832250][ T5101] path_openat+0x1044/0x3180 [ 74.836842][ T5101] ? gfs2_rename2+0x25a0/0x25a0 [ 74.841783][ T5101] ? do_filp_open+0x490/0x490 [ 74.846475][ T5101] do_filp_open+0x234/0x490 [ 74.850978][ T5101] ? vfs_tmpfile+0x4b0/0x4b0 [ 74.855572][ T5101] ? _raw_spin_unlock+0x28/0x40 [ 74.860418][ T5101] ? alloc_fd+0x59c/0x640 [ 74.864751][ T5101] do_sys_openat2+0x13e/0x1d0 [ 74.869425][ T5101] ? do_sys_open+0x230/0x230 [ 74.874018][ T5101] ? lockdep_hardirqs_on+0x98/0x140 [ 74.879210][ T5101] ? _raw_spin_unlock_irq+0x2e/0x50 [ 74.884404][ T5101] ? ptrace_notify+0x278/0x380 [ 74.889162][ T5101] __x64_sys_open+0x225/0x270 [ 74.893835][ T5101] ? do_sys_openat2+0x1d0/0x1d0 [ 74.898682][ T5101] ? syscall_enter_from_user_mode+0x32/0x230 [ 74.904662][ T5101] ? syscall_enter_from_user_mode+0x8c/0x230 [ 74.910639][ T5101] do_syscall_64+0x41/0xc0 [ 74.915050][ T5101] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 74.920941][ T5101] RIP: 0033:0x7f012f71fa59 [ 74.925359][ T5101] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 74.944977][ T5101] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 74.953392][ T5101] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 74.961355][ T5101] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5104] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5101] <... open resumed>) = -1 EIO (Input/output error) [pid 5101] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5101] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5103] <... openat resumed>) = -1 EIO (Input/output error) [pid 5103] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5103] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5100] exit_group(0 [pid 5101] <... futex resumed>) = ? [pid 5100] <... exit_group resumed>) = ? [pid 5101] +++ exited with 0 +++ [pid 5103] <... futex resumed>) = ? [pid 5103] +++ exited with 0 +++ [pid 5104] <... futex resumed>) = ? [pid 5104] +++ exited with 0 +++ [pid 5100] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5100, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=40 /* 0.40 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./20", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./20/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./20/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./20/binderfs") = 0 [ 74.969327][ T5101] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 74.977292][ T5101] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 74.985255][ T5101] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 74.993236][ T5101] umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./20/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./20/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./20") = 0 mkdir("./21", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5105 ./strace-static-x86_64: Process 5105 attached [pid 5105] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5105] chdir("./21") = 0 [pid 5105] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5105] setpgid(0, 0) = 0 [pid 5105] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5105] write(3, "1000", 4) = 4 [pid 5105] close(3) = 0 [pid 5105] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5105] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5105] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5105] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5105] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5105] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5105] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5105] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5106]}, 88) = 5106 [pid 5105] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5105] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5105] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5106 attached [pid 5106] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5106] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5106] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5106] memfd_create("syzkaller", 0) = 3 [pid 5106] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5106] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5106] munmap(0x7f01272bc000, 16777216) = 0 [pid 5106] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5106] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5106] close(3) = 0 [pid 5106] mkdir("./file0", 0777) = 0 [ 75.301678][ T5106] loop0: detected capacity change from 0 to 32768 [ 75.314318][ T5106] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 75.322999][ T5106] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 75.332993][ T5106] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 75.342020][ T1133] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 75.348880][ T1133] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5106] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5106] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5106] chdir("./file0") = 0 [pid 5106] ioctl(4, LOOP_CLR_FD) = 0 [pid 5106] close(4) = 0 [pid 5106] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5106] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5105] <... futex resumed>) = 0 [pid 5105] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5105] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5106] <... futex resumed>) = 0 [ 75.382062][ T1133] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 75.391176][ T1133] gfs2: fsid=syz:syz.0: jid=0: Done [ 75.396748][ T5106] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 75.412011][ T5106] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 75.423298][ T5106] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5106] open("./file0", O_RDWR [pid 5105] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5105] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5105] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5105] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5105] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5105] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5108]}, 88) = 5108 [pid 5105] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5105] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5105] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5108 attached [pid 5108] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5108] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5108] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5108] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5108] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5105] <... futex resumed>) = 0 [pid 5105] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5105] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5108] <... futex resumed>) = 1 [pid 5108] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5108] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5105] <... futex resumed>) = 0 [pid 5108] <... futex resumed>) = 1 [ 75.423298][ T5106] inode = 12 2341 [ 75.423298][ T5106] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 75.442403][ T5106] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 75.452161][ T5106] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5106 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 75.462613][ T5106] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 75.471931][ T5106] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 75.479159][ T5106] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 75.488159][ T5106] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 75.495012][ T5106] gfs2: fsid=syz:syz.0: File system withdrawn [ 75.501598][ T5106] CPU: 1 PID: 5106 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 75.512004][ T5106] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 75.522051][ T5106] Call Trace: [ 75.525333][ T5106] [ 75.528253][ T5106] dump_stack_lvl+0x1e7/0x2d0 [ 75.532928][ T5106] ? nf_tcp_handle_invalid+0x650/0x650 [ 75.538373][ T5106] ? panic+0x770/0x770 [ 75.542435][ T5106] gfs2_withdraw+0xc94/0x11e0 [ 75.547102][ T5106] gfs2_dirent_scan+0x512/0x640 [ 75.551939][ T5106] ? gfs2_permission+0x268/0x3c0 [ 75.556865][ T5106] ? gfs2_dirent_search+0x8c0/0x8c0 [ 75.562062][ T5106] gfs2_dirent_search+0x30e/0x8c0 [ 75.567078][ T5106] ? gfs2_dirent_search+0x8c0/0x8c0 [ 75.572271][ T5106] ? generic_permission+0x1df/0x550 [ 75.577455][ T5106] ? gfs2_dir_search+0x2f0/0x2f0 [ 75.582379][ T5106] ? gfs2_permission+0x34a/0x3c0 [ 75.587322][ T5106] gfs2_dir_search+0xb2/0x2f0 [ 75.592009][ T5106] ? do_filldir_main+0x520/0x520 [ 75.596944][ T5106] ? inode_go_held+0xea/0x200 [ 75.601614][ T5106] ? gfs2_glock_wait+0x21a/0x2b0 [ 75.606561][ T5106] gfs2_lookupi+0x460/0x5d0 [ 75.611076][ T5106] ? gfs2_lookup_simple+0x180/0x180 [ 75.616279][ T5106] ? __gfs2_lookup+0xa4/0x270 [ 75.620964][ T5106] __gfs2_lookup+0xa4/0x270 [ 75.625465][ T5106] ? gfs2_atomic_open+0x230/0x230 [ 75.630490][ T5106] ? __d_lookup+0x675/0x730 [ 75.634998][ T5106] ? d_hash_and_lookup+0x1b0/0x1b0 [ 75.640104][ T5106] gfs2_atomic_open+0x9e/0x230 [ 75.644866][ T5106] path_openat+0x1044/0x3180 [ 75.649457][ T5106] ? gfs2_rename2+0x25a0/0x25a0 [ 75.654315][ T5106] ? do_filp_open+0x490/0x490 [ 75.659003][ T5106] do_filp_open+0x234/0x490 [ 75.663501][ T5106] ? vfs_tmpfile+0x4b0/0x4b0 [ 75.668104][ T5106] ? _raw_spin_unlock+0x28/0x40 [ 75.672955][ T5106] ? alloc_fd+0x59c/0x640 [ 75.677288][ T5106] do_sys_openat2+0x13e/0x1d0 [ 75.681970][ T5106] ? do_sys_open+0x230/0x230 [ 75.686567][ T5106] ? lockdep_hardirqs_on+0x98/0x140 [ 75.691787][ T5106] ? _raw_spin_unlock_irq+0x2e/0x50 [ 75.697036][ T5106] ? ptrace_notify+0x278/0x380 [ 75.701808][ T5106] __x64_sys_open+0x225/0x270 [ 75.706509][ T5106] ? do_sys_openat2+0x1d0/0x1d0 [ 75.711385][ T5106] ? syscall_enter_from_user_mode+0x32/0x230 [ 75.717382][ T5106] ? syscall_enter_from_user_mode+0x8c/0x230 [ 75.723375][ T5106] do_syscall_64+0x41/0xc0 [ 75.727799][ T5106] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 75.733726][ T5106] RIP: 0033:0x7f012f71fa59 [ 75.738137][ T5106] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 75.757832][ T5106] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 75.766241][ T5106] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 75.774216][ T5106] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5108] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5106] <... open resumed>) = -1 EIO (Input/output error) [pid 5106] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5105] exit_group(0 [pid 5108] <... futex resumed>) = ? [pid 5105] <... exit_group resumed>) = ? [pid 5108] +++ exited with 0 +++ [pid 5106] <... futex resumed>) = ? [pid 5106] +++ exited with 0 +++ [pid 5105] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5105, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=29 /* 0.29 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./21", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./21/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./21/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./21/binderfs") = 0 [ 75.782183][ T5106] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 75.790144][ T5106] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 75.798109][ T5106] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 75.806083][ T5106] umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./21/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./21/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./21") = 0 mkdir("./22", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5109 ./strace-static-x86_64: Process 5109 attached [pid 5109] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5109] chdir("./22") = 0 [pid 5109] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5109] setpgid(0, 0) = 0 [pid 5109] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5109] write(3, "1000", 4) = 4 [pid 5109] close(3) = 0 [pid 5109] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5109] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5109] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5109] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5109] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5109] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5109] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5109] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5110]}, 88) = 5110 [pid 5109] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5109] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5109] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5110 attached [pid 5110] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5110] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5110] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5110] memfd_create("syzkaller", 0) = 3 [pid 5110] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5110] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5110] munmap(0x7f01272bc000, 16777216) = 0 [pid 5110] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5110] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5110] close(3) = 0 [pid 5110] mkdir("./file0", 0777) = 0 [ 76.107617][ T5110] loop0: detected capacity change from 0 to 32768 [ 76.118172][ T5110] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 76.126882][ T5110] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 76.136386][ T5110] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 76.145203][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 76.152082][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5110] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5110] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5110] chdir("./file0") = 0 [pid 5110] ioctl(4, LOOP_CLR_FD) = 0 [pid 5110] close(4) = 0 [pid 5110] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5110] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5109] <... futex resumed>) = 0 [pid 5109] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5109] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5110] <... futex resumed>) = 0 [ 76.186026][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 76.194559][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 76.199900][ T5110] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 76.216245][ T5110] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 76.225109][ T5110] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 76.225109][ T5110] inode = 12 2341 [pid 5110] open("./file0", O_RDWR [pid 5109] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5109] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5109] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5109] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5109] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5109] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5112]}, 88) = 5112 [pid 5109] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5109] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5109] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5112 attached [pid 5112] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5112] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5112] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5112] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5112] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5109] <... futex resumed>) = 0 [pid 5109] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5109] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5112] <... futex resumed>) = 1 [pid 5112] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5112] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5109] <... futex resumed>) = 0 [pid 5112] <... futex resumed>) = 1 [ 76.225109][ T5110] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 76.244244][ T5110] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 76.253708][ T5110] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5110 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 76.264143][ T5110] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 76.273480][ T5110] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 76.280877][ T5110] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 76.289873][ T5110] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 76.297881][ T5110] gfs2: fsid=syz:syz.0: File system withdrawn [ 76.304347][ T5110] CPU: 1 PID: 5110 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 76.314752][ T5110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 76.324796][ T5110] Call Trace: [ 76.328063][ T5110] [ 76.330995][ T5110] dump_stack_lvl+0x1e7/0x2d0 [ 76.335705][ T5110] ? nf_tcp_handle_invalid+0x650/0x650 [ 76.341164][ T5110] ? panic+0x770/0x770 [ 76.345227][ T5110] gfs2_withdraw+0xc94/0x11e0 [ 76.349900][ T5110] gfs2_dirent_scan+0x512/0x640 [ 76.354738][ T5110] ? gfs2_permission+0x268/0x3c0 [ 76.359737][ T5110] ? gfs2_dirent_search+0x8c0/0x8c0 [ 76.364951][ T5110] gfs2_dirent_search+0x30e/0x8c0 [ 76.369976][ T5110] ? gfs2_dirent_search+0x8c0/0x8c0 [ 76.375162][ T5110] ? generic_permission+0x1df/0x550 [ 76.380359][ T5110] ? gfs2_dir_search+0x2f0/0x2f0 [ 76.385306][ T5110] ? gfs2_permission+0x34a/0x3c0 [ 76.390250][ T5110] gfs2_dir_search+0xb2/0x2f0 [ 76.394961][ T5110] ? do_filldir_main+0x520/0x520 [ 76.399904][ T5110] ? inode_go_held+0xea/0x200 [ 76.404597][ T5110] ? gfs2_glock_wait+0x21a/0x2b0 [ 76.409537][ T5110] gfs2_lookupi+0x460/0x5d0 [ 76.414067][ T5110] ? gfs2_lookup_simple+0x180/0x180 [ 76.419279][ T5110] ? __gfs2_lookup+0xa4/0x270 [ 76.423965][ T5110] __gfs2_lookup+0xa4/0x270 [ 76.428472][ T5110] ? gfs2_atomic_open+0x230/0x230 [ 76.433503][ T5110] ? __d_lookup+0x675/0x730 [ 76.437999][ T5110] ? d_hash_and_lookup+0x1b0/0x1b0 [ 76.443104][ T5110] gfs2_atomic_open+0x9e/0x230 [ 76.447910][ T5110] path_openat+0x1044/0x3180 [ 76.452503][ T5110] ? gfs2_rename2+0x25a0/0x25a0 [ 76.457358][ T5110] ? do_filp_open+0x490/0x490 [ 76.462066][ T5110] do_filp_open+0x234/0x490 [ 76.466577][ T5110] ? vfs_tmpfile+0x4b0/0x4b0 [ 76.471187][ T5110] ? _raw_spin_unlock+0x28/0x40 [ 76.476059][ T5110] ? alloc_fd+0x59c/0x640 [ 76.480490][ T5110] do_sys_openat2+0x13e/0x1d0 [ 76.485198][ T5110] ? do_sys_open+0x230/0x230 [ 76.489804][ T5110] ? lockdep_hardirqs_on+0x98/0x140 [ 76.495015][ T5110] ? _raw_spin_unlock_irq+0x2e/0x50 [ 76.500220][ T5110] ? ptrace_notify+0x278/0x380 [ 76.504980][ T5110] __x64_sys_open+0x225/0x270 [ 76.509666][ T5110] ? do_sys_openat2+0x1d0/0x1d0 [ 76.514520][ T5110] ? syscall_enter_from_user_mode+0x32/0x230 [ 76.520515][ T5110] ? syscall_enter_from_user_mode+0x8c/0x230 [ 76.526506][ T5110] do_syscall_64+0x41/0xc0 [ 76.530931][ T5110] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 76.536858][ T5110] RIP: 0033:0x7f012f71fa59 [ 76.541452][ T5110] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 76.561157][ T5110] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 76.569658][ T5110] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 76.577620][ T5110] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5112] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5110] <... open resumed>) = -1 EIO (Input/output error) [pid 5110] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5110] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5109] exit_group(0 [pid 5112] <... futex resumed>) = ? [pid 5109] <... exit_group resumed>) = ? [pid 5112] +++ exited with 0 +++ [pid 5110] <... futex resumed>) = ? [pid 5110] +++ exited with 0 +++ [pid 5109] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5109, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- umount2("./22", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./22/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./22/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./22/binderfs") = 0 [ 76.585583][ T5110] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 76.593546][ T5110] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 76.601505][ T5110] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 76.609494][ T5110] umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 76.651389][ T7] cfg80211: failed to load regulatory.db newfstatat(AT_FDCWD, "./22/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./22/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./22") = 0 mkdir("./23", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5114 ./strace-static-x86_64: Process 5114 attached [pid 5114] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5114] chdir("./23") = 0 [pid 5114] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5114] setpgid(0, 0) = 0 [pid 5114] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5114] write(3, "1000", 4) = 4 [pid 5114] close(3) = 0 [pid 5114] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5114] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5114] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5114] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5114] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5114] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5114] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5115]}, 88) = 5115 [pid 5114] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5114] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5115 attached [pid 5115] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5115] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5115] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5115] memfd_create("syzkaller", 0) = 3 [pid 5115] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5115] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5115] munmap(0x7f01272bc000, 16777216) = 0 [pid 5115] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5115] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5115] close(3) = 0 [pid 5115] mkdir("./file0", 0777) = 0 [ 76.925323][ T5115] loop0: detected capacity change from 0 to 32768 [ 76.936307][ T5115] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 76.944938][ T5115] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 76.955633][ T5115] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 76.964181][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 76.971286][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5115] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5115] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5115] chdir("./file0") = 0 [pid 5115] ioctl(4, LOOP_CLR_FD) = 0 [pid 5115] close(4) = 0 [pid 5115] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5114] <... futex resumed>) = 0 [pid 5114] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5115] <... futex resumed>) = 1 [ 77.011742][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 77.019435][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 77.024688][ T5115] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 77.040196][ T5115] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 77.048578][ T5115] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 77.048578][ T5115] inode = 12 2341 [pid 5115] open("./file0", O_RDWR [pid 5114] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5114] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5114] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5114] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5114] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5114] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5117]}, 88) = 5117 [pid 5114] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5114] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5117 attached [pid 5117] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5117] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5117] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5117] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5117] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5114] <... futex resumed>) = 0 [pid 5117] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5114] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5117] <... futex resumed>) = 0 [pid 5114] <... futex resumed>) = 1 [pid 5117] write(-1, NULL, 0 [pid 5114] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5117] <... write resumed>) = -1 EBADF (Bad file descriptor) [pid 5117] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5114] <... futex resumed>) = 0 [ 77.048578][ T5115] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 77.068226][ T5115] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 77.077814][ T5115] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5115 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 77.087940][ T5115] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 77.097464][ T5115] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 77.104781][ T5115] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 77.113612][ T5115] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 77.120843][ T5115] gfs2: fsid=syz:syz.0: File system withdrawn [ 77.127255][ T5115] CPU: 1 PID: 5115 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 77.137662][ T5115] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 77.147705][ T5115] Call Trace: [ 77.150978][ T5115] [ 77.153897][ T5115] dump_stack_lvl+0x1e7/0x2d0 [ 77.158674][ T5115] ? nf_tcp_handle_invalid+0x650/0x650 [ 77.164119][ T5115] ? panic+0x770/0x770 [ 77.168183][ T5115] gfs2_withdraw+0xc94/0x11e0 [ 77.172898][ T5115] gfs2_dirent_scan+0x512/0x640 [ 77.177737][ T5115] ? gfs2_permission+0x268/0x3c0 [ 77.182667][ T5115] ? gfs2_dirent_search+0x8c0/0x8c0 [ 77.187854][ T5115] gfs2_dirent_search+0x30e/0x8c0 [ 77.192895][ T5115] ? gfs2_dirent_search+0x8c0/0x8c0 [ 77.198080][ T5115] ? generic_permission+0x1df/0x550 [ 77.203266][ T5115] ? gfs2_dir_search+0x2f0/0x2f0 [ 77.208191][ T5115] ? gfs2_permission+0x34a/0x3c0 [ 77.213115][ T5115] gfs2_dir_search+0xb2/0x2f0 [ 77.217780][ T5115] ? do_filldir_main+0x520/0x520 [ 77.222794][ T5115] ? inode_go_held+0xea/0x200 [ 77.227550][ T5115] ? gfs2_glock_wait+0x21a/0x2b0 [ 77.232478][ T5115] gfs2_lookupi+0x460/0x5d0 [ 77.236977][ T5115] ? gfs2_lookup_simple+0x180/0x180 [ 77.242296][ T5115] ? __gfs2_lookup+0xa4/0x270 [ 77.246967][ T5115] __gfs2_lookup+0xa4/0x270 [ 77.251461][ T5115] ? gfs2_atomic_open+0x230/0x230 [ 77.256474][ T5115] ? __d_lookup+0x675/0x730 [ 77.260962][ T5115] ? d_hash_and_lookup+0x1b0/0x1b0 [ 77.266060][ T5115] gfs2_atomic_open+0x9e/0x230 [ 77.270815][ T5115] path_openat+0x1044/0x3180 [ 77.275395][ T5115] ? gfs2_rename2+0x25a0/0x25a0 [ 77.280241][ T5115] ? do_filp_open+0x490/0x490 [ 77.284914][ T5115] do_filp_open+0x234/0x490 [ 77.289406][ T5115] ? vfs_tmpfile+0x4b0/0x4b0 [ 77.293993][ T5115] ? _raw_spin_unlock+0x28/0x40 [ 77.298842][ T5115] ? alloc_fd+0x59c/0x640 [ 77.303165][ T5115] do_sys_openat2+0x13e/0x1d0 [ 77.307837][ T5115] ? do_sys_open+0x230/0x230 [ 77.312416][ T5115] ? lockdep_hardirqs_on+0x98/0x140 [ 77.317608][ T5115] ? _raw_spin_unlock_irq+0x2e/0x50 [ 77.322796][ T5115] ? ptrace_notify+0x278/0x380 [ 77.327547][ T5115] __x64_sys_open+0x225/0x270 [ 77.332213][ T5115] ? do_sys_openat2+0x1d0/0x1d0 [ 77.337055][ T5115] ? syscall_enter_from_user_mode+0x32/0x230 [ 77.343034][ T5115] ? syscall_enter_from_user_mode+0x8c/0x230 [ 77.349004][ T5115] do_syscall_64+0x41/0xc0 [ 77.353412][ T5115] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 77.359299][ T5115] RIP: 0033:0x7f012f71fa59 [ 77.363703][ T5115] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 77.383385][ T5115] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 77.391829][ T5115] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 77.399787][ T5115] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5117] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5115] <... open resumed>) = -1 EIO (Input/output error) [pid 5115] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5115] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5114] exit_group(0 [pid 5117] <... futex resumed>) = ? [pid 5114] <... exit_group resumed>) = ? [pid 5117] +++ exited with 0 +++ [pid 5115] <... futex resumed>) = ? [pid 5115] +++ exited with 0 +++ [pid 5114] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5114, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./23", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./23/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./23/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./23/binderfs") = 0 [ 77.407750][ T5115] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 77.415712][ T5115] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 77.423709][ T5115] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 77.431768][ T5115] umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./23/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./23/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./23") = 0 mkdir("./24", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5118 ./strace-static-x86_64: Process 5118 attached [pid 5118] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5118] chdir("./24") = 0 [pid 5118] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5118] setpgid(0, 0) = 0 [pid 5118] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5118] write(3, "1000", 4) = 4 [pid 5118] close(3) = 0 [pid 5118] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5118] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5118] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5118] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5118] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5118] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5118] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5118] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5119]}, 88) = 5119 [pid 5118] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5118] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5118] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5119 attached [pid 5119] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5119] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5119] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5119] memfd_create("syzkaller", 0) = 3 [pid 5119] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5119] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5119] munmap(0x7f01272bc000, 16777216) = 0 [pid 5119] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5119] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5119] close(3) = 0 [pid 5119] mkdir("./file0", 0777) = 0 [ 77.735066][ T5119] loop0: detected capacity change from 0 to 32768 [ 77.744916][ T5119] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 77.753226][ T5119] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 77.762110][ T5119] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 77.770674][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 77.777458][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5119] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5119] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5119] chdir("./file0") = 0 [pid 5119] ioctl(4, LOOP_CLR_FD) = 0 [pid 5119] close(4) = 0 [pid 5119] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5118] <... futex resumed>) = 0 [pid 5118] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5119] <... futex resumed>) = 1 [pid 5118] <... futex resumed>) = 0 [pid 5119] open("./file0", O_RDWR [ 77.811594][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 77.819095][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 77.824584][ T5119] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 77.837396][ T5119] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 77.845957][ T5119] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 77.845957][ T5119] inode = 12 2341 [pid 5118] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5118] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 77.845957][ T5119] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 77.864819][ T5119] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 77.874091][ T5119] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5119 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 77.884812][ T5119] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 77.893375][ T5119] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 77.900937][ T5119] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5118] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5118] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5118] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5118] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5121]}, 88) = 5121 [pid 5118] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 ./strace-static-x86_64: Process 5121 attached [pid 5118] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5118] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5121] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5121] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5121] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5121] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5121] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5118] <... futex resumed>) = 0 [pid 5118] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5118] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5121] <... futex resumed>) = 1 [pid 5121] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5121] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5118] <... futex resumed>) = 0 [pid 5121] <... futex resumed>) = 1 [ 77.910110][ T5119] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 77.917456][ T5119] gfs2: fsid=syz:syz.0: File system withdrawn [ 77.924298][ T5119] CPU: 1 PID: 5119 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 77.934747][ T5119] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 77.944819][ T5119] Call Trace: [ 77.948099][ T5119] [ 77.951037][ T5119] dump_stack_lvl+0x1e7/0x2d0 [ 77.955747][ T5119] ? nf_tcp_handle_invalid+0x650/0x650 [ 77.961220][ T5119] ? panic+0x770/0x770 [ 77.965297][ T5119] gfs2_withdraw+0xc94/0x11e0 [ 77.969995][ T5119] gfs2_dirent_scan+0x512/0x640 [ 77.974864][ T5119] ? gfs2_permission+0x268/0x3c0 [ 77.979821][ T5119] ? gfs2_dirent_search+0x8c0/0x8c0 [ 77.985045][ T5119] gfs2_dirent_search+0x30e/0x8c0 [ 77.990066][ T5119] ? gfs2_dirent_search+0x8c0/0x8c0 [ 77.995268][ T5119] ? generic_permission+0x1df/0x550 [ 78.000489][ T5119] ? gfs2_dir_search+0x2f0/0x2f0 [ 78.005426][ T5119] ? gfs2_permission+0x34a/0x3c0 [ 78.010373][ T5119] gfs2_dir_search+0xb2/0x2f0 [ 78.015064][ T5119] ? do_filldir_main+0x520/0x520 [ 78.020011][ T5119] ? inode_go_held+0xea/0x200 [ 78.024790][ T5119] ? gfs2_glock_wait+0x21a/0x2b0 [ 78.029734][ T5119] gfs2_lookupi+0x460/0x5d0 [ 78.034242][ T5119] ? gfs2_lookup_simple+0x180/0x180 [ 78.039439][ T5119] ? __gfs2_lookup+0xa4/0x270 [ 78.044120][ T5119] __gfs2_lookup+0xa4/0x270 [ 78.048620][ T5119] ? gfs2_atomic_open+0x230/0x230 [ 78.053640][ T5119] ? __d_lookup+0x675/0x730 [ 78.058136][ T5119] ? d_hash_and_lookup+0x1b0/0x1b0 [ 78.063243][ T5119] gfs2_atomic_open+0x9e/0x230 [ 78.068011][ T5119] path_openat+0x1044/0x3180 [ 78.072601][ T5119] ? gfs2_rename2+0x25a0/0x25a0 [ 78.077467][ T5119] ? do_filp_open+0x490/0x490 [ 78.082148][ T5119] do_filp_open+0x234/0x490 [ 78.086646][ T5119] ? vfs_tmpfile+0x4b0/0x4b0 [ 78.091245][ T5119] ? _raw_spin_unlock+0x28/0x40 [ 78.096094][ T5119] ? alloc_fd+0x59c/0x640 [ 78.100430][ T5119] do_sys_openat2+0x13e/0x1d0 [ 78.106148][ T5119] ? do_sys_open+0x230/0x230 [ 78.110739][ T5119] ? lockdep_hardirqs_on+0x98/0x140 [ 78.115934][ T5119] ? _raw_spin_unlock_irq+0x2e/0x50 [ 78.121138][ T5119] ? ptrace_notify+0x278/0x380 [ 78.125897][ T5119] __x64_sys_open+0x225/0x270 [ 78.130575][ T5119] ? do_sys_openat2+0x1d0/0x1d0 [ 78.135431][ T5119] ? syscall_enter_from_user_mode+0x32/0x230 [ 78.141411][ T5119] ? syscall_enter_from_user_mode+0x8c/0x230 [ 78.147410][ T5119] do_syscall_64+0x41/0xc0 [ 78.151823][ T5119] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 78.157740][ T5119] RIP: 0033:0x7f012f71fa59 [ 78.162154][ T5119] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 78.181753][ T5119] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 78.190163][ T5119] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 78.198128][ T5119] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5121] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5119] <... open resumed>) = -1 EIO (Input/output error) [pid 5119] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5119] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5118] exit_group(0 [pid 5121] <... futex resumed>) = ? [pid 5119] <... futex resumed>) = ? [pid 5118] <... exit_group resumed>) = ? [pid 5119] +++ exited with 0 +++ [pid 5121] +++ exited with 0 +++ [pid 5118] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5118, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=29 /* 0.29 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./24", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./24/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./24/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./24/binderfs") = 0 [ 78.206098][ T5119] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 78.214069][ T5119] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 78.222032][ T5119] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 78.230017][ T5119] umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./24/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./24/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./24") = 0 mkdir("./25", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5122 attached , child_tidptr=0x555556d1b690) = 5122 [pid 5122] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5122] chdir("./25") = 0 [pid 5122] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5122] setpgid(0, 0) = 0 [pid 5122] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5122] write(3, "1000", 4) = 4 [pid 5122] close(3) = 0 [pid 5122] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5122] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5122] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5122] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5122] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5122] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5122] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5122] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5123 attached [pid 5123] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5123] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5123] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5123] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5122] <... clone3 resumed> => {parent_tid=[5123]}, 88) = 5123 [pid 5122] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5122] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5123] <... futex resumed>) = 0 [pid 5122] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5123] memfd_create("syzkaller", 0) = 3 [pid 5123] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5123] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5123] munmap(0x7f01272bc000, 16777216) = 0 [pid 5123] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5123] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5123] close(3) = 0 [pid 5123] mkdir("./file0", 0777) = 0 [ 78.545127][ T5123] loop0: detected capacity change from 0 to 32768 [ 78.556202][ T5123] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 78.564513][ T5123] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 78.574107][ T5123] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 78.583057][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 78.589976][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5123] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5123] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5123] chdir("./file0") = 0 [pid 5123] ioctl(4, LOOP_CLR_FD) = 0 [pid 5123] close(4) = 0 [pid 5123] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5123] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5122] <... futex resumed>) = 0 [pid 5122] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5123] <... futex resumed>) = 0 [pid 5122] <... futex resumed>) = 1 [pid 5122] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 78.625630][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 78.634581][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 78.640005][ T5123] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 78.654882][ T5123] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 78.663690][ T5123] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 78.663690][ T5123] inode = 12 2341 [pid 5123] open("./file0", O_RDWR [pid 5122] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5122] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5122] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5122] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5122] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5122] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5125]}, 88) = 5125 [pid 5122] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5122] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5122] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5125 attached [pid 5125] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5125] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5125] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5125] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5125] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5122] <... futex resumed>) = 0 [pid 5122] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5122] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5125] <... futex resumed>) = 1 [pid 5125] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5125] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5122] <... futex resumed>) = 0 [pid 5125] <... futex resumed>) = 1 [ 78.663690][ T5123] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 78.682851][ T5123] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 78.692370][ T5123] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5123 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 78.702859][ T5123] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 78.711594][ T5123] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 78.719670][ T5123] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 78.728547][ T5123] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 78.735274][ T5123] gfs2: fsid=syz:syz.0: File system withdrawn [ 78.741407][ T5123] CPU: 0 PID: 5123 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 78.751830][ T5123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 78.761876][ T5123] Call Trace: [ 78.765161][ T5123] [ 78.768108][ T5123] dump_stack_lvl+0x1e7/0x2d0 [ 78.772792][ T5123] ? nf_tcp_handle_invalid+0x650/0x650 [ 78.778241][ T5123] ? panic+0x770/0x770 [ 78.782307][ T5123] gfs2_withdraw+0xc94/0x11e0 [ 78.786980][ T5123] gfs2_dirent_scan+0x512/0x640 [ 78.791835][ T5123] ? gfs2_permission+0x268/0x3c0 [ 78.796793][ T5123] ? gfs2_dirent_search+0x8c0/0x8c0 [ 78.802003][ T5123] gfs2_dirent_search+0x30e/0x8c0 [ 78.807026][ T5123] ? gfs2_dirent_search+0x8c0/0x8c0 [ 78.812303][ T5123] ? generic_permission+0x1df/0x550 [ 78.817522][ T5123] ? gfs2_dir_search+0x2f0/0x2f0 [ 78.822573][ T5123] ? gfs2_permission+0x34a/0x3c0 [ 78.827603][ T5123] gfs2_dir_search+0xb2/0x2f0 [ 78.832280][ T5123] ? do_filldir_main+0x520/0x520 [ 78.837300][ T5123] ? inode_go_held+0xea/0x200 [ 78.841969][ T5123] ? gfs2_glock_wait+0x21a/0x2b0 [ 78.846900][ T5123] gfs2_lookupi+0x460/0x5d0 [ 78.851400][ T5123] ? gfs2_lookup_simple+0x180/0x180 [ 78.856770][ T5123] ? __gfs2_lookup+0xa4/0x270 [ 78.861447][ T5123] __gfs2_lookup+0xa4/0x270 [ 78.865943][ T5123] ? gfs2_atomic_open+0x230/0x230 [ 78.870968][ T5123] ? __d_lookup+0x675/0x730 [ 78.875467][ T5123] ? d_hash_and_lookup+0x1b0/0x1b0 [ 78.880580][ T5123] gfs2_atomic_open+0x9e/0x230 [ 78.885342][ T5123] path_openat+0x1044/0x3180 [ 78.890018][ T5123] ? gfs2_rename2+0x25a0/0x25a0 [ 78.894897][ T5123] ? do_filp_open+0x490/0x490 [ 78.899579][ T5123] do_filp_open+0x234/0x490 [ 78.904096][ T5123] ? vfs_tmpfile+0x4b0/0x4b0 [ 78.908712][ T5123] ? _raw_spin_unlock+0x28/0x40 [ 78.913671][ T5123] ? alloc_fd+0x59c/0x640 [ 78.918015][ T5123] do_sys_openat2+0x13e/0x1d0 [ 78.922691][ T5123] ? do_sys_open+0x230/0x230 [ 78.927374][ T5123] ? lockdep_hardirqs_on+0x98/0x140 [ 78.932857][ T5123] ? _raw_spin_unlock_irq+0x2e/0x50 [ 78.938483][ T5123] ? ptrace_notify+0x278/0x380 [ 78.943242][ T5123] __x64_sys_open+0x225/0x270 [ 78.947933][ T5123] ? do_sys_openat2+0x1d0/0x1d0 [ 78.952783][ T5123] ? syscall_enter_from_user_mode+0x32/0x230 [ 78.958849][ T5123] ? syscall_enter_from_user_mode+0x8c/0x230 [ 78.964832][ T5123] do_syscall_64+0x41/0xc0 [ 78.969245][ T5123] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 78.975144][ T5123] RIP: 0033:0x7f012f71fa59 [ 78.979579][ T5123] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 78.999176][ T5123] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 79.007585][ T5123] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 79.015548][ T5123] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5125] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5123] <... open resumed>) = -1 EIO (Input/output error) [pid 5123] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5123] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5122] exit_group(0 [pid 5123] <... futex resumed>) = ? [pid 5122] <... exit_group resumed>) = ? [pid 5123] +++ exited with 0 +++ [pid 5125] <... futex resumed>) = ? [pid 5125] +++ exited with 0 +++ [pid 5122] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5122, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- umount2("./25", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./25/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./25/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./25/binderfs") = 0 [ 79.023510][ T5123] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 79.031559][ T5123] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 79.039521][ T5123] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 79.047507][ T5123] umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./25/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./25/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./25") = 0 mkdir("./26", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5126 ./strace-static-x86_64: Process 5126 attached [pid 5126] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5126] chdir("./26") = 0 [pid 5126] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5126] setpgid(0, 0) = 0 [pid 5126] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5126] write(3, "1000", 4) = 4 [pid 5126] close(3) = 0 [pid 5126] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5126] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5126] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5126] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5126] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5126] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5126] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5127 attached => {parent_tid=[5127]}, 88) = 5127 [pid 5126] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5126] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5127] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5127] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5127] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5127] memfd_create("syzkaller", 0) = 3 [pid 5127] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5127] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5127] munmap(0x7f01272bc000, 16777216) = 0 [pid 5127] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5127] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5127] close(3) = 0 [pid 5127] mkdir("./file0", 0777) = 0 [ 79.369795][ T5127] loop0: detected capacity change from 0 to 32768 [ 79.380825][ T5127] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 79.389038][ T5127] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 79.398789][ T5127] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 79.407895][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 79.414978][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5127] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5127] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5127] chdir("./file0") = 0 [pid 5127] ioctl(4, LOOP_CLR_FD) = 0 [pid 5127] close(4) = 0 [pid 5127] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5126] <... futex resumed>) = 0 [pid 5127] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5126] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5126] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5127] <... futex resumed>) = 0 [ 79.448266][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 79.457054][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 79.462617][ T5127] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 79.478155][ T5127] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 79.487111][ T5127] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 79.487111][ T5127] inode = 12 2341 [pid 5127] open("./file0", O_RDWR [pid 5126] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5126] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5126] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5126] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5126] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5129]}, 88) = 5129 [pid 5126] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5126] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5129 attached [pid 5129] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5129] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5129] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5129] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5129] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5126] <... futex resumed>) = 0 [pid 5126] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5129] <... futex resumed>) = 1 [pid 5129] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5129] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5126] <... futex resumed>) = 0 [pid 5129] <... futex resumed>) = 1 [ 79.487111][ T5127] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 79.506212][ T5127] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 79.515714][ T5127] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5127 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 79.526085][ T5127] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 79.534914][ T5127] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 79.542673][ T5127] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 79.551510][ T5127] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 79.558667][ T5127] gfs2: fsid=syz:syz.0: File system withdrawn [ 79.565178][ T5127] CPU: 1 PID: 5127 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 79.575588][ T5127] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 79.585731][ T5127] Call Trace: [ 79.589008][ T5127] [ 79.591928][ T5127] dump_stack_lvl+0x1e7/0x2d0 [ 79.596597][ T5127] ? nf_tcp_handle_invalid+0x650/0x650 [ 79.602043][ T5127] ? panic+0x770/0x770 [ 79.606103][ T5127] gfs2_withdraw+0xc94/0x11e0 [ 79.610771][ T5127] gfs2_dirent_scan+0x512/0x640 [ 79.615606][ T5127] ? gfs2_permission+0x268/0x3c0 [ 79.620531][ T5127] ? gfs2_dirent_search+0x8c0/0x8c0 [ 79.625732][ T5127] gfs2_dirent_search+0x30e/0x8c0 [ 79.630753][ T5127] ? gfs2_dirent_search+0x8c0/0x8c0 [ 79.635943][ T5127] ? generic_permission+0x1df/0x550 [ 79.641133][ T5127] ? gfs2_dir_search+0x2f0/0x2f0 [ 79.646067][ T5127] ? gfs2_permission+0x34a/0x3c0 [ 79.651191][ T5127] gfs2_dir_search+0xb2/0x2f0 [ 79.655884][ T5127] ? do_filldir_main+0x520/0x520 [ 79.660823][ T5127] ? inode_go_held+0xea/0x200 [ 79.665507][ T5127] ? gfs2_glock_wait+0x21a/0x2b0 [ 79.670445][ T5127] gfs2_lookupi+0x460/0x5d0 [ 79.674949][ T5127] ? gfs2_lookup_simple+0x180/0x180 [ 79.680228][ T5127] ? __gfs2_lookup+0xa4/0x270 [ 79.685077][ T5127] __gfs2_lookup+0xa4/0x270 [ 79.689574][ T5127] ? gfs2_atomic_open+0x230/0x230 [ 79.694592][ T5127] ? __d_lookup+0x675/0x730 [ 79.699092][ T5127] ? d_hash_and_lookup+0x1b0/0x1b0 [ 79.704199][ T5127] gfs2_atomic_open+0x9e/0x230 [ 79.708960][ T5127] path_openat+0x1044/0x3180 [ 79.713549][ T5127] ? gfs2_rename2+0x25a0/0x25a0 [ 79.718405][ T5127] ? do_filp_open+0x490/0x490 [ 79.723120][ T5127] do_filp_open+0x234/0x490 [ 79.727626][ T5127] ? vfs_tmpfile+0x4b0/0x4b0 [ 79.732223][ T5127] ? _raw_spin_unlock+0x28/0x40 [ 79.737065][ T5127] ? alloc_fd+0x59c/0x640 [ 79.741395][ T5127] do_sys_openat2+0x13e/0x1d0 [ 79.746067][ T5127] ? do_sys_open+0x230/0x230 [ 79.750654][ T5127] ? lockdep_hardirqs_on+0x98/0x140 [ 79.755847][ T5127] ? _raw_spin_unlock_irq+0x2e/0x50 [ 79.761034][ T5127] ? ptrace_notify+0x278/0x380 [ 79.765788][ T5127] __x64_sys_open+0x225/0x270 [ 79.770476][ T5127] ? do_sys_openat2+0x1d0/0x1d0 [ 79.775691][ T5127] ? syscall_enter_from_user_mode+0x32/0x230 [ 79.781678][ T5127] ? syscall_enter_from_user_mode+0x8c/0x230 [ 79.787657][ T5127] do_syscall_64+0x41/0xc0 [ 79.792070][ T5127] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 79.797962][ T5127] RIP: 0033:0x7f012f71fa59 [ 79.802377][ T5127] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 79.822145][ T5127] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 79.830561][ T5127] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 79.838523][ T5127] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5129] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5127] <... open resumed>) = -1 EIO (Input/output error) [pid 5127] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5126] exit_group(0 [pid 5129] <... futex resumed>) = ? [pid 5126] <... exit_group resumed>) = ? [pid 5129] +++ exited with 0 +++ [pid 5127] <... futex resumed>) = ? [pid 5127] +++ exited with 0 +++ [pid 5126] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5126, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=27 /* 0.27 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./26", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./26/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./26/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./26/binderfs") = 0 [ 79.846502][ T5127] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 79.854478][ T5127] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 79.862452][ T5127] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 79.870447][ T5127] umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./26/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./26/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./26") = 0 mkdir("./27", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5130 ./strace-static-x86_64: Process 5130 attached [pid 5130] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5130] chdir("./27") = 0 [pid 5130] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5130] setpgid(0, 0) = 0 [pid 5130] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5130] write(3, "1000", 4) = 4 [pid 5130] close(3) = 0 [pid 5130] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5130] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5130] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5130] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5130] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5130] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5130] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5131]}, 88) = 5131 ./strace-static-x86_64: Process 5131 attached [pid 5130] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5131] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5130] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5131] <... rseq resumed>) = 0 [pid 5131] set_robust_list(0x7f012f6dc9a0, 24 [pid 5130] <... futex resumed>) = 0 [pid 5131] <... set_robust_list resumed>) = 0 [pid 5130] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5131] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5131] memfd_create("syzkaller", 0) = 3 [pid 5131] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5131] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5131] munmap(0x7f01272bc000, 16777216) = 0 [pid 5131] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5131] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5131] close(3) = 0 [pid 5131] mkdir("./file0", 0777) = 0 [ 80.188535][ T5131] loop0: detected capacity change from 0 to 32768 [ 80.200440][ T5131] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 80.208886][ T5131] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 80.218972][ T5131] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 80.228252][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 80.235365][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5131] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5131] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5131] chdir("./file0") = 0 [pid 5131] ioctl(4, LOOP_CLR_FD) = 0 [pid 5131] close(4) = 0 [pid 5131] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5130] <... futex resumed>) = 0 [pid 5131] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5130] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5131] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5130] <... futex resumed>) = 0 [pid 5131] open("./file0", O_RDWR [ 80.269648][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 80.277185][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 80.282503][ T5131] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 80.300543][ T5131] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 80.309994][ T5131] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5130] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5130] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5130] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5130] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5130] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5133]}, 88) = 5133 [pid 5130] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5130] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5133 attached [pid 5133] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5133] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5133] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5133] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [ 80.309994][ T5131] inode = 12 2341 [ 80.309994][ T5131] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 80.329120][ T5131] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 80.338606][ T5131] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5131 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 80.349153][ T5131] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 80.357671][ T5131] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5133] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5130] <... futex resumed>) = 0 [pid 5130] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5133] <... futex resumed>) = 1 [pid 5133] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5133] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5130] <... futex resumed>) = 0 [pid 5133] <... futex resumed>) = 1 [ 80.365898][ T5131] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 80.375493][ T5131] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 80.383488][ T5131] gfs2: fsid=syz:syz.0: File system withdrawn [ 80.390158][ T5131] CPU: 0 PID: 5131 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 80.400750][ T5131] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 80.410820][ T5131] Call Trace: [ 80.414085][ T5131] [ 80.417051][ T5131] dump_stack_lvl+0x1e7/0x2d0 [ 80.421733][ T5131] ? nf_tcp_handle_invalid+0x650/0x650 [ 80.427197][ T5131] ? panic+0x770/0x770 [ 80.431273][ T5131] gfs2_withdraw+0xc94/0x11e0 [ 80.435967][ T5131] gfs2_dirent_scan+0x512/0x640 [ 80.440823][ T5131] ? gfs2_permission+0x268/0x3c0 [ 80.445780][ T5131] ? gfs2_dirent_search+0x8c0/0x8c0 [ 80.450995][ T5131] gfs2_dirent_search+0x30e/0x8c0 [ 80.456225][ T5131] ? gfs2_dirent_search+0x8c0/0x8c0 [ 80.461434][ T5131] ? generic_permission+0x1df/0x550 [ 80.466738][ T5131] ? gfs2_dir_search+0x2f0/0x2f0 [ 80.471688][ T5131] ? gfs2_permission+0x34a/0x3c0 [ 80.476634][ T5131] gfs2_dir_search+0xb2/0x2f0 [ 80.481331][ T5131] ? do_filldir_main+0x520/0x520 [ 80.486297][ T5131] ? inode_go_held+0xea/0x200 [ 80.491171][ T5131] ? gfs2_glock_wait+0x21a/0x2b0 [ 80.496118][ T5131] gfs2_lookupi+0x460/0x5d0 [ 80.500627][ T5131] ? gfs2_lookup_simple+0x180/0x180 [ 80.505828][ T5131] ? __gfs2_lookup+0xa4/0x270 [ 80.510592][ T5131] __gfs2_lookup+0xa4/0x270 [ 80.515089][ T5131] ? gfs2_atomic_open+0x230/0x230 [ 80.520198][ T5131] ? __d_lookup+0x675/0x730 [ 80.524696][ T5131] ? d_hash_and_lookup+0x1b0/0x1b0 [ 80.529803][ T5131] gfs2_atomic_open+0x9e/0x230 [ 80.534607][ T5131] path_openat+0x1044/0x3180 [ 80.539198][ T5131] ? gfs2_rename2+0x25a0/0x25a0 [ 80.544225][ T5131] ? do_filp_open+0x490/0x490 [ 80.548909][ T5131] do_filp_open+0x234/0x490 [ 80.553413][ T5131] ? vfs_tmpfile+0x4b0/0x4b0 [ 80.558010][ T5131] ? _raw_spin_unlock+0x28/0x40 [ 80.562855][ T5131] ? alloc_fd+0x59c/0x640 [ 80.567187][ T5131] do_sys_openat2+0x13e/0x1d0 [ 80.571861][ T5131] ? do_sys_open+0x230/0x230 [ 80.576448][ T5131] ? lockdep_hardirqs_on+0x98/0x140 [ 80.581644][ T5131] ? _raw_spin_unlock_irq+0x2e/0x50 [ 80.586842][ T5131] ? ptrace_notify+0x278/0x380 [ 80.591604][ T5131] __x64_sys_open+0x225/0x270 [ 80.596368][ T5131] ? do_sys_openat2+0x1d0/0x1d0 [ 80.601219][ T5131] ? syscall_enter_from_user_mode+0x32/0x230 [ 80.607198][ T5131] ? syscall_enter_from_user_mode+0x8c/0x230 [ 80.613178][ T5131] do_syscall_64+0x41/0xc0 [ 80.617588][ T5131] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 80.623479][ T5131] RIP: 0033:0x7f012f71fa59 [ 80.627902][ T5131] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 80.647518][ T5131] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 80.655934][ T5131] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5133] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5131] <... open resumed>) = -1 EIO (Input/output error) [pid 5131] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5130] exit_group(0 [pid 5133] <... futex resumed>) = ? [pid 5130] <... exit_group resumed>) = ? [pid 5133] +++ exited with 0 +++ [pid 5131] <... futex resumed>) = ? [pid 5131] +++ exited with 0 +++ [pid 5130] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5130, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./27", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./27/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./27/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./27/binderfs") = 0 [ 80.664076][ T5131] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 80.672039][ T5131] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 80.679999][ T5131] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 80.687962][ T5131] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 80.695940][ T5131] umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./27/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./27/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./27") = 0 mkdir("./28", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5134 ./strace-static-x86_64: Process 5134 attached [pid 5134] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5134] chdir("./28") = 0 [pid 5134] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5134] setpgid(0, 0) = 0 [pid 5134] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5134] write(3, "1000", 4) = 4 [pid 5134] close(3) = 0 [pid 5134] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5134] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5134] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5134] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5134] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5134] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5134] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5134] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5135]}, 88) = 5135 [pid 5134] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5134] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5134] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5135 attached [pid 5135] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5135] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5135] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5135] memfd_create("syzkaller", 0) = 3 [pid 5135] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5135] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5135] munmap(0x7f01272bc000, 16777216) = 0 [pid 5135] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5135] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5135] close(3) = 0 [pid 5135] mkdir("./file0", 0777) = 0 [ 81.003449][ T5135] loop0: detected capacity change from 0 to 32768 [ 81.015129][ T5135] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 81.023769][ T5135] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 81.033688][ T5135] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 81.042241][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 81.049008][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5135] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5135] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5135] chdir("./file0") = 0 [pid 5135] ioctl(4, LOOP_CLR_FD) = 0 [pid 5135] close(4) = 0 [pid 5135] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5134] <... futex resumed>) = 0 [pid 5134] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5135] <... futex resumed>) = 1 [pid 5134] <... futex resumed>) = 0 [pid 5135] open("./file0", O_RDWR [ 81.090460][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 81.099550][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 81.104887][ T5135] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 81.118811][ T5135] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 81.127509][ T5135] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 81.127509][ T5135] inode = 12 2341 [pid 5134] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5134] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5134] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5134] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5134] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5134] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5134] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5137]}, 88) = 5137 [pid 5134] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5134] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5134] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5137 attached [pid 5137] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5137] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5137] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5137] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5137] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5134] <... futex resumed>) = 0 [pid 5134] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5134] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5137] <... futex resumed>) = 1 [pid 5137] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5137] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5134] <... futex resumed>) = 0 [pid 5137] <... futex resumed>) = 1 [ 81.127509][ T5135] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 81.146770][ T5135] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 81.156568][ T5135] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5135 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 81.167834][ T5135] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 81.177450][ T5135] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 81.185051][ T5135] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 81.194530][ T5135] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 81.201547][ T5135] gfs2: fsid=syz:syz.0: File system withdrawn [ 81.207957][ T5135] CPU: 0 PID: 5135 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 81.218361][ T5135] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 81.228418][ T5135] Call Trace: [ 81.231696][ T5135] [ 81.234620][ T5135] dump_stack_lvl+0x1e7/0x2d0 [ 81.239313][ T5135] ? nf_tcp_handle_invalid+0x650/0x650 [ 81.244758][ T5135] ? panic+0x770/0x770 [ 81.248817][ T5135] gfs2_withdraw+0xc94/0x11e0 [ 81.253483][ T5135] gfs2_dirent_scan+0x512/0x640 [ 81.258322][ T5135] ? gfs2_permission+0x268/0x3c0 [ 81.264553][ T5135] ? gfs2_dirent_search+0x8c0/0x8c0 [ 81.269744][ T5135] gfs2_dirent_search+0x30e/0x8c0 [ 81.274757][ T5135] ? gfs2_dirent_search+0x8c0/0x8c0 [ 81.279937][ T5135] ? generic_permission+0x1df/0x550 [ 81.285136][ T5135] ? gfs2_dir_search+0x2f0/0x2f0 [ 81.290168][ T5135] ? gfs2_permission+0x34a/0x3c0 [ 81.295156][ T5135] gfs2_dir_search+0xb2/0x2f0 [ 81.299855][ T5135] ? do_filldir_main+0x520/0x520 [ 81.304789][ T5135] ? inode_go_held+0xea/0x200 [ 81.309466][ T5135] ? gfs2_glock_wait+0x21a/0x2b0 [ 81.314403][ T5135] gfs2_lookupi+0x460/0x5d0 [ 81.318905][ T5135] ? gfs2_lookup_simple+0x180/0x180 [ 81.324096][ T5135] ? __gfs2_lookup+0xa4/0x270 [ 81.328775][ T5135] __gfs2_lookup+0xa4/0x270 [ 81.333288][ T5135] ? gfs2_atomic_open+0x230/0x230 [ 81.338304][ T5135] ? __d_lookup+0x675/0x730 [ 81.342888][ T5135] ? d_hash_and_lookup+0x1b0/0x1b0 [ 81.347992][ T5135] gfs2_atomic_open+0x9e/0x230 [ 81.352751][ T5135] path_openat+0x1044/0x3180 [ 81.357341][ T5135] ? gfs2_rename2+0x25a0/0x25a0 [ 81.362303][ T5135] ? do_filp_open+0x490/0x490 [ 81.367030][ T5135] do_filp_open+0x234/0x490 [ 81.371541][ T5135] ? vfs_tmpfile+0x4b0/0x4b0 [ 81.376166][ T5135] ? _raw_spin_unlock+0x28/0x40 [ 81.381012][ T5135] ? alloc_fd+0x59c/0x640 [ 81.385347][ T5135] do_sys_openat2+0x13e/0x1d0 [ 81.390026][ T5135] ? do_sys_open+0x230/0x230 [ 81.394696][ T5135] ? lockdep_hardirqs_on+0x98/0x140 [ 81.399888][ T5135] ? _raw_spin_unlock_irq+0x2e/0x50 [ 81.405077][ T5135] ? ptrace_notify+0x278/0x380 [ 81.409834][ T5135] __x64_sys_open+0x225/0x270 [ 81.414507][ T5135] ? do_sys_openat2+0x1d0/0x1d0 [ 81.419353][ T5135] ? syscall_enter_from_user_mode+0x32/0x230 [ 81.425335][ T5135] ? syscall_enter_from_user_mode+0x8c/0x230 [ 81.431316][ T5135] do_syscall_64+0x41/0xc0 [ 81.435726][ T5135] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 81.441626][ T5135] RIP: 0033:0x7f012f71fa59 [ 81.446032][ T5135] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 81.465714][ T5135] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 81.474136][ T5135] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 81.482272][ T5135] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5137] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5135] <... open resumed>) = -1 EIO (Input/output error) [pid 5135] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5135] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5134] exit_group(0 [pid 5137] <... futex resumed>) = ? [pid 5134] <... exit_group resumed>) = ? [pid 5137] +++ exited with 0 +++ [pid 5135] <... futex resumed>) = ? [pid 5135] +++ exited with 0 +++ [pid 5134] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5134, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./28", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./28/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./28/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./28/binderfs") = 0 [ 81.490329][ T5135] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 81.498390][ T5135] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 81.506380][ T5135] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 81.514386][ T5135] umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./28/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./28/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./28") = 0 mkdir("./29", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5138 ./strace-static-x86_64: Process 5138 attached [pid 5138] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5138] chdir("./29") = 0 [pid 5138] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5138] setpgid(0, 0) = 0 [pid 5138] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5138] write(3, "1000", 4) = 4 [pid 5138] close(3) = 0 [pid 5138] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5138] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5138] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5138] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5138] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5138] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5138] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5139]}, 88) = 5139 [pid 5138] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5138] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5139 attached [pid 5139] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5139] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5139] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5139] memfd_create("syzkaller", 0) = 3 [pid 5139] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5139] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5139] munmap(0x7f01272bc000, 16777216) = 0 [pid 5139] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5139] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5139] close(3) = 0 [pid 5139] mkdir("./file0", 0777) = 0 [ 81.811921][ T5139] loop0: detected capacity change from 0 to 32768 [ 81.822917][ T5139] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 81.831259][ T5139] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 81.840965][ T5139] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 81.850126][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 81.856918][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5139] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5139] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5139] chdir("./file0") = 0 [pid 5139] ioctl(4, LOOP_CLR_FD) = 0 [pid 5139] close(4) = 0 [pid 5139] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5138] <... futex resumed>) = 0 [pid 5138] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5139] <... futex resumed>) = 1 [ 81.893082][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 81.900721][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 81.905972][ T5139] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 81.921628][ T5139] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 81.930453][ T5139] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 81.930453][ T5139] inode = 12 2341 [pid 5139] open("./file0", O_RDWR [pid 5138] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5138] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5138] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5138] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5138] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5141]}, 88) = 5141 [pid 5138] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5138] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5141 attached [pid 5141] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5141] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5141] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5141] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5141] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5138] <... futex resumed>) = 0 [pid 5138] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5141] <... futex resumed>) = 1 [pid 5141] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5141] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5138] <... futex resumed>) = 0 [ 81.930453][ T5139] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 81.949545][ T5139] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 81.959694][ T5139] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5139 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 81.970132][ T5139] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 81.978616][ T5139] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5141] <... futex resumed>) = 1 [ 81.986972][ T5139] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 81.995995][ T5139] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 82.004393][ T5139] gfs2: fsid=syz:syz.0: File system withdrawn [ 82.010788][ T5139] CPU: 1 PID: 5139 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 82.021231][ T5139] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 82.031299][ T5139] Call Trace: [ 82.034585][ T5139] [ 82.037510][ T5139] dump_stack_lvl+0x1e7/0x2d0 [ 82.042283][ T5139] ? nf_tcp_handle_invalid+0x650/0x650 [ 82.047765][ T5139] ? panic+0x770/0x770 [ 82.051870][ T5139] gfs2_withdraw+0xc94/0x11e0 [ 82.056567][ T5139] gfs2_dirent_scan+0x512/0x640 [ 82.061418][ T5139] ? gfs2_permission+0x268/0x3c0 [ 82.066350][ T5139] ? gfs2_dirent_search+0x8c0/0x8c0 [ 82.071565][ T5139] gfs2_dirent_search+0x30e/0x8c0 [ 82.076602][ T5139] ? gfs2_dirent_search+0x8c0/0x8c0 [ 82.081793][ T5139] ? generic_permission+0x1df/0x550 [ 82.086991][ T5139] ? gfs2_dir_search+0x2f0/0x2f0 [ 82.091924][ T5139] ? gfs2_permission+0x34a/0x3c0 [ 82.096861][ T5139] gfs2_dir_search+0xb2/0x2f0 [ 82.101562][ T5139] ? do_filldir_main+0x520/0x520 [ 82.106495][ T5139] ? inode_go_held+0xea/0x200 [ 82.111344][ T5139] ? gfs2_glock_wait+0x21a/0x2b0 [ 82.117056][ T5139] gfs2_lookupi+0x460/0x5d0 [ 82.121557][ T5139] ? gfs2_lookup_simple+0x180/0x180 [ 82.126766][ T5139] ? __gfs2_lookup+0xa4/0x270 [ 82.131445][ T5139] __gfs2_lookup+0xa4/0x270 [ 82.135943][ T5139] ? gfs2_atomic_open+0x230/0x230 [ 82.140961][ T5139] ? __d_lookup+0x675/0x730 [ 82.145460][ T5139] ? d_hash_and_lookup+0x1b0/0x1b0 [ 82.150569][ T5139] gfs2_atomic_open+0x9e/0x230 [ 82.155328][ T5139] path_openat+0x1044/0x3180 [ 82.159919][ T5139] ? gfs2_rename2+0x25a0/0x25a0 [ 82.164774][ T5139] ? do_filp_open+0x490/0x490 [ 82.169457][ T5139] do_filp_open+0x234/0x490 [ 82.173952][ T5139] ? vfs_tmpfile+0x4b0/0x4b0 [ 82.178548][ T5139] ? _raw_spin_unlock+0x28/0x40 [ 82.183401][ T5139] ? alloc_fd+0x59c/0x640 [ 82.187738][ T5139] do_sys_openat2+0x13e/0x1d0 [ 82.193040][ T5139] ? do_sys_open+0x230/0x230 [ 82.197640][ T5139] ? lockdep_hardirqs_on+0x98/0x140 [ 82.202859][ T5139] ? _raw_spin_unlock_irq+0x2e/0x50 [ 82.208144][ T5139] ? ptrace_notify+0x278/0x380 [ 82.212927][ T5139] __x64_sys_open+0x225/0x270 [ 82.217611][ T5139] ? do_sys_openat2+0x1d0/0x1d0 [ 82.222468][ T5139] ? syscall_enter_from_user_mode+0x32/0x230 [ 82.228452][ T5139] ? syscall_enter_from_user_mode+0x8c/0x230 [ 82.234456][ T5139] do_syscall_64+0x41/0xc0 [ 82.238980][ T5139] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 82.244884][ T5139] RIP: 0033:0x7f012f71fa59 [ 82.249298][ T5139] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 82.268931][ T5139] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 82.277350][ T5139] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 82.285315][ T5139] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5141] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5139] <... open resumed>) = -1 EIO (Input/output error) [pid 5139] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] exit_group(0 [pid 5139] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5141] <... futex resumed>) = ? [pid 5139] <... futex resumed>) = ? [pid 5138] <... exit_group resumed>) = ? [pid 5141] +++ exited with 0 +++ [pid 5139] +++ exited with 0 +++ [pid 5138] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5138, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- umount2("./29", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./29/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./29/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./29/binderfs") = 0 [ 82.293277][ T5139] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 82.301257][ T5139] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 82.309232][ T5139] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 82.317230][ T5139] umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./29/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./29/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./29") = 0 mkdir("./30", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5142 ./strace-static-x86_64: Process 5142 attached [pid 5142] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5142] chdir("./30") = 0 [pid 5142] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5142] setpgid(0, 0) = 0 [pid 5142] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5142] write(3, "1000", 4) = 4 [pid 5142] close(3) = 0 [pid 5142] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5142] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5142] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5142] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5142] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5142] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5142] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5143]}, 88) = 5143 [pid 5142] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5142] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5143 attached [pid 5143] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5143] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5143] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5143] memfd_create("syzkaller", 0) = 3 [pid 5143] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5143] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5143] munmap(0x7f01272bc000, 16777216) = 0 [pid 5143] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5143] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5143] close(3) = 0 [pid 5143] mkdir("./file0", 0777) = 0 [ 82.654812][ T5143] loop0: detected capacity change from 0 to 32768 [ 82.666296][ T5143] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 82.674979][ T5143] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 82.684415][ T5143] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 82.692903][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 82.699797][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5143] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5143] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5143] chdir("./file0") = 0 [pid 5143] ioctl(4, LOOP_CLR_FD) = 0 [pid 5143] close(4) = 0 [pid 5143] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5142] <... futex resumed>) = 0 [pid 5143] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5142] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5143] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5142] <... futex resumed>) = 0 [pid 5143] open("./file0", O_RDWR [ 82.735691][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 82.744197][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 82.749633][ T5143] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 82.766494][ T5143] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 82.775960][ T5143] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5142] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5142] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5142] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5142] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5142] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5145]}, 88) = 5145 [pid 5142] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5142] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5145 attached [pid 5145] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5145] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5145] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5145] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5145] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5142] <... futex resumed>) = 0 [pid 5142] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5145] <... futex resumed>) = 1 [pid 5145] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5145] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5142] <... futex resumed>) = 0 [pid 5145] <... futex resumed>) = 1 [ 82.775960][ T5143] inode = 12 2341 [ 82.775960][ T5143] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 82.794841][ T5143] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 82.804120][ T5143] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5143 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 82.814324][ T5143] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 82.822836][ T5143] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 82.830454][ T5143] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 82.839295][ T5143] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 82.846033][ T5143] gfs2: fsid=syz:syz.0: File system withdrawn [ 82.852165][ T5143] CPU: 0 PID: 5143 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 82.862598][ T5143] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 82.872650][ T5143] Call Trace: [ 82.875921][ T5143] [ 82.878845][ T5143] dump_stack_lvl+0x1e7/0x2d0 [ 82.883517][ T5143] ? nf_tcp_handle_invalid+0x650/0x650 [ 82.888992][ T5143] ? panic+0x770/0x770 [ 82.893080][ T5143] gfs2_withdraw+0xc94/0x11e0 [ 82.897767][ T5143] gfs2_dirent_scan+0x512/0x640 [ 82.902628][ T5143] ? gfs2_permission+0x268/0x3c0 [ 82.907581][ T5143] ? gfs2_dirent_search+0x8c0/0x8c0 [ 82.912882][ T5143] gfs2_dirent_search+0x30e/0x8c0 [ 82.917925][ T5143] ? gfs2_dirent_search+0x8c0/0x8c0 [ 82.923138][ T5143] ? generic_permission+0x1df/0x550 [ 82.928414][ T5143] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5145] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5142] exit_group(0 [pid 5145] <... futex resumed>) = ? [pid 5142] <... exit_group resumed>) = ? [pid 5145] +++ exited with 0 +++ [ 82.933364][ T5143] ? gfs2_permission+0x34a/0x3c0 [ 82.938319][ T5143] gfs2_dir_search+0xb2/0x2f0 [ 82.943017][ T5143] ? do_filldir_main+0x520/0x520 [ 82.947977][ T5143] ? inode_go_held+0xea/0x200 [ 82.952664][ T5143] ? gfs2_glock_wait+0x21a/0x2b0 [ 82.957617][ T5143] gfs2_lookupi+0x460/0x5d0 [ 82.962144][ T5143] ? gfs2_lookup_simple+0x180/0x180 [ 82.967365][ T5143] ? __gfs2_lookup+0xa4/0x270 [ 82.972149][ T5143] __gfs2_lookup+0xa4/0x270 [ 82.976755][ T5143] ? gfs2_atomic_open+0x230/0x230 [ 82.981788][ T5143] ? __d_lookup+0x675/0x730 [ 82.986303][ T5143] ? d_hash_and_lookup+0x1b0/0x1b0 [ 82.991434][ T5143] gfs2_atomic_open+0x9e/0x230 [ 82.996218][ T5143] path_openat+0x1044/0x3180 [ 83.000816][ T5143] ? gfs2_rename2+0x25a0/0x25a0 [ 83.005669][ T5143] ? do_filp_open+0x490/0x490 [ 83.010352][ T5143] do_filp_open+0x234/0x490 [ 83.014864][ T5143] ? vfs_tmpfile+0x4b0/0x4b0 [ 83.019476][ T5143] ? _raw_spin_unlock+0x28/0x40 [ 83.024321][ T5143] ? alloc_fd+0x59c/0x640 [ 83.028674][ T5143] do_sys_openat2+0x13e/0x1d0 [ 83.033368][ T5143] ? do_sys_open+0x230/0x230 [ 83.037951][ T5143] ? lockdep_hardirqs_on+0x98/0x140 [ 83.043163][ T5143] ? _raw_spin_unlock_irq+0x2e/0x50 [ 83.048447][ T5143] ? ptrace_notify+0x278/0x380 [ 83.053228][ T5143] __x64_sys_open+0x225/0x270 [ 83.058011][ T5143] ? do_sys_openat2+0x1d0/0x1d0 [ 83.062870][ T5143] ? syscall_enter_from_user_mode+0x32/0x230 [ 83.068875][ T5143] ? syscall_enter_from_user_mode+0x8c/0x230 [ 83.074860][ T5143] do_syscall_64+0x41/0xc0 [ 83.079284][ T5143] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 83.085283][ T5143] RIP: 0033:0x7f012f71fa59 [ 83.089689][ T5143] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 83.109651][ T5143] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 83.118423][ T5143] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 83.126393][ T5143] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5143] <... open resumed>) = ? [pid 5143] +++ exited with 0 +++ [pid 5142] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5142, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=32 /* 0.32 s */} --- umount2("./30", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./30/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./30/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./30/binderfs") = 0 [ 83.134380][ T5143] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 83.142373][ T5143] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 83.150355][ T5143] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 83.158334][ T5143] umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./30/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./30/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./30") = 0 mkdir("./31", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5146 ./strace-static-x86_64: Process 5146 attached [pid 5146] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5146] chdir("./31") = 0 [pid 5146] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5146] setpgid(0, 0) = 0 [pid 5146] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5146] write(3, "1000", 4) = 4 [pid 5146] close(3) = 0 [pid 5146] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5146] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5146] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5146] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5146] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5146] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5146] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5146] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5147]}, 88) = 5147 [pid 5146] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5146] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5146] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5147 attached [pid 5147] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5147] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5147] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5147] memfd_create("syzkaller", 0) = 3 [pid 5147] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5147] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5147] munmap(0x7f01272bc000, 16777216) = 0 [pid 5147] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5147] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5147] close(3) = 0 [pid 5147] mkdir("./file0", 0777) = 0 [ 83.466032][ T5147] loop0: detected capacity change from 0 to 32768 [ 83.478071][ T5147] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 83.486907][ T5147] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 83.496575][ T5147] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 83.505627][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 83.512684][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5147] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5147] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5147] chdir("./file0") = 0 [pid 5147] ioctl(4, LOOP_CLR_FD) = 0 [pid 5147] close(4) = 0 [pid 5147] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5146] <... futex resumed>) = 0 [pid 5146] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5146] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5147] <... futex resumed>) = 1 [ 83.546150][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 83.554706][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 83.560095][ T5147] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 83.572847][ T5147] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 83.581377][ T5147] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 83.581377][ T5147] inode = 12 2341 [pid 5147] open("./file0", O_RDWR [pid 5146] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5146] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5146] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5146] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5146] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5146] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5149]}, 88) = 5149 [pid 5146] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5146] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5146] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5149 attached [pid 5149] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5149] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5149] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5149] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5149] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5146] <... futex resumed>) = 0 [pid 5146] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5149] <... futex resumed>) = 1 [pid 5146] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5149] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5149] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5146] <... futex resumed>) = 0 [ 83.581377][ T5147] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 83.600090][ T5147] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 83.609162][ T5147] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5147 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 83.619385][ T5147] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 83.628053][ T5147] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 83.635505][ T5147] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 83.644421][ T5147] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 83.651007][ T5147] gfs2: fsid=syz:syz.0: File system withdrawn [ 83.657092][ T5147] CPU: 0 PID: 5147 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 83.667598][ T5147] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 83.677844][ T5147] Call Trace: [ 83.681138][ T5147] [ 83.684061][ T5147] dump_stack_lvl+0x1e7/0x2d0 [ 83.688736][ T5147] ? nf_tcp_handle_invalid+0x650/0x650 [ 83.694199][ T5147] ? panic+0x770/0x770 [ 83.698361][ T5147] gfs2_withdraw+0xc94/0x11e0 [ 83.703055][ T5147] gfs2_dirent_scan+0x512/0x640 [ 83.707908][ T5147] ? gfs2_permission+0x268/0x3c0 [ 83.712840][ T5147] ? gfs2_dirent_search+0x8c0/0x8c0 [ 83.718126][ T5147] gfs2_dirent_search+0x30e/0x8c0 [ 83.723147][ T5147] ? gfs2_dirent_search+0x8c0/0x8c0 [ 83.728347][ T5147] ? generic_permission+0x1df/0x550 [ 83.733537][ T5147] ? gfs2_dir_search+0x2f0/0x2f0 [ 83.738480][ T5147] ? gfs2_permission+0x34a/0x3c0 [ 83.743675][ T5147] gfs2_dir_search+0xb2/0x2f0 [ 83.748347][ T5147] ? do_filldir_main+0x520/0x520 [ 83.753280][ T5147] ? inode_go_held+0xea/0x200 [ 83.757966][ T5147] ? gfs2_glock_wait+0x21a/0x2b0 [ 83.762898][ T5147] gfs2_lookupi+0x460/0x5d0 [ 83.767400][ T5147] ? gfs2_lookup_simple+0x180/0x180 [ 83.772597][ T5147] ? __gfs2_lookup+0xa4/0x270 [ 83.777276][ T5147] __gfs2_lookup+0xa4/0x270 [ 83.781777][ T5147] ? gfs2_atomic_open+0x230/0x230 [ 83.786810][ T5147] ? __d_lookup+0x675/0x730 [ 83.791305][ T5147] ? d_hash_and_lookup+0x1b0/0x1b0 [ 83.796408][ T5147] gfs2_atomic_open+0x9e/0x230 [ 83.801172][ T5147] path_openat+0x1044/0x3180 [ 83.805756][ T5147] ? gfs2_rename2+0x25a0/0x25a0 [ 83.810615][ T5147] ? do_filp_open+0x490/0x490 [ 83.815297][ T5147] do_filp_open+0x234/0x490 [ 83.819793][ T5147] ? vfs_tmpfile+0x4b0/0x4b0 [ 83.824391][ T5147] ? _raw_spin_unlock+0x28/0x40 [ 83.829268][ T5147] ? alloc_fd+0x59c/0x640 [ 83.833606][ T5147] do_sys_openat2+0x13e/0x1d0 [ 83.838279][ T5147] ? do_sys_open+0x230/0x230 [ 83.842883][ T5147] ? lockdep_hardirqs_on+0x98/0x140 [ 83.848111][ T5147] ? _raw_spin_unlock_irq+0x2e/0x50 [ 83.853413][ T5147] ? ptrace_notify+0x278/0x380 [ 83.858223][ T5147] __x64_sys_open+0x225/0x270 [ 83.862992][ T5147] ? do_sys_openat2+0x1d0/0x1d0 [ 83.867859][ T5147] ? syscall_enter_from_user_mode+0x32/0x230 [ 83.873863][ T5147] ? syscall_enter_from_user_mode+0x8c/0x230 [ 83.879853][ T5147] do_syscall_64+0x41/0xc0 [ 83.884268][ T5147] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 83.890171][ T5147] RIP: 0033:0x7f012f71fa59 [ 83.894595][ T5147] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 83.914456][ T5147] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 83.922954][ T5147] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 83.932839][ T5147] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5149] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5147] <... open resumed>) = -1 EIO (Input/output error) [pid 5147] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5147] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5146] exit_group(0) = ? [pid 5147] <... futex resumed>) = ? [pid 5147] +++ exited with 0 +++ [pid 5149] <... futex resumed>) = ? [pid 5149] +++ exited with 0 +++ [pid 5146] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5146, si_uid=0, si_status=0, si_utime=0, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./31", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./31/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./31/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./31/binderfs") = 0 [ 83.940889][ T5147] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 83.948853][ T5147] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 83.956817][ T5147] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 83.964881][ T5147] umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./31/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./31/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./31") = 0 mkdir("./32", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5150 ./strace-static-x86_64: Process 5150 attached [pid 5150] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5150] chdir("./32") = 0 [pid 5150] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5150] setpgid(0, 0) = 0 [pid 5150] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5150] write(3, "1000", 4) = 4 [pid 5150] close(3) = 0 [pid 5150] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5150] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5150] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5150] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5150] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5150] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5150] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5151]}, 88) = 5151 ./strace-static-x86_64: Process 5151 attached [pid 5150] rt_sigprocmask(SIG_SETMASK, [], [pid 5151] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5151] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5151] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5151] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5150] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5150] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5151] <... futex resumed>) = 0 [pid 5150] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5151] memfd_create("syzkaller", 0) = 3 [pid 5151] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5151] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5151] munmap(0x7f01272bc000, 16777216) = 0 [pid 5151] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5151] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5151] close(3) = 0 [pid 5151] mkdir("./file0", 0777) = 0 [ 84.281904][ T5151] loop0: detected capacity change from 0 to 32768 [ 84.293606][ T5151] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 84.301958][ T5151] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 84.311887][ T5151] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 84.320547][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 84.327351][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5151] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5151] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5151] chdir("./file0") = 0 [pid 5151] ioctl(4, LOOP_CLR_FD) = 0 [pid 5151] close(4) = 0 [pid 5151] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5150] <... futex resumed>) = 0 [pid 5150] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5151] <... futex resumed>) = 1 [ 84.363639][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 84.372526][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 84.377799][ T5151] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 84.398346][ T5151] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5151] open("./file0", O_RDWR [pid 5150] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5150] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5150] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5150] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5150] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5153]}, 88) = 5153 [pid 5150] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5150] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5153 attached [pid 5153] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5153] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5153] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5153] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5153] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5150] <... futex resumed>) = 0 [pid 5150] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5153] <... futex resumed>) = 1 [pid 5153] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5153] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5150] <... futex resumed>) = 0 [ 84.408471][ T5151] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 84.408471][ T5151] inode = 12 2341 [ 84.408471][ T5151] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 84.427396][ T5151] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 84.437078][ T5151] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5151 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 84.449371][ T5151] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5153] <... futex resumed>) = 1 [ 84.457836][ T5151] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 84.465101][ T5151] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 84.474021][ T5151] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 84.481314][ T5151] gfs2: fsid=syz:syz.0: File system withdrawn [ 84.487727][ T5151] CPU: 1 PID: 5151 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 84.498147][ T5151] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 84.508190][ T5151] Call Trace: [ 84.511557][ T5151] [ 84.514475][ T5151] dump_stack_lvl+0x1e7/0x2d0 [ 84.519278][ T5151] ? nf_tcp_handle_invalid+0x650/0x650 [ 84.524749][ T5151] ? panic+0x770/0x770 [ 84.528996][ T5151] gfs2_withdraw+0xc94/0x11e0 [ 84.533684][ T5151] gfs2_dirent_scan+0x512/0x640 [ 84.538537][ T5151] ? gfs2_permission+0x268/0x3c0 [ 84.543465][ T5151] ? gfs2_dirent_search+0x8c0/0x8c0 [ 84.548658][ T5151] gfs2_dirent_search+0x30e/0x8c0 [ 84.553678][ T5151] ? gfs2_dirent_search+0x8c0/0x8c0 [ 84.558869][ T5151] ? generic_permission+0x1df/0x550 [ 84.564059][ T5151] ? gfs2_dir_search+0x2f0/0x2f0 [ 84.568988][ T5151] ? gfs2_permission+0x34a/0x3c0 [ 84.573928][ T5151] gfs2_dir_search+0xb2/0x2f0 [ 84.578603][ T5151] ? do_filldir_main+0x520/0x520 [ 84.583537][ T5151] ? inode_go_held+0xea/0x200 [ 84.588217][ T5151] ? gfs2_glock_wait+0x21a/0x2b0 [ 84.593154][ T5151] gfs2_lookupi+0x460/0x5d0 [ 84.597654][ T5151] ? gfs2_lookup_simple+0x180/0x180 [ 84.602869][ T5151] ? __gfs2_lookup+0xa4/0x270 [ 84.607562][ T5151] __gfs2_lookup+0xa4/0x270 [ 84.612069][ T5151] ? gfs2_atomic_open+0x230/0x230 [ 84.617104][ T5151] ? __d_lookup+0x675/0x730 [ 84.621777][ T5151] ? d_hash_and_lookup+0x1b0/0x1b0 [ 84.626886][ T5151] gfs2_atomic_open+0x9e/0x230 [ 84.631649][ T5151] path_openat+0x1044/0x3180 [ 84.636237][ T5151] ? gfs2_rename2+0x25a0/0x25a0 [ 84.641091][ T5151] ? do_filp_open+0x490/0x490 [ 84.645775][ T5151] do_filp_open+0x234/0x490 [ 84.650272][ T5151] ? vfs_tmpfile+0x4b0/0x4b0 [ 84.654869][ T5151] ? _raw_spin_unlock+0x28/0x40 [ 84.659753][ T5151] ? alloc_fd+0x59c/0x640 [ 84.664178][ T5151] do_sys_openat2+0x13e/0x1d0 [ 84.668849][ T5151] ? do_sys_open+0x230/0x230 [ 84.673435][ T5151] ? lockdep_hardirqs_on+0x98/0x140 [ 84.678627][ T5151] ? _raw_spin_unlock_irq+0x2e/0x50 [ 84.683819][ T5151] ? ptrace_notify+0x278/0x380 [ 84.688666][ T5151] __x64_sys_open+0x225/0x270 [ 84.693337][ T5151] ? do_sys_openat2+0x1d0/0x1d0 [ 84.698206][ T5151] ? syscall_enter_from_user_mode+0x32/0x230 [ 84.704269][ T5151] ? syscall_enter_from_user_mode+0x8c/0x230 [ 84.710250][ T5151] do_syscall_64+0x41/0xc0 [ 84.714658][ T5151] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 84.720637][ T5151] RIP: 0033:0x7f012f71fa59 [ 84.725047][ T5151] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 84.744650][ T5151] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 84.753060][ T5151] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5153] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5151] <... open resumed>) = -1 EIO (Input/output error) [pid 5151] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5151] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5150] exit_group(0 [pid 5153] <... futex resumed>) = ? [pid 5151] <... futex resumed>) = ? [pid 5150] <... exit_group resumed>) = ? [pid 5153] +++ exited with 0 +++ [pid 5151] +++ exited with 0 +++ [pid 5150] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5150, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=25 /* 0.25 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./32", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./32", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./32/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./32/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./32/binderfs") = 0 [ 84.761086][ T5151] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 84.770365][ T5151] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 84.778326][ T5151] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 84.786286][ T5151] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 84.794272][ T5151] umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./32/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./32/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./32/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./32") = 0 mkdir("./33", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5154 ./strace-static-x86_64: Process 5154 attached [pid 5154] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5154] chdir("./33") = 0 [pid 5154] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5154] setpgid(0, 0) = 0 [pid 5154] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5154] write(3, "1000", 4) = 4 [pid 5154] close(3) = 0 [pid 5154] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5154] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5154] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5154] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5154] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5154] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5154] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5154] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5155]}, 88) = 5155 [pid 5154] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5154] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5154] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5155 attached [pid 5155] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5155] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5155] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5155] memfd_create("syzkaller", 0) = 3 [pid 5155] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5155] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5155] munmap(0x7f01272bc000, 16777216) = 0 [pid 5155] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5155] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5155] close(3) = 0 [pid 5155] mkdir("./file0", 0777) = 0 [ 85.103098][ T5155] loop0: detected capacity change from 0 to 32768 [ 85.113632][ T5155] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 85.121954][ T5155] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 85.131467][ T5155] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 85.140278][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 85.147049][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5155] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5155] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5155] chdir("./file0") = 0 [pid 5155] ioctl(4, LOOP_CLR_FD) = 0 [pid 5155] close(4) = 0 [pid 5155] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5154] <... futex resumed>) = 0 [pid 5154] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5154] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5155] <... futex resumed>) = 1 [ 85.181345][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 85.190055][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 85.195338][ T5155] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 85.215911][ T5155] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 85.224466][ T5155] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5155] open("./file0", O_RDWR [pid 5154] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5154] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5154] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5154] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5154] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5154] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5157]}, 88) = 5157 [pid 5154] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5154] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5154] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5157 attached [pid 5157] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5157] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5157] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 85.224466][ T5155] inode = 12 2341 [ 85.224466][ T5155] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 85.243389][ T5155] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 85.253426][ T5155] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5155 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 85.263930][ T5155] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 85.276636][ T5157] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 85.277622][ T5155] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 85.285440][ T5157] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 85.292808][ T5155] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 85.301818][ T5157] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5155 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 85.310608][ T5155] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [pid 5157] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5154] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5154] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5154] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5154] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5154] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5154] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5158]}, 88) = 5158 [pid 5154] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5154] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5154] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5158 attached [pid 5158] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5158] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5158] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5158] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [ 85.320637][ T5157] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5157 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 85.327038][ T5155] gfs2: fsid=syz:syz.0: File system withdrawn [ 85.337128][ T5157] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 85.344442][ T5155] CPU: 1 PID: 5155 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 85.361826][ T5155] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 85.371904][ T5155] Call Trace: [ 85.375191][ T5155] [pid 5158] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5154] <... futex resumed>) = 0 [pid 5158] <... futex resumed>) = 1 [ 85.378140][ T5155] dump_stack_lvl+0x1e7/0x2d0 [ 85.382834][ T5155] ? nf_tcp_handle_invalid+0x650/0x650 [ 85.388288][ T5155] ? panic+0x770/0x770 [ 85.392394][ T5155] gfs2_withdraw+0xc94/0x11e0 [ 85.397089][ T5155] gfs2_dirent_scan+0x512/0x640 [ 85.401933][ T5155] ? gfs2_permission+0x268/0x3c0 [ 85.406875][ T5155] ? gfs2_dirent_search+0x8c0/0x8c0 [ 85.414000][ T5155] gfs2_dirent_search+0x30e/0x8c0 [ 85.419053][ T5155] ? gfs2_dirent_search+0x8c0/0x8c0 [ 85.424277][ T5155] ? generic_permission+0x1df/0x550 [ 85.429580][ T5155] ? gfs2_dir_search+0x2f0/0x2f0 [ 85.434527][ T5155] ? gfs2_permission+0x34a/0x3c0 [ 85.439471][ T5155] gfs2_dir_search+0xb2/0x2f0 [ 85.444185][ T5155] ? do_filldir_main+0x520/0x520 [ 85.449261][ T5155] ? inode_go_held+0xea/0x200 [ 85.453989][ T5155] ? gfs2_glock_wait+0x21a/0x2b0 [ 85.459036][ T5155] gfs2_lookupi+0x460/0x5d0 [ 85.463549][ T5155] ? gfs2_lookup_simple+0x180/0x180 [ 85.468754][ T5155] ? __gfs2_lookup+0xa4/0x270 [ 85.473434][ T5155] __gfs2_lookup+0xa4/0x270 [ 85.477959][ T5155] ? gfs2_atomic_open+0x230/0x230 [ 85.483131][ T5155] ? __d_lookup+0x675/0x730 [ 85.487648][ T5155] ? d_hash_and_lookup+0x1b0/0x1b0 [ 85.492777][ T5155] gfs2_atomic_open+0x9e/0x230 [ 85.497570][ T5155] path_openat+0x1044/0x3180 [ 85.502188][ T5155] ? gfs2_rename2+0x25a0/0x25a0 [ 85.507070][ T5155] ? do_filp_open+0x490/0x490 [ 85.511771][ T5155] do_filp_open+0x234/0x490 [ 85.516292][ T5155] ? vfs_tmpfile+0x4b0/0x4b0 [ 85.520909][ T5155] ? _raw_spin_unlock+0x28/0x40 [ 85.525773][ T5155] ? alloc_fd+0x59c/0x640 [ 85.530138][ T5155] do_sys_openat2+0x13e/0x1d0 [ 85.534840][ T5155] ? do_sys_open+0x230/0x230 [ 85.539435][ T5155] ? lockdep_hardirqs_on+0x98/0x140 [ 85.544638][ T5155] ? _raw_spin_unlock_irq+0x2e/0x50 [ 85.549847][ T5155] ? ptrace_notify+0x278/0x380 [ 85.554605][ T5155] __x64_sys_open+0x225/0x270 [ 85.559291][ T5155] ? do_sys_openat2+0x1d0/0x1d0 [ 85.564157][ T5155] ? syscall_enter_from_user_mode+0x32/0x230 [ 85.570144][ T5155] ? syscall_enter_from_user_mode+0x8c/0x230 [ 85.576135][ T5155] do_syscall_64+0x41/0xc0 [ 85.580629][ T5155] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 85.586523][ T5155] RIP: 0033:0x7f012f71fa59 [ 85.590933][ T5155] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 85.610532][ T5155] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 85.618944][ T5155] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5158] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5154] exit_group(0 [pid 5158] <... futex resumed>) = ? [pid 5154] <... exit_group resumed>) = ? [pid 5158] +++ exited with 0 +++ [pid 5157] <... openat resumed>) = ? [pid 5155] <... open resumed>) = ? [pid 5155] +++ exited with 0 +++ [pid 5157] +++ exited with 0 +++ [pid 5154] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5154, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=43 /* 0.43 s */} --- umount2("./33", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./33/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./33/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./33/binderfs") = 0 [ 85.626948][ T5155] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 85.634929][ T5155] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 85.642894][ T5155] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 85.650955][ T5155] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 85.658945][ T5155] umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./33/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./33/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./33") = 0 mkdir("./34", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5159 ./strace-static-x86_64: Process 5159 attached [pid 5159] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5159] chdir("./34") = 0 [pid 5159] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5159] setpgid(0, 0) = 0 [pid 5159] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5159] write(3, "1000", 4) = 4 [pid 5159] close(3) = 0 [pid 5159] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5159] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5159] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5159] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5159] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5159] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5159] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5159] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5160 attached => {parent_tid=[5160]}, 88) = 5160 [pid 5159] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5159] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5159] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5160] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5160] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5160] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5160] memfd_create("syzkaller", 0) = 3 [pid 5160] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5160] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5160] munmap(0x7f01272bc000, 16777216) = 0 [pid 5160] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5160] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5160] close(3) = 0 [pid 5160] mkdir("./file0", 0777) = 0 [ 85.976448][ T5160] loop0: detected capacity change from 0 to 32768 [ 85.987884][ T5160] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 85.996374][ T5160] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 86.005884][ T5160] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 86.014518][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 86.021722][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5160] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5160] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5160] chdir("./file0") = 0 [pid 5160] ioctl(4, LOOP_CLR_FD) = 0 [pid 5160] close(4) = 0 [pid 5160] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5159] <... futex resumed>) = 0 [pid 5159] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5159] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 86.058134][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 86.067119][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 86.072692][ T5160] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5160] open("./file0", O_RDWR [pid 5159] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5159] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [ 86.101459][ T5160] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 86.110092][ T5160] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 86.110092][ T5160] inode = 12 2341 [ 86.110092][ T5160] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 86.132508][ T5160] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [pid 5159] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5159] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5159] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5159] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5159] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5162]}, 88) = 5162 [pid 5159] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5159] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5159] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5162 attached [pid 5162] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5162] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5162] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 86.142043][ T5160] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5160 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 86.152563][ T5160] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 86.160964][ T5162] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 86.162046][ T5160] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 86.169972][ T5162] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 86.176750][ T5160] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5162] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5159] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5159] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5159] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5159] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5159] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5159] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0}./strace-static-x86_64: Process 5163 attached => {parent_tid=[5163]}, 88) = 5163 [pid 5159] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5159] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5159] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5163] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5163] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5163] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5163] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5163] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5159] <... futex resumed>) = 0 [ 86.186130][ T5162] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5160 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 86.194747][ T5160] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 86.204947][ T5162] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5162 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 86.211294][ T5160] gfs2: fsid=syz:syz.0: File system withdrawn [ 86.227837][ T5160] CPU: 1 PID: 5160 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 86.230013][ T5162] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 86.238268][ T5160] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 86.238282][ T5160] Call Trace: [ 86.238289][ T5160] [ 86.238297][ T5160] dump_stack_lvl+0x1e7/0x2d0 [ 86.238323][ T5160] ? nf_tcp_handle_invalid+0x650/0x650 [ 86.238342][ T5160] ? panic+0x770/0x770 [ 86.277164][ T5160] gfs2_withdraw+0xc94/0x11e0 [ 86.281858][ T5160] gfs2_dirent_scan+0x512/0x640 [ 86.286713][ T5160] ? gfs2_permission+0x268/0x3c0 [ 86.291643][ T5160] ? gfs2_dirent_search+0x8c0/0x8c0 [ 86.296849][ T5160] gfs2_dirent_search+0x30e/0x8c0 [ 86.301871][ T5160] ? gfs2_dirent_search+0x8c0/0x8c0 [ 86.307062][ T5160] ? generic_permission+0x1df/0x550 [ 86.312285][ T5160] ? gfs2_dir_search+0x2f0/0x2f0 [ 86.317239][ T5160] ? gfs2_permission+0x34a/0x3c0 [ 86.322188][ T5160] gfs2_dir_search+0xb2/0x2f0 [ 86.326871][ T5160] ? do_filldir_main+0x520/0x520 [ 86.331859][ T5160] ? inode_go_held+0xea/0x200 [ 86.336535][ T5160] ? gfs2_glock_wait+0x21a/0x2b0 [ 86.341468][ T5160] gfs2_lookupi+0x460/0x5d0 [ 86.345983][ T5160] ? gfs2_lookup_simple+0x180/0x180 [ 86.351189][ T5160] ? __gfs2_lookup+0xa4/0x270 [ 86.355860][ T5160] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0 [ 86.361848][ T5160] __gfs2_lookup+0xa4/0x270 [ 86.366348][ T5160] ? asm_sysvec_reschedule_ipi+0x1a/0x20 [ 86.371978][ T5160] ? gfs2_atomic_open+0x230/0x230 [ 86.377024][ T5160] ? gfs2_atomic_open+0x5c/0x230 [ 86.381983][ T5160] gfs2_atomic_open+0x9e/0x230 [ 86.386764][ T5160] path_openat+0x1044/0x3180 [ 86.391362][ T5160] ? gfs2_rename2+0x25a0/0x25a0 [ 86.396219][ T5160] ? do_filp_open+0x490/0x490 [ 86.400903][ T5160] do_filp_open+0x234/0x490 [ 86.405402][ T5160] ? vfs_tmpfile+0x4b0/0x4b0 [ 86.410012][ T5160] ? _raw_spin_unlock+0x28/0x40 [ 86.414859][ T5160] ? alloc_fd+0x59c/0x640 [ 86.419218][ T5160] do_sys_openat2+0x13e/0x1d0 [ 86.423917][ T5160] ? do_sys_open+0x230/0x230 [ 86.428509][ T5160] ? lockdep_hardirqs_on+0x98/0x140 [ 86.433710][ T5160] ? _raw_spin_unlock_irq+0x2e/0x50 [ 86.438935][ T5160] ? ptrace_notify+0x278/0x380 [ 86.443731][ T5160] __x64_sys_open+0x225/0x270 [ 86.448425][ T5160] ? do_sys_openat2+0x1d0/0x1d0 [ 86.453279][ T5160] ? syscall_enter_from_user_mode+0x32/0x230 [ 86.459269][ T5160] ? syscall_enter_from_user_mode+0x8c/0x230 [ 86.465246][ T5160] do_syscall_64+0x41/0xc0 [ 86.469659][ T5160] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 86.475554][ T5160] RIP: 0033:0x7f012f71fa59 [ 86.479965][ T5160] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [pid 5163] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5160] <... open resumed>) = -1 EIO (Input/output error) [pid 5160] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5160] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5162] <... openat resumed>) = -1 EIO (Input/output error) [pid 5162] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5162] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5159] exit_group(0 [pid 5163] <... futex resumed>) = ? [pid 5162] <... futex resumed>) = ? [pid 5159] <... exit_group resumed>) = ? [pid 5163] +++ exited with 0 +++ [pid 5162] +++ exited with 0 +++ [pid 5160] <... futex resumed>) = ? [pid 5160] +++ exited with 0 +++ [pid 5159] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5159, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=40 /* 0.40 s */} --- umount2("./34", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./34", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./34/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./34/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./34/binderfs") = 0 [ 86.499566][ T5160] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 86.507977][ T5160] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 86.515939][ T5160] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 86.523922][ T5160] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 86.531904][ T5160] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 86.539890][ T5160] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 86.547896][ T5160] umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./34/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./34/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./34/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./34") = 0 mkdir("./35", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5164 ./strace-static-x86_64: Process 5164 attached [pid 5164] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5164] chdir("./35") = 0 [pid 5164] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5164] setpgid(0, 0) = 0 [pid 5164] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5164] write(3, "1000", 4) = 4 [pid 5164] close(3) = 0 [pid 5164] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5164] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5164] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5164] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5164] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5164] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5164] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5164] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5165]}, 88) = 5165 ./strace-static-x86_64: Process 5165 attached [pid 5164] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5164] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5164] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5165] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5165] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5165] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5165] memfd_create("syzkaller", 0) = 3 [pid 5165] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5165] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5165] munmap(0x7f01272bc000, 16777216) = 0 [pid 5165] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5165] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5165] close(3) = 0 [pid 5165] mkdir("./file0", 0777) = 0 [ 86.858606][ T5165] loop0: detected capacity change from 0 to 32768 [ 86.870136][ T5165] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 86.878575][ T5165] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 86.888014][ T5165] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 86.897443][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 86.904309][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5165] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5165] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5165] chdir("./file0") = 0 [pid 5165] ioctl(4, LOOP_CLR_FD) = 0 [pid 5165] close(4) = 0 [pid 5165] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5165] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5164] <... futex resumed>) = 0 [pid 5164] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5164] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5165] <... futex resumed>) = 0 [ 86.943325][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 86.950936][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 86.956193][ T5165] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 86.973294][ T5165] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 86.982302][ T5165] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 86.982302][ T5165] inode = 12 2341 [pid 5165] open("./file0", O_RDWR [pid 5164] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5164] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5164] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5164] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5164] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5164] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5167]}, 88) = 5167 [pid 5164] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5164] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5164] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5167 attached [pid 5167] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5167] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5167] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5167] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5167] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5164] <... futex resumed>) = 0 [pid 5164] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5164] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5167] <... futex resumed>) = 1 [pid 5167] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5167] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5164] <... futex resumed>) = 0 [pid 5167] <... futex resumed>) = 1 [ 86.982302][ T5165] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 87.001654][ T5165] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 87.011031][ T5165] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5165 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 87.021293][ T5165] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 87.030354][ T5165] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 87.038390][ T5165] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 87.047215][ T5165] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 87.054127][ T5165] gfs2: fsid=syz:syz.0: File system withdrawn [ 87.060646][ T5165] CPU: 0 PID: 5165 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 87.071057][ T5165] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 87.081534][ T5165] Call Trace: [ 87.084801][ T5165] [ 87.087889][ T5165] dump_stack_lvl+0x1e7/0x2d0 [ 87.092560][ T5165] ? nf_tcp_handle_invalid+0x650/0x650 [ 87.098002][ T5165] ? panic+0x770/0x770 [ 87.102064][ T5165] gfs2_withdraw+0xc94/0x11e0 [ 87.106737][ T5165] gfs2_dirent_scan+0x512/0x640 [ 87.111668][ T5165] ? gfs2_permission+0x268/0x3c0 [ 87.116598][ T5165] ? gfs2_dirent_search+0x8c0/0x8c0 [ 87.121799][ T5165] gfs2_dirent_search+0x30e/0x8c0 [ 87.126905][ T5165] ? gfs2_dirent_search+0x8c0/0x8c0 [ 87.132099][ T5165] ? generic_permission+0x1df/0x550 [ 87.137379][ T5165] ? gfs2_dir_search+0x2f0/0x2f0 [ 87.142314][ T5165] ? gfs2_permission+0x34a/0x3c0 [ 87.147251][ T5165] gfs2_dir_search+0xb2/0x2f0 [ 87.151926][ T5165] ? do_filldir_main+0x520/0x520 [ 87.156860][ T5165] ? inode_go_held+0xea/0x200 [ 87.161536][ T5165] ? gfs2_glock_wait+0x21a/0x2b0 [ 87.166572][ T5165] gfs2_lookupi+0x460/0x5d0 [ 87.171168][ T5165] ? gfs2_lookup_simple+0x180/0x180 [ 87.176363][ T5165] ? __gfs2_lookup+0xa4/0x270 [ 87.181130][ T5165] __gfs2_lookup+0xa4/0x270 [ 87.185625][ T5165] ? gfs2_atomic_open+0x230/0x230 [ 87.190645][ T5165] ? __d_lookup+0x675/0x730 [ 87.195236][ T5165] ? d_hash_and_lookup+0x1b0/0x1b0 [ 87.200343][ T5165] gfs2_atomic_open+0x9e/0x230 [ 87.205109][ T5165] path_openat+0x1044/0x3180 [ 87.209701][ T5165] ? gfs2_rename2+0x25a0/0x25a0 [ 87.214558][ T5165] ? do_filp_open+0x490/0x490 [ 87.219333][ T5165] do_filp_open+0x234/0x490 [ 87.223835][ T5165] ? vfs_tmpfile+0x4b0/0x4b0 [ 87.228434][ T5165] ? _raw_spin_unlock+0x28/0x40 [ 87.233289][ T5165] ? alloc_fd+0x59c/0x640 [ 87.237622][ T5165] do_sys_openat2+0x13e/0x1d0 [ 87.242298][ T5165] ? do_sys_open+0x230/0x230 [ 87.247062][ T5165] ? lockdep_hardirqs_on+0x98/0x140 [ 87.252270][ T5165] ? _raw_spin_unlock_irq+0x2e/0x50 [ 87.257462][ T5165] ? ptrace_notify+0x278/0x380 [ 87.262228][ T5165] __x64_sys_open+0x225/0x270 [ 87.266907][ T5165] ? do_sys_openat2+0x1d0/0x1d0 [ 87.271755][ T5165] ? syscall_enter_from_user_mode+0x32/0x230 [ 87.277743][ T5165] ? syscall_enter_from_user_mode+0x8c/0x230 [ 87.284009][ T5165] do_syscall_64+0x41/0xc0 [ 87.288506][ T5165] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 87.294425][ T5165] RIP: 0033:0x7f012f71fa59 [ 87.298840][ T5165] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 87.318533][ T5165] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 87.327045][ T5165] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 87.335010][ T5165] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5167] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5165] <... open resumed>) = -1 EIO (Input/output error) [pid 5165] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5165] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5164] exit_group(0) = ? [pid 5165] <... futex resumed>) = ? [pid 5165] +++ exited with 0 +++ [pid 5167] <... futex resumed>) = ? [pid 5167] +++ exited with 0 +++ [pid 5164] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5164, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=29 /* 0.29 s */} --- umount2("./35", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./35/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./35/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./35/binderfs") = 0 [ 87.343032][ T5165] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 87.351004][ T5165] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 87.358977][ T5165] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 87.366961][ T5165] umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./35/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./35/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./35") = 0 mkdir("./36", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5168 ./strace-static-x86_64: Process 5168 attached [pid 5168] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5168] chdir("./36") = 0 [pid 5168] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5168] setpgid(0, 0) = 0 [pid 5168] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5168] write(3, "1000", 4) = 4 [pid 5168] close(3) = 0 [pid 5168] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5168] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5168] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5168] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5168] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5168] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5168] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5169 attached => {parent_tid=[5169]}, 88) = 5169 [pid 5169] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5168] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5168] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5169] <... rseq resumed>) = 0 [pid 5169] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5169] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5169] memfd_create("syzkaller", 0) = 3 [pid 5169] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5169] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5169] munmap(0x7f01272bc000, 16777216) = 0 [pid 5169] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5169] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5169] close(3) = 0 [pid 5169] mkdir("./file0", 0777) = 0 [ 87.678031][ T5169] loop0: detected capacity change from 0 to 32768 [ 87.690245][ T5169] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 87.698687][ T5169] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 87.707985][ T5169] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 87.716493][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 87.723532][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5169] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5169] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5169] chdir("./file0") = 0 [pid 5169] ioctl(4, LOOP_CLR_FD) = 0 [pid 5169] close(4) = 0 [pid 5169] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5168] <... futex resumed>) = 0 [pid 5168] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5169] <... futex resumed>) = 1 [ 87.757719][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 87.766613][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 87.772396][ T5169] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 87.787028][ T5169] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 87.795854][ T5169] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 87.795854][ T5169] inode = 12 2341 [pid 5169] open("./file0", O_RDWR [pid 5168] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5168] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5168] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5168] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5168] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5171]}, 88) = 5171 [pid 5168] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5168] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5171 attached [pid 5171] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5171] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5171] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5171] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5171] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5168] <... futex resumed>) = 0 [pid 5168] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5171] <... futex resumed>) = 1 [pid 5171] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5171] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5168] <... futex resumed>) = 0 [pid 5171] <... futex resumed>) = 1 [ 87.795854][ T5169] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 87.814997][ T5169] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 87.824571][ T5169] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5169 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 87.834961][ T5169] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 87.844281][ T5169] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 87.851861][ T5169] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 87.861126][ T5169] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 87.868660][ T5169] gfs2: fsid=syz:syz.0: File system withdrawn [ 87.874870][ T5169] CPU: 0 PID: 5169 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 87.885291][ T5169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 87.895424][ T5169] Call Trace: [ 87.898703][ T5169] [ 87.901645][ T5169] dump_stack_lvl+0x1e7/0x2d0 [ 87.906351][ T5169] ? nf_tcp_handle_invalid+0x650/0x650 [ 87.911815][ T5169] ? panic+0x770/0x770 [ 87.915972][ T5169] gfs2_withdraw+0xc94/0x11e0 [ 87.920669][ T5169] gfs2_dirent_scan+0x512/0x640 [ 87.925533][ T5169] ? gfs2_permission+0x268/0x3c0 [ 87.930484][ T5169] ? gfs2_dirent_search+0x8c0/0x8c0 [ 87.935686][ T5169] gfs2_dirent_search+0x30e/0x8c0 [ 87.940789][ T5169] ? gfs2_dirent_search+0x8c0/0x8c0 [ 87.945983][ T5169] ? generic_permission+0x1df/0x550 [ 87.951182][ T5169] ? gfs2_dir_search+0x2f0/0x2f0 [ 87.956115][ T5169] ? gfs2_permission+0x34a/0x3c0 [ 87.961135][ T5169] gfs2_dir_search+0xb2/0x2f0 [ 87.965895][ T5169] ? do_filldir_main+0x520/0x520 [ 87.970830][ T5169] ? inode_go_held+0xea/0x200 [ 87.975504][ T5169] ? gfs2_glock_wait+0x21a/0x2b0 [ 87.980435][ T5169] gfs2_lookupi+0x460/0x5d0 [ 87.984934][ T5169] ? gfs2_lookup_simple+0x180/0x180 [ 87.990127][ T5169] ? __gfs2_lookup+0xa4/0x270 [ 87.994800][ T5169] __gfs2_lookup+0xa4/0x270 [ 87.999309][ T5169] ? gfs2_atomic_open+0x230/0x230 [ 88.004507][ T5169] ? __d_lookup+0x675/0x730 [ 88.009001][ T5169] ? d_hash_and_lookup+0x1b0/0x1b0 [ 88.014191][ T5169] gfs2_atomic_open+0x9e/0x230 [ 88.018951][ T5169] path_openat+0x1044/0x3180 [ 88.023539][ T5169] ? gfs2_rename2+0x25a0/0x25a0 [ 88.028410][ T5169] ? do_filp_open+0x490/0x490 [ 88.033106][ T5169] do_filp_open+0x234/0x490 [ 88.037637][ T5169] ? vfs_tmpfile+0x4b0/0x4b0 [ 88.042271][ T5169] ? _raw_spin_unlock+0x28/0x40 [ 88.047139][ T5169] ? alloc_fd+0x59c/0x640 [ 88.051476][ T5169] do_sys_openat2+0x13e/0x1d0 [ 88.056238][ T5169] ? do_sys_open+0x230/0x230 [ 88.060830][ T5169] ? lockdep_hardirqs_on+0x98/0x140 [ 88.066025][ T5169] ? _raw_spin_unlock_irq+0x2e/0x50 [ 88.071218][ T5169] ? ptrace_notify+0x278/0x380 [ 88.075995][ T5169] __x64_sys_open+0x225/0x270 [ 88.080671][ T5169] ? do_sys_openat2+0x1d0/0x1d0 [ 88.085519][ T5169] ? syscall_enter_from_user_mode+0x32/0x230 [ 88.091526][ T5169] ? syscall_enter_from_user_mode+0x8c/0x230 [ 88.097791][ T5169] do_syscall_64+0x41/0xc0 [ 88.102215][ T5169] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 88.108112][ T5169] RIP: 0033:0x7f012f71fa59 [ 88.112524][ T5169] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 88.132513][ T5169] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 88.140938][ T5169] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 88.149015][ T5169] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5171] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5169] <... open resumed>) = -1 EIO (Input/output error) [pid 5169] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5169] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5168] exit_group(0 [pid 5169] <... futex resumed>) = ? [pid 5168] <... exit_group resumed>) = ? [pid 5171] <... futex resumed>) = ? [pid 5169] +++ exited with 0 +++ [pid 5171] +++ exited with 0 +++ [pid 5168] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5168, si_uid=0, si_status=0, si_utime=0, si_stime=35 /* 0.35 s */} --- umount2("./36", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./36", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./36/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./36/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./36/binderfs") = 0 [ 88.157070][ T5169] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 88.165121][ T5169] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 88.173083][ T5169] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 88.181147][ T5169] umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./36/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./36/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./36/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./36") = 0 mkdir("./37", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5172 ./strace-static-x86_64: Process 5172 attached [pid 5172] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5172] chdir("./37") = 0 [pid 5172] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5172] setpgid(0, 0) = 0 [pid 5172] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5172] write(3, "1000", 4) = 4 [pid 5172] close(3) = 0 [pid 5172] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5172] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5172] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5172] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5172] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5172] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5172] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5172] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5173]}, 88) = 5173 [pid 5172] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5172] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5172] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5173 attached [pid 5173] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5173] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5173] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5173] memfd_create("syzkaller", 0) = 3 [pid 5173] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5173] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5173] munmap(0x7f01272bc000, 16777216) = 0 [pid 5173] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5173] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5173] close(3) = 0 [pid 5173] mkdir("./file0", 0777) = 0 [ 88.489710][ T5173] loop0: detected capacity change from 0 to 32768 [ 88.501490][ T5173] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 88.510262][ T5173] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 88.519785][ T5173] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 88.528235][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 88.535358][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5173] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5173] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5173] chdir("./file0") = 0 [pid 5173] ioctl(4, LOOP_CLR_FD) = 0 [pid 5173] close(4) = 0 [pid 5173] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5172] <... futex resumed>) = 0 [pid 5172] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5173] open("./file0", O_RDWR [ 88.571765][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 88.579335][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 88.584607][ T5173] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 88.604780][ T5173] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 88.614063][ T5173] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5172] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5172] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5172] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5172] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5172] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5172] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5175]}, 88) = 5175 [pid 5172] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5172] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5172] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5175 attached [ 88.614063][ T5173] inode = 12 2341 [ 88.614063][ T5173] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 88.633498][ T5173] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 88.642693][ T5173] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5173 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 88.653166][ T5173] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 88.661967][ T5173] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5175] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5175] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5175] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5175] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5175] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5172] <... futex resumed>) = 0 [pid 5172] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5172] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5175] <... futex resumed>) = 1 [pid 5175] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5175] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5172] <... futex resumed>) = 0 [pid 5175] <... futex resumed>) = 1 [ 88.669212][ T5173] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 88.678036][ T5173] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 88.688966][ T5173] gfs2: fsid=syz:syz.0: File system withdrawn [ 88.695281][ T5173] CPU: 0 PID: 5173 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 88.705722][ T5173] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 88.715819][ T5173] Call Trace: [ 88.719101][ T5173] [ 88.722027][ T5173] dump_stack_lvl+0x1e7/0x2d0 [ 88.726798][ T5173] ? nf_tcp_handle_invalid+0x650/0x650 [ 88.732274][ T5173] ? panic+0x770/0x770 [ 88.736381][ T5173] gfs2_withdraw+0xc94/0x11e0 [ 88.741074][ T5173] gfs2_dirent_scan+0x512/0x640 [ 88.745924][ T5173] ? gfs2_permission+0x268/0x3c0 [ 88.750887][ T5173] ? gfs2_dirent_search+0x8c0/0x8c0 [ 88.756174][ T5173] gfs2_dirent_search+0x30e/0x8c0 [ 88.761202][ T5173] ? gfs2_dirent_search+0x8c0/0x8c0 [ 88.766408][ T5173] ? generic_permission+0x1df/0x550 [pid 5175] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5172] exit_group(0 [pid 5175] <... futex resumed>) = ? [pid 5172] <... exit_group resumed>) = ? [pid 5175] +++ exited with 0 +++ [ 88.771600][ T5173] ? gfs2_dir_search+0x2f0/0x2f0 [ 88.776641][ T5173] ? gfs2_permission+0x34a/0x3c0 [ 88.781699][ T5173] gfs2_dir_search+0xb2/0x2f0 [ 88.786493][ T5173] ? do_filldir_main+0x520/0x520 [ 88.791782][ T5173] ? inode_go_held+0xea/0x200 [ 88.796473][ T5173] ? gfs2_glock_wait+0x21a/0x2b0 [ 88.801420][ T5173] gfs2_lookupi+0x460/0x5d0 [ 88.805924][ T5173] ? gfs2_lookup_simple+0x180/0x180 [ 88.811121][ T5173] ? __gfs2_lookup+0xa4/0x270 [ 88.815799][ T5173] __gfs2_lookup+0xa4/0x270 [ 88.820317][ T5173] ? gfs2_atomic_open+0x230/0x230 [ 88.825441][ T5173] ? __d_lookup+0x675/0x730 [ 88.829954][ T5173] ? d_hash_and_lookup+0x1b0/0x1b0 [ 88.835079][ T5173] gfs2_atomic_open+0x9e/0x230 [ 88.839839][ T5173] path_openat+0x1044/0x3180 [ 88.844427][ T5173] ? gfs2_rename2+0x25a0/0x25a0 [ 88.849310][ T5173] ? do_filp_open+0x490/0x490 [ 88.853995][ T5173] do_filp_open+0x234/0x490 [ 88.858501][ T5173] ? vfs_tmpfile+0x4b0/0x4b0 [ 88.863105][ T5173] ? _raw_spin_unlock+0x28/0x40 [ 88.867956][ T5173] ? alloc_fd+0x59c/0x640 [ 88.872327][ T5173] do_sys_openat2+0x13e/0x1d0 [ 88.877028][ T5173] ? do_sys_open+0x230/0x230 [ 88.881628][ T5173] ? lockdep_hardirqs_on+0x98/0x140 [ 88.886839][ T5173] ? _raw_spin_unlock_irq+0x2e/0x50 [ 88.892037][ T5173] ? ptrace_notify+0x278/0x380 [ 88.896823][ T5173] __x64_sys_open+0x225/0x270 [ 88.901529][ T5173] ? do_sys_openat2+0x1d0/0x1d0 [ 88.906383][ T5173] ? syscall_enter_from_user_mode+0x32/0x230 [ 88.912375][ T5173] ? syscall_enter_from_user_mode+0x8c/0x230 [ 88.918356][ T5173] do_syscall_64+0x41/0xc0 [ 88.922842][ T5173] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 88.928743][ T5173] RIP: 0033:0x7f012f71fa59 [ 88.933150][ T5173] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 88.952753][ T5173] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 88.961166][ T5173] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5173] <... open resumed>) = ? [pid 5173] +++ exited with 0 +++ [pid 5172] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5172, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=28 /* 0.28 s */} --- umount2("./37", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./37", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./37/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./37/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./37/binderfs") = 0 [ 88.969148][ T5173] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 88.977232][ T5173] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 88.985211][ T5173] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 88.993176][ T5173] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 89.001164][ T5173] umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./37/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./37/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./37/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./37") = 0 mkdir("./38", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5176 ./strace-static-x86_64: Process 5176 attached [pid 5176] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5176] chdir("./38") = 0 [pid 5176] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5176] setpgid(0, 0) = 0 [pid 5176] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5176] write(3, "1000", 4) = 4 [pid 5176] close(3) = 0 [pid 5176] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5176] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5176] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5176] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5176] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5176] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5176] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5176] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5177]}, 88) = 5177 [pid 5176] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5176] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5176] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5177 attached [pid 5177] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5177] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5177] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5177] memfd_create("syzkaller", 0) = 3 [pid 5177] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5177] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5177] munmap(0x7f01272bc000, 16777216) = 0 [pid 5177] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5177] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5177] close(3) = 0 [pid 5177] mkdir("./file0", 0777) = 0 [ 89.305371][ T5177] loop0: detected capacity change from 0 to 32768 [ 89.318855][ T5177] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 89.327530][ T5177] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 89.337717][ T5177] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 89.346166][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 89.353329][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5177] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5177] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5177] chdir("./file0") = 0 [pid 5177] ioctl(4, LOOP_CLR_FD) = 0 [pid 5177] close(4) = 0 [pid 5177] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5176] <... futex resumed>) = 0 [pid 5176] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5176] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5177] <... futex resumed>) = 1 [ 89.388449][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 89.397469][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 89.403153][ T5177] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 89.418379][ T5177] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 89.427170][ T5177] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 89.427170][ T5177] inode = 12 2341 [pid 5177] open("./file0", O_RDWR [pid 5176] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 89.427170][ T5177] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 89.445944][ T5177] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 89.455091][ T5177] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5177 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 89.465201][ T5177] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 89.473750][ T5177] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5176] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5176] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5176] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5176] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5176] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5179]}, 88) = 5179 [pid 5176] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5176] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5176] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5179 attached [pid 5179] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5179] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5179] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5179] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5179] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5176] <... futex resumed>) = 0 [pid 5176] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5176] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5179] <... futex resumed>) = 1 [pid 5179] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5179] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5176] <... futex resumed>) = 0 [pid 5179] <... futex resumed>) = 1 [ 89.481360][ T5177] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 89.490673][ T5177] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 89.497675][ T5177] gfs2: fsid=syz:syz.0: File system withdrawn [ 89.503882][ T5177] CPU: 1 PID: 5177 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 89.514324][ T5177] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 89.524392][ T5177] Call Trace: [ 89.527672][ T5177] [ 89.530870][ T5177] dump_stack_lvl+0x1e7/0x2d0 [ 89.535583][ T5177] ? nf_tcp_handle_invalid+0x650/0x650 [ 89.541062][ T5177] ? panic+0x770/0x770 [ 89.545135][ T5177] gfs2_withdraw+0xc94/0x11e0 [ 89.549818][ T5177] gfs2_dirent_scan+0x512/0x640 [ 89.554674][ T5177] ? gfs2_permission+0x268/0x3c0 [ 89.559617][ T5177] ? gfs2_dirent_search+0x8c0/0x8c0 [ 89.565036][ T5177] gfs2_dirent_search+0x30e/0x8c0 [ 89.570060][ T5177] ? gfs2_dirent_search+0x8c0/0x8c0 [ 89.575276][ T5177] ? generic_permission+0x1df/0x550 [ 89.580495][ T5177] ? gfs2_dir_search+0x2f0/0x2f0 [ 89.585446][ T5177] ? gfs2_permission+0x34a/0x3c0 [ 89.590392][ T5177] gfs2_dir_search+0xb2/0x2f0 [ 89.595080][ T5177] ? do_filldir_main+0x520/0x520 [ 89.600032][ T5177] ? inode_go_held+0xea/0x200 [ 89.604726][ T5177] ? gfs2_glock_wait+0x21a/0x2b0 [ 89.609686][ T5177] gfs2_lookupi+0x460/0x5d0 [ 89.614200][ T5177] ? gfs2_lookup_simple+0x180/0x180 [ 89.619397][ T5177] ? __gfs2_lookup+0xa4/0x270 [ 89.624076][ T5177] __gfs2_lookup+0xa4/0x270 [ 89.628578][ T5177] ? gfs2_atomic_open+0x230/0x230 [ 89.633614][ T5177] ? __d_lookup+0x675/0x730 [ 89.638111][ T5177] ? d_hash_and_lookup+0x1b0/0x1b0 [ 89.643483][ T5177] gfs2_atomic_open+0x9e/0x230 [ 89.648244][ T5177] path_openat+0x1044/0x3180 [ 89.652836][ T5177] ? gfs2_rename2+0x25a0/0x25a0 [ 89.657698][ T5177] ? do_filp_open+0x490/0x490 [ 89.662387][ T5177] do_filp_open+0x234/0x490 [ 89.666886][ T5177] ? vfs_tmpfile+0x4b0/0x4b0 [ 89.671485][ T5177] ? _raw_spin_unlock+0x28/0x40 [ 89.676330][ T5177] ? alloc_fd+0x59c/0x640 [ 89.680667][ T5177] do_sys_openat2+0x13e/0x1d0 [ 89.685344][ T5177] ? do_sys_open+0x230/0x230 [ 89.689977][ T5177] ? lockdep_hardirqs_on+0x98/0x140 [ 89.695173][ T5177] ? _raw_spin_unlock_irq+0x2e/0x50 [ 89.700368][ T5177] ? ptrace_notify+0x278/0x380 [ 89.705132][ T5177] __x64_sys_open+0x225/0x270 [ 89.709818][ T5177] ? do_sys_openat2+0x1d0/0x1d0 [ 89.714670][ T5177] ? syscall_enter_from_user_mode+0x32/0x230 [ 89.720649][ T5177] ? syscall_enter_from_user_mode+0x8c/0x230 [ 89.726625][ T5177] do_syscall_64+0x41/0xc0 [ 89.731049][ T5177] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 89.736940][ T5177] RIP: 0033:0x7f012f71fa59 [ 89.741350][ T5177] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 89.760977][ T5177] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 89.769404][ T5177] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 89.777394][ T5177] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5179] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5177] <... open resumed>) = -1 EIO (Input/output error) [pid 5177] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5177] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5176] exit_group(0 [pid 5177] <... futex resumed>) = ? [pid 5177] +++ exited with 0 +++ [pid 5176] <... exit_group resumed>) = ? [pid 5179] <... futex resumed>) = ? [pid 5179] +++ exited with 0 +++ [pid 5176] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5176, si_uid=0, si_status=0, si_utime=0, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./38/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./38/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./38/binderfs") = 0 [ 89.785361][ T5177] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 89.793324][ T5177] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 89.801290][ T5177] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 89.809272][ T5177] umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./38/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./38/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./38") = 0 mkdir("./39", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5180 ./strace-static-x86_64: Process 5180 attached [pid 5180] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5180] chdir("./39") = 0 [pid 5180] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5180] setpgid(0, 0) = 0 [pid 5180] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5180] write(3, "1000", 4) = 4 [pid 5180] close(3) = 0 [pid 5180] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5180] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5180] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5180] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5180] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5180] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5180] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5181 attached [pid 5181] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5180] <... clone3 resumed> => {parent_tid=[5181]}, 88) = 5181 [pid 5181] <... rseq resumed>) = 0 [pid 5180] rt_sigprocmask(SIG_SETMASK, [], [pid 5181] set_robust_list(0x7f012f6dc9a0, 24 [pid 5180] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5181] <... set_robust_list resumed>) = 0 [pid 5180] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5181] rt_sigprocmask(SIG_SETMASK, [], [pid 5180] <... futex resumed>) = 0 [pid 5181] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5180] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5181] memfd_create("syzkaller", 0) = 3 [pid 5181] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5181] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5181] munmap(0x7f01272bc000, 16777216) = 0 [pid 5181] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5181] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5181] close(3) = 0 [pid 5181] mkdir("./file0", 0777) = 0 [ 90.130492][ T5181] loop0: detected capacity change from 0 to 32768 [ 90.141095][ T5181] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 90.149543][ T5181] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 90.158673][ T5181] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 90.167222][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 90.174207][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5181] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5181] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5181] chdir("./file0") = 0 [pid 5181] ioctl(4, LOOP_CLR_FD) = 0 [pid 5181] close(4) = 0 [pid 5181] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5180] <... futex resumed>) = 0 [pid 5181] open("./file0", O_RDWR [pid 5180] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 90.208693][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 90.217124][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 90.222463][ T5181] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 90.234818][ T5181] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 90.243880][ T5181] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 90.243880][ T5181] inode = 12 2341 [pid 5180] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5180] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5180] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5180] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5180] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5180] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5183]}, 88) = 5183 [pid 5180] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5180] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5183 attached [pid 5183] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5183] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5183] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5183] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5183] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5180] <... futex resumed>) = 0 [pid 5180] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5183] <... futex resumed>) = 1 [pid 5183] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5183] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5180] <... futex resumed>) = 0 [pid 5183] <... futex resumed>) = 1 [ 90.243880][ T5181] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 90.262717][ T5181] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 90.272654][ T5181] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5181 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 90.283214][ T5181] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 90.292440][ T5181] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 90.300072][ T5181] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 90.308908][ T5181] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 90.315669][ T5181] gfs2: fsid=syz:syz.0: File system withdrawn [ 90.322273][ T5181] CPU: 0 PID: 5181 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 90.332710][ T5181] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 90.342854][ T5181] Call Trace: [ 90.346129][ T5181] [ 90.349054][ T5181] dump_stack_lvl+0x1e7/0x2d0 [ 90.353754][ T5181] ? nf_tcp_handle_invalid+0x650/0x650 [ 90.359403][ T5181] ? panic+0x770/0x770 [ 90.363503][ T5181] gfs2_withdraw+0xc94/0x11e0 [ 90.368194][ T5181] gfs2_dirent_scan+0x512/0x640 [ 90.373055][ T5181] ? gfs2_permission+0x268/0x3c0 [ 90.378015][ T5181] ? gfs2_dirent_search+0x8c0/0x8c0 [ 90.383228][ T5181] gfs2_dirent_search+0x30e/0x8c0 [ 90.388263][ T5181] ? gfs2_dirent_search+0x8c0/0x8c0 [ 90.393472][ T5181] ? generic_permission+0x1df/0x550 [ 90.398665][ T5181] ? gfs2_dir_search+0x2f0/0x2f0 [ 90.403694][ T5181] ? gfs2_permission+0x34a/0x3c0 [pid 5183] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5180] exit_group(0 [pid 5183] <... futex resumed>) = ? [pid 5180] <... exit_group resumed>) = ? [pid 5183] +++ exited with 0 +++ [ 90.408657][ T5181] gfs2_dir_search+0xb2/0x2f0 [ 90.413345][ T5181] ? do_filldir_main+0x520/0x520 [ 90.418293][ T5181] ? inode_go_held+0xea/0x200 [ 90.422984][ T5181] ? gfs2_glock_wait+0x21a/0x2b0 [ 90.427937][ T5181] gfs2_lookupi+0x460/0x5d0 [ 90.432451][ T5181] ? gfs2_lookup_simple+0x180/0x180 [ 90.437768][ T5181] ? __gfs2_lookup+0xa4/0x270 [ 90.442479][ T5181] __gfs2_lookup+0xa4/0x270 [ 90.447015][ T5181] ? gfs2_atomic_open+0x230/0x230 [ 90.452058][ T5181] ? __d_lookup+0x675/0x730 [ 90.456567][ T5181] ? d_hash_and_lookup+0x1b0/0x1b0 [ 90.461694][ T5181] gfs2_atomic_open+0x9e/0x230 [ 90.466459][ T5181] path_openat+0x1044/0x3180 [ 90.471140][ T5181] ? gfs2_rename2+0x25a0/0x25a0 [ 90.476005][ T5181] ? do_filp_open+0x490/0x490 [ 90.480683][ T5181] do_filp_open+0x234/0x490 [ 90.485190][ T5181] ? vfs_tmpfile+0x4b0/0x4b0 [ 90.489802][ T5181] ? _raw_spin_unlock+0x28/0x40 [ 90.494663][ T5181] ? alloc_fd+0x59c/0x640 [ 90.499109][ T5181] do_sys_openat2+0x13e/0x1d0 [ 90.503808][ T5181] ? do_sys_open+0x230/0x230 [ 90.508395][ T5181] ? lockdep_hardirqs_on+0x98/0x140 [ 90.513592][ T5181] ? _raw_spin_unlock_irq+0x2e/0x50 [ 90.518968][ T5181] ? ptrace_notify+0x278/0x380 [ 90.523743][ T5181] __x64_sys_open+0x225/0x270 [ 90.528439][ T5181] ? do_sys_openat2+0x1d0/0x1d0 [ 90.533308][ T5181] ? syscall_enter_from_user_mode+0x32/0x230 [ 90.539321][ T5181] ? syscall_enter_from_user_mode+0x8c/0x230 [ 90.545308][ T5181] do_syscall_64+0x41/0xc0 [ 90.549735][ T5181] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 90.555742][ T5181] RIP: 0033:0x7f012f71fa59 [ 90.560152][ T5181] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 90.579771][ T5181] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 90.588207][ T5181] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 90.596186][ T5181] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5181] <... open resumed>) = ? [pid 5181] +++ exited with 0 +++ [pid 5180] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5180, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./39", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./39/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./39/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./39/binderfs") = 0 [ 90.604179][ T5181] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 90.612160][ T5181] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 90.620302][ T5181] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 90.628281][ T5181] umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./39/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./39/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./39") = 0 mkdir("./40", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5184 ./strace-static-x86_64: Process 5184 attached [pid 5184] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5184] chdir("./40") = 0 [pid 5184] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5184] setpgid(0, 0) = 0 [pid 5184] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5184] write(3, "1000", 4) = 4 [pid 5184] close(3) = 0 [pid 5184] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5184] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5184] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5184] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5184] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5184] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5184] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5185]}, 88) = 5185 [pid 5184] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5184] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5185 attached [pid 5185] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5185] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5185] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5185] memfd_create("syzkaller", 0) = 3 [pid 5185] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5185] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5185] munmap(0x7f01272bc000, 16777216) = 0 [pid 5185] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5185] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5185] close(3) = 0 [pid 5185] mkdir("./file0", 0777) = 0 [ 90.934165][ T5185] loop0: detected capacity change from 0 to 32768 [ 90.945777][ T5185] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 90.954453][ T5185] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 90.964446][ T5185] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 90.973164][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 90.980240][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5185] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5185] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5185] chdir("./file0") = 0 [pid 5185] ioctl(4, LOOP_CLR_FD) = 0 [pid 5185] close(4) = 0 [pid 5185] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5184] <... futex resumed>) = 0 [pid 5184] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5185] open("./file0", O_RDWR [pid 5184] <... futex resumed>) = 0 [ 91.016276][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 91.023805][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 91.029057][ T5185] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 91.043498][ T5185] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 91.052890][ T5185] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 91.052890][ T5185] inode = 12 2341 [pid 5184] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5184] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5184] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5184] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5184] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5187]}, 88) = 5187 [ 91.052890][ T5185] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 91.072218][ T5185] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 91.082303][ T5185] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5185 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 91.092450][ T5185] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 91.100935][ T5185] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 91.108284][ T5185] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5184] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5184] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5187 attached [pid 5187] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5187] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5187] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5187] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5187] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5184] <... futex resumed>) = 0 [pid 5184] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5187] <... futex resumed>) = 1 [pid 5187] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5187] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5184] <... futex resumed>) = 0 [pid 5187] <... futex resumed>) = 1 [ 91.117326][ T5185] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 91.125776][ T5185] gfs2: fsid=syz:syz.0: File system withdrawn [ 91.131950][ T5185] CPU: 0 PID: 5185 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 91.142386][ T5185] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 91.152469][ T5185] Call Trace: [ 91.155758][ T5185] [ 91.158694][ T5185] dump_stack_lvl+0x1e7/0x2d0 [ 91.163405][ T5185] ? nf_tcp_handle_invalid+0x650/0x650 [ 91.168938][ T5185] ? panic+0x770/0x770 [ 91.173019][ T5185] gfs2_withdraw+0xc94/0x11e0 [ 91.177739][ T5185] gfs2_dirent_scan+0x512/0x640 [ 91.182607][ T5185] ? gfs2_permission+0x268/0x3c0 [ 91.187552][ T5185] ? gfs2_dirent_search+0x8c0/0x8c0 [ 91.192775][ T5185] gfs2_dirent_search+0x30e/0x8c0 [ 91.197902][ T5185] ? gfs2_dirent_search+0x8c0/0x8c0 [ 91.203113][ T5185] ? generic_permission+0x1df/0x550 [ 91.208318][ T5185] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5187] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5184] exit_group(0 [pid 5187] <... futex resumed>) = ? [pid 5184] <... exit_group resumed>) = ? [pid 5187] +++ exited with 0 +++ [ 91.213276][ T5185] ? gfs2_permission+0x34a/0x3c0 [ 91.218216][ T5185] gfs2_dir_search+0xb2/0x2f0 [ 91.222896][ T5185] ? do_filldir_main+0x520/0x520 [ 91.227851][ T5185] ? inode_go_held+0xea/0x200 [ 91.232622][ T5185] ? gfs2_glock_wait+0x21a/0x2b0 [ 91.237564][ T5185] gfs2_lookupi+0x460/0x5d0 [ 91.242191][ T5185] ? gfs2_lookup_simple+0x180/0x180 [ 91.247399][ T5185] ? __gfs2_lookup+0xa4/0x270 [ 91.252075][ T5185] __gfs2_lookup+0xa4/0x270 [ 91.256585][ T5185] ? gfs2_atomic_open+0x230/0x230 [ 91.261642][ T5185] ? __d_lookup+0x675/0x730 [ 91.266246][ T5185] ? d_hash_and_lookup+0x1b0/0x1b0 [ 91.271375][ T5185] gfs2_atomic_open+0x9e/0x230 [ 91.276153][ T5185] path_openat+0x1044/0x3180 [ 91.280768][ T5185] ? gfs2_rename2+0x25a0/0x25a0 [ 91.285646][ T5185] ? do_filp_open+0x490/0x490 [ 91.290349][ T5185] do_filp_open+0x234/0x490 [ 91.294875][ T5185] ? vfs_tmpfile+0x4b0/0x4b0 [ 91.299491][ T5185] ? _raw_spin_unlock+0x28/0x40 [ 91.304355][ T5185] ? alloc_fd+0x59c/0x640 [ 91.308681][ T5185] do_sys_openat2+0x13e/0x1d0 [ 91.313356][ T5185] ? do_sys_open+0x230/0x230 [ 91.317939][ T5185] ? lockdep_hardirqs_on+0x98/0x140 [ 91.323130][ T5185] ? _raw_spin_unlock_irq+0x2e/0x50 [ 91.328321][ T5185] ? ptrace_notify+0x278/0x380 [ 91.333077][ T5185] __x64_sys_open+0x225/0x270 [ 91.337755][ T5185] ? do_sys_openat2+0x1d0/0x1d0 [ 91.342602][ T5185] ? syscall_enter_from_user_mode+0x32/0x230 [ 91.348590][ T5185] ? syscall_enter_from_user_mode+0x8c/0x230 [ 91.354575][ T5185] do_syscall_64+0x41/0xc0 [ 91.358987][ T5185] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 91.364887][ T5185] RIP: 0033:0x7f012f71fa59 [ 91.369319][ T5185] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 91.388934][ T5185] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 91.397352][ T5185] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 91.405333][ T5185] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5185] <... open resumed>) = ? [pid 5185] +++ exited with 0 +++ [pid 5184] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5184, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=29 /* 0.29 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./40", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./40/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./40/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./40/binderfs") = 0 [ 91.413298][ T5185] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 91.421265][ T5185] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 91.429586][ T5185] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 91.437564][ T5185] umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./40/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./40/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./40") = 0 mkdir("./41", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5188 ./strace-static-x86_64: Process 5188 attached [pid 5188] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5188] chdir("./41") = 0 [pid 5188] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5188] setpgid(0, 0) = 0 [pid 5188] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5188] write(3, "1000", 4) = 4 [pid 5188] close(3) = 0 [pid 5188] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5188] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5188] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5188] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5188] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5188] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5188] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5188] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5189 attached => {parent_tid=[5189]}, 88) = 5189 [pid 5188] rt_sigprocmask(SIG_SETMASK, [], [pid 5189] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5188] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5188] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5189] set_robust_list(0x7f012f6dc9a0, 24 [pid 5188] <... futex resumed>) = 0 [pid 5189] <... set_robust_list resumed>) = 0 [pid 5188] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5189] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5189] memfd_create("syzkaller", 0) = 3 [pid 5189] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5189] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5189] munmap(0x7f01272bc000, 16777216) = 0 [pid 5189] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5189] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5189] close(3) = 0 [pid 5189] mkdir("./file0", 0777) = 0 [ 91.747901][ T5189] loop0: detected capacity change from 0 to 32768 [ 91.760096][ T5189] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 91.768578][ T5189] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 91.779107][ T5189] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 91.788123][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 91.795466][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5189] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5189] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5189] chdir("./file0") = 0 [pid 5189] ioctl(4, LOOP_CLR_FD) = 0 [pid 5189] close(4) = 0 [pid 5189] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5188] <... futex resumed>) = 0 [pid 5188] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5188] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5189] <... futex resumed>) = 1 [ 91.828648][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 91.836363][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 91.841884][ T5189] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 91.855994][ T5189] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 91.864846][ T5189] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 91.864846][ T5189] inode = 12 2341 [pid 5189] open("./file0", O_RDWR [pid 5188] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5188] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5188] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5188] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5188] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5188] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5188] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5191]}, 88) = 5191 [pid 5188] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5188] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5188] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5191 attached [pid 5191] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5191] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5191] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5191] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5191] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5188] <... futex resumed>) = 0 [pid 5188] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5188] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5191] <... futex resumed>) = 1 [pid 5191] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5191] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5188] <... futex resumed>) = 0 [pid 5191] <... futex resumed>) = 1 [ 91.864846][ T5189] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 91.883663][ T5189] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 91.893101][ T5189] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5189 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 91.903759][ T5189] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 91.912767][ T5189] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 91.920657][ T5189] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 91.929778][ T5189] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 91.936624][ T5189] gfs2: fsid=syz:syz.0: File system withdrawn [ 91.942870][ T5189] CPU: 0 PID: 5189 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 91.953384][ T5189] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 91.963439][ T5189] Call Trace: [ 91.966730][ T5189] [ 91.969665][ T5189] dump_stack_lvl+0x1e7/0x2d0 [ 91.974356][ T5189] ? nf_tcp_handle_invalid+0x650/0x650 [ 91.979811][ T5189] ? panic+0x770/0x770 [ 91.983908][ T5189] gfs2_withdraw+0xc94/0x11e0 [ 91.988606][ T5189] gfs2_dirent_scan+0x512/0x640 [ 91.993478][ T5189] ? gfs2_permission+0x268/0x3c0 [ 91.998436][ T5189] ? gfs2_dirent_search+0x8c0/0x8c0 [ 92.003665][ T5189] gfs2_dirent_search+0x30e/0x8c0 [ 92.008720][ T5189] ? gfs2_dirent_search+0x8c0/0x8c0 [ 92.013951][ T5189] ? generic_permission+0x1df/0x550 [ 92.019351][ T5189] ? gfs2_dir_search+0x2f0/0x2f0 [ 92.024311][ T5189] ? gfs2_permission+0x34a/0x3c0 [pid 5191] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5188] exit_group(0) = ? [pid 5191] <... futex resumed>) = ? [pid 5191] +++ exited with 0 +++ [ 92.029354][ T5189] gfs2_dir_search+0xb2/0x2f0 [ 92.034051][ T5189] ? do_filldir_main+0x520/0x520 [ 92.038999][ T5189] ? inode_go_held+0xea/0x200 [ 92.043696][ T5189] ? gfs2_glock_wait+0x21a/0x2b0 [ 92.048827][ T5189] gfs2_lookupi+0x460/0x5d0 [ 92.053369][ T5189] ? gfs2_lookup_simple+0x180/0x180 [ 92.058642][ T5189] ? __gfs2_lookup+0xa4/0x270 [ 92.063330][ T5189] __gfs2_lookup+0xa4/0x270 [ 92.067849][ T5189] ? gfs2_atomic_open+0x230/0x230 [ 92.072895][ T5189] ? __d_lookup+0x675/0x730 [ 92.077401][ T5189] ? d_hash_and_lookup+0x1b0/0x1b0 [ 92.082521][ T5189] gfs2_atomic_open+0x9e/0x230 [ 92.087291][ T5189] path_openat+0x1044/0x3180 [ 92.091905][ T5189] ? gfs2_rename2+0x25a0/0x25a0 [ 92.096802][ T5189] ? do_filp_open+0x490/0x490 [ 92.101522][ T5189] do_filp_open+0x234/0x490 [ 92.106052][ T5189] ? vfs_tmpfile+0x4b0/0x4b0 [ 92.110658][ T5189] ? _raw_spin_unlock+0x28/0x40 [ 92.115513][ T5189] ? alloc_fd+0x59c/0x640 [ 92.119844][ T5189] do_sys_openat2+0x13e/0x1d0 [ 92.124522][ T5189] ? do_sys_open+0x230/0x230 [ 92.129110][ T5189] ? lockdep_hardirqs_on+0x98/0x140 [ 92.134317][ T5189] ? _raw_spin_unlock_irq+0x2e/0x50 [ 92.139622][ T5189] ? ptrace_notify+0x278/0x380 [ 92.144390][ T5189] __x64_sys_open+0x225/0x270 [ 92.149065][ T5189] ? do_sys_openat2+0x1d0/0x1d0 [ 92.153916][ T5189] ? syscall_enter_from_user_mode+0x32/0x230 [ 92.159997][ T5189] ? syscall_enter_from_user_mode+0x8c/0x230 [ 92.165982][ T5189] do_syscall_64+0x41/0xc0 [ 92.170414][ T5189] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 92.176325][ T5189] RIP: 0033:0x7f012f71fa59 [ 92.180739][ T5189] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 92.200355][ T5189] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 92.208956][ T5189] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 92.216926][ T5189] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5189] <... open resumed>) = ? [pid 5189] +++ exited with 0 +++ [pid 5188] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5188, si_uid=0, si_status=0, si_utime=0, si_stime=31 /* 0.31 s */} --- umount2("./41", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./41", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./41/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./41/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./41/binderfs") = 0 [ 92.224902][ T5189] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 92.232889][ T5189] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 92.240867][ T5189] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 92.248863][ T5189] umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./41/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./41/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./41/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./41") = 0 mkdir("./42", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5192 ./strace-static-x86_64: Process 5192 attached [pid 5192] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5192] chdir("./42") = 0 [pid 5192] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5192] setpgid(0, 0) = 0 [pid 5192] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5192] write(3, "1000", 4) = 4 [pid 5192] close(3) = 0 [pid 5192] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5192] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5192] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5192] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5192] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5192] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5192] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5194]}, 88) = 5194 [pid 5192] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5192] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5194 attached [pid 5194] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5194] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5194] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5194] memfd_create("syzkaller", 0) = 3 [pid 5194] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5194] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5194] munmap(0x7f01272bc000, 16777216) = 0 [pid 5194] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5194] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5194] close(3) = 0 [pid 5194] mkdir("./file0", 0777) = 0 [ 92.565789][ T5194] loop0: detected capacity change from 0 to 32768 [ 92.576349][ T5194] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 92.584828][ T5194] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 92.594028][ T5194] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 92.602998][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 92.609952][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5194] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5194] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5194] chdir("./file0") = 0 [pid 5194] ioctl(4, LOOP_CLR_FD) = 0 [pid 5194] close(4) = 0 [pid 5194] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5194] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5192] <... futex resumed>) = 0 [pid 5192] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5194] <... futex resumed>) = 0 [pid 5192] <... futex resumed>) = 1 [pid 5194] open("./file0", O_RDWR [ 92.650003][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 92.658593][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 92.663952][ T5194] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 92.679616][ T5194] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 92.688385][ T5194] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 92.688385][ T5194] inode = 12 2341 [ 92.688385][ T5194] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 92.707525][ T5194] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 92.716692][ T5194] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5194 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 92.727136][ T5194] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 92.735646][ T5194] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5192] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5192] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5192] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5192] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5192] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5196]}, 88) = 5196 [pid 5192] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5192] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5196 attached [pid 5196] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5196] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5196] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5196] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5196] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5192] <... futex resumed>) = 0 [pid 5192] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5196] <... futex resumed>) = 1 [pid 5196] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5196] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5192] <... futex resumed>) = 0 [pid 5196] <... futex resumed>) = 1 [ 92.742978][ T5194] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 92.752227][ T5194] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 92.759435][ T5194] gfs2: fsid=syz:syz.0: File system withdrawn [ 92.765815][ T5194] CPU: 1 PID: 5194 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 92.776263][ T5194] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 92.786339][ T5194] Call Trace: [ 92.789613][ T5194] [ 92.792540][ T5194] dump_stack_lvl+0x1e7/0x2d0 [ 92.797221][ T5194] ? nf_tcp_handle_invalid+0x650/0x650 [ 92.802696][ T5194] ? panic+0x770/0x770 [ 92.806767][ T5194] gfs2_withdraw+0xc94/0x11e0 [ 92.811461][ T5194] gfs2_dirent_scan+0x512/0x640 [ 92.816323][ T5194] ? gfs2_permission+0x268/0x3c0 [ 92.821266][ T5194] ? gfs2_dirent_search+0x8c0/0x8c0 [ 92.826485][ T5194] gfs2_dirent_search+0x30e/0x8c0 [ 92.831526][ T5194] ? gfs2_dirent_search+0x8c0/0x8c0 [ 92.836729][ T5194] ? generic_permission+0x1df/0x550 [ 92.841947][ T5194] ? gfs2_dir_search+0x2f0/0x2f0 [ 92.846893][ T5194] ? gfs2_permission+0x34a/0x3c0 [ 92.852376][ T5194] gfs2_dir_search+0xb2/0x2f0 [ 92.857068][ T5194] ? do_filldir_main+0x520/0x520 [ 92.862012][ T5194] ? inode_go_held+0xea/0x200 [ 92.866704][ T5194] ? gfs2_glock_wait+0x21a/0x2b0 [ 92.871643][ T5194] gfs2_lookupi+0x460/0x5d0 [ 92.876149][ T5194] ? gfs2_lookup_simple+0x180/0x180 [ 92.881344][ T5194] ? __gfs2_lookup+0xa4/0x270 [ 92.886021][ T5194] __gfs2_lookup+0xa4/0x270 [ 92.890526][ T5194] ? gfs2_atomic_open+0x230/0x230 [ 92.895635][ T5194] ? __d_lookup+0x675/0x730 [ 92.900137][ T5194] ? d_hash_and_lookup+0x1b0/0x1b0 [ 92.905242][ T5194] gfs2_atomic_open+0x9e/0x230 [ 92.910011][ T5194] path_openat+0x1044/0x3180 [ 92.914601][ T5194] ? gfs2_rename2+0x25a0/0x25a0 [ 92.919490][ T5194] ? do_filp_open+0x490/0x490 [ 92.924794][ T5194] do_filp_open+0x234/0x490 [ 92.929295][ T5194] ? vfs_tmpfile+0x4b0/0x4b0 [ 92.933986][ T5194] ? _raw_spin_unlock+0x28/0x40 [ 92.938835][ T5194] ? alloc_fd+0x59c/0x640 [ 92.943177][ T5194] do_sys_openat2+0x13e/0x1d0 [ 92.947859][ T5194] ? do_sys_open+0x230/0x230 [ 92.952463][ T5194] ? lockdep_hardirqs_on+0x98/0x140 [ 92.957658][ T5194] ? _raw_spin_unlock_irq+0x2e/0x50 [ 92.962934][ T5194] ? ptrace_notify+0x278/0x380 [ 92.967703][ T5194] __x64_sys_open+0x225/0x270 [ 92.972386][ T5194] ? do_sys_openat2+0x1d0/0x1d0 [ 92.977668][ T5194] ? syscall_enter_from_user_mode+0x32/0x230 [ 92.983647][ T5194] ? syscall_enter_from_user_mode+0x8c/0x230 [ 92.989637][ T5194] do_syscall_64+0x41/0xc0 [ 92.994048][ T5194] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 92.999940][ T5194] RIP: 0033:0x7f012f71fa59 [ 93.004352][ T5194] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 93.025256][ T5194] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 93.033668][ T5194] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 93.041632][ T5194] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5196] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5194] <... open resumed>) = -1 EIO (Input/output error) [pid 5194] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5194] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5192] exit_group(0 [pid 5194] <... futex resumed>) = ? [pid 5194] +++ exited with 0 +++ [pid 5196] <... futex resumed>) = ? [pid 5192] <... exit_group resumed>) = ? [pid 5196] +++ exited with 0 +++ [pid 5192] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5192, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./42", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./42", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./42/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./42/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./42/binderfs") = 0 [ 93.049594][ T5194] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 93.057563][ T5194] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 93.065526][ T5194] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 93.073512][ T5194] umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./42/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./42/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./42/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./42") = 0 mkdir("./43", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5199 ./strace-static-x86_64: Process 5199 attached [pid 5199] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5199] chdir("./43") = 0 [pid 5199] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5199] setpgid(0, 0) = 0 [pid 5199] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5199] write(3, "1000", 4) = 4 [pid 5199] close(3) = 0 [pid 5199] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5199] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5199] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5199] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5199] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5199] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5199] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5199] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5200]}, 88) = 5200 [pid 5199] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5199] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5199] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5200 attached [pid 5200] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5200] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5200] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5200] memfd_create("syzkaller", 0) = 3 [pid 5200] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5200] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5200] munmap(0x7f01272bc000, 16777216) = 0 [pid 5200] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5200] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5200] close(3) = 0 [pid 5200] mkdir("./file0", 0777) = 0 [ 93.392537][ T5200] loop0: detected capacity change from 0 to 32768 [ 93.404089][ T5200] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 93.412536][ T5200] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 93.421974][ T5200] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 93.430752][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 93.437516][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5200] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5200] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5200] chdir("./file0") = 0 [pid 5200] ioctl(4, LOOP_CLR_FD) = 0 [pid 5200] close(4) = 0 [pid 5200] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5199] <... futex resumed>) = 0 [pid 5199] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5199] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5200] <... futex resumed>) = 1 [ 93.472015][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 93.479722][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 93.484996][ T5200] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 93.500854][ T5200] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 93.509966][ T5200] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 93.509966][ T5200] inode = 12 2341 [pid 5200] open("./file0", O_RDWR [pid 5199] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5199] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5199] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5199] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5199] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5199] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5203]}, 88) = 5203 [pid 5199] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5199] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5199] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5203 attached [pid 5203] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5203] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5203] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 93.509966][ T5200] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 93.528857][ T5200] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 93.538083][ T5200] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5200 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 93.548442][ T5200] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 93.554440][ T5203] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 93.557991][ T5200] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5203] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5199] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5199] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5199] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5199] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5199] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5199] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5205]}, 88) = 5205 [pid 5199] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5199] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5199] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5205 attached [pid 5205] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5205] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5205] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5205] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5205] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5199] <... futex resumed>) = 0 [pid 5205] <... futex resumed>) = 1 [ 93.565777][ T5203] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 93.573779][ T5200] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 93.581783][ T5203] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5200 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 93.596025][ T5200] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 93.601238][ T5203] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5203 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 93.609733][ T5200] gfs2: fsid=syz:syz.0: File system withdrawn [ 93.621419][ T5203] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 93.632367][ T5200] CPU: 0 PID: 5200 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 93.643087][ T5200] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 93.653141][ T5200] Call Trace: [ 93.656420][ T5200] [ 93.659346][ T5200] dump_stack_lvl+0x1e7/0x2d0 [ 93.664025][ T5200] ? nf_tcp_handle_invalid+0x650/0x650 [ 93.669520][ T5200] ? panic+0x770/0x770 [ 93.673853][ T5200] gfs2_withdraw+0xc94/0x11e0 [ 93.678535][ T5200] gfs2_dirent_scan+0x512/0x640 [ 93.683388][ T5200] ? gfs2_permission+0x268/0x3c0 [ 93.688317][ T5200] ? gfs2_dirent_search+0x8c0/0x8c0 [ 93.693607][ T5200] gfs2_dirent_search+0x30e/0x8c0 [ 93.698662][ T5200] ? gfs2_dirent_search+0x8c0/0x8c0 [ 93.703853][ T5200] ? generic_permission+0x1df/0x550 [ 93.709052][ T5200] ? gfs2_dir_search+0x2f0/0x2f0 [ 93.713988][ T5200] ? gfs2_permission+0x34a/0x3c0 [ 93.718925][ T5200] gfs2_dir_search+0xb2/0x2f0 [ 93.723601][ T5200] ? do_filldir_main+0x520/0x520 [ 93.728539][ T5200] ? inode_go_held+0xea/0x200 [ 93.733296][ T5200] ? gfs2_glock_wait+0x21a/0x2b0 [ 93.738228][ T5200] gfs2_lookupi+0x460/0x5d0 [ 93.742731][ T5200] ? gfs2_lookup_simple+0x180/0x180 [ 93.747923][ T5200] ? __gfs2_lookup+0xa4/0x270 [ 93.752597][ T5200] __gfs2_lookup+0xa4/0x270 [ 93.757183][ T5200] ? gfs2_atomic_open+0x230/0x230 [ 93.762204][ T5200] ? __d_lookup+0x675/0x730 [ 93.766701][ T5200] ? d_hash_and_lookup+0x1b0/0x1b0 [ 93.771806][ T5200] gfs2_atomic_open+0x9e/0x230 [ 93.776565][ T5200] path_openat+0x1044/0x3180 [ 93.781153][ T5200] ? gfs2_rename2+0x25a0/0x25a0 [ 93.786009][ T5200] ? do_filp_open+0x490/0x490 [ 93.790691][ T5200] do_filp_open+0x234/0x490 [ 93.795188][ T5200] ? vfs_tmpfile+0x4b0/0x4b0 [ 93.799789][ T5200] ? _raw_spin_unlock+0x28/0x40 [ 93.804643][ T5200] ? alloc_fd+0x59c/0x640 [ 93.808975][ T5200] do_sys_openat2+0x13e/0x1d0 [ 93.813649][ T5200] ? do_sys_open+0x230/0x230 [ 93.818407][ T5200] ? lockdep_hardirqs_on+0x98/0x140 [ 93.823623][ T5200] ? _raw_spin_unlock_irq+0x2e/0x50 [ 93.828990][ T5200] ? ptrace_notify+0x278/0x380 [ 93.833753][ T5200] __x64_sys_open+0x225/0x270 [ 93.838463][ T5200] ? do_sys_openat2+0x1d0/0x1d0 [ 93.843328][ T5200] ? syscall_enter_from_user_mode+0x32/0x230 [ 93.849319][ T5200] ? syscall_enter_from_user_mode+0x8c/0x230 [ 93.855387][ T5200] do_syscall_64+0x41/0xc0 [ 93.859803][ T5200] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 93.865700][ T5200] RIP: 0033:0x7f012f71fa59 [ 93.870110][ T5200] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 93.889798][ T5200] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 93.898242][ T5200] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 93.906669][ T5200] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 93.914825][ T5200] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5205] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5203] <... openat resumed>) = -1 EIO (Input/output error) [pid 5203] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5203] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5200] <... open resumed>) = -1 EIO (Input/output error) [pid 5200] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5200] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5199] exit_group(0 [pid 5205] <... futex resumed>) = ? [pid 5203] <... futex resumed>) = ? [pid 5200] <... futex resumed>) = ? [pid 5199] <... exit_group resumed>) = ? [pid 5205] +++ exited with 0 +++ [pid 5203] +++ exited with 0 +++ [pid 5200] +++ exited with 0 +++ [pid 5199] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5199, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=42 /* 0.42 s */} --- umount2("./43", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./43", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./43/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./43/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./43/binderfs") = 0 [ 93.922891][ T5200] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 93.930858][ T5200] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 93.938832][ T5200] umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./43/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./43/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./43/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./43") = 0 mkdir("./44", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5208 ./strace-static-x86_64: Process 5208 attached [pid 5208] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5208] chdir("./44") = 0 [pid 5208] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5208] setpgid(0, 0) = 0 [pid 5208] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5208] write(3, "1000", 4) = 4 [pid 5208] close(3) = 0 [pid 5208] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5208] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5208] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5208] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5208] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5208] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5208] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5208] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5209]}, 88) = 5209 [pid 5208] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5208] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5208] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5209 attached [pid 5209] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5209] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5209] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5209] memfd_create("syzkaller", 0) = 3 [pid 5209] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5209] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5209] munmap(0x7f01272bc000, 16777216) = 0 [pid 5209] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5209] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5209] close(3) = 0 [pid 5209] mkdir("./file0", 0777) = 0 [ 94.249880][ T5209] loop0: detected capacity change from 0 to 32768 [ 94.261011][ T5209] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 94.269203][ T5209] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 94.279029][ T5209] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 94.287752][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 94.294665][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5209] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5209] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5209] chdir("./file0") = 0 [pid 5209] ioctl(4, LOOP_CLR_FD) = 0 [pid 5209] close(4) = 0 [pid 5209] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5208] <... futex resumed>) = 0 [pid 5208] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5208] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5209] <... futex resumed>) = 1 [ 94.327901][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 94.335878][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 94.341224][ T5209] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 94.360782][ T5209] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 94.369640][ T5209] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5209] open("./file0", O_RDWR [pid 5208] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5208] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5208] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5208] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5208] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5208] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5208] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5208] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5211]}, 88) = 5211 [pid 5208] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5208] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5208] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5211 attached [pid 5211] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5211] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5211] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 94.369640][ T5209] inode = 12 2341 [ 94.369640][ T5209] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 94.388834][ T5209] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 94.398287][ T5209] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5209 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 94.408875][ T5209] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 94.415616][ T5211] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 94.425865][ T5209] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 94.426135][ T5211] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 94.442341][ T5209] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 94.442640][ T5211] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5209 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 94.461793][ T5209] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 94.461873][ T5211] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5211 [syz-executor198] __gfs2_lookup+0xa4/0x270 [pid 5211] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5208] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5208] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5208] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5208] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5208] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5208] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5212]}, 88) = 5212 [pid 5208] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5208] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5208] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5212 attached [pid 5212] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5212] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5212] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5212] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5212] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5208] <... futex resumed>) = 0 [pid 5212] <... futex resumed>) = 1 [ 94.470621][ T5209] gfs2: fsid=syz:syz.0: File system withdrawn [ 94.482722][ T5211] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 94.492788][ T5209] CPU: 1 PID: 5209 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 94.503225][ T5209] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 94.513284][ T5209] Call Trace: [ 94.516563][ T5209] [ 94.519496][ T5209] dump_stack_lvl+0x1e7/0x2d0 [ 94.524283][ T5209] ? nf_tcp_handle_invalid+0x650/0x650 [ 94.529779][ T5209] ? panic+0x770/0x770 [ 94.533994][ T5209] gfs2_withdraw+0xc94/0x11e0 [ 94.538683][ T5209] gfs2_dirent_scan+0x512/0x640 [ 94.543536][ T5209] ? gfs2_permission+0x268/0x3c0 [ 94.548474][ T5209] ? gfs2_dirent_search+0x8c0/0x8c0 [ 94.553698][ T5209] gfs2_dirent_search+0x30e/0x8c0 [ 94.558837][ T5209] ? gfs2_dirent_search+0x8c0/0x8c0 [ 94.564047][ T5209] ? generic_permission+0x1df/0x550 [ 94.569272][ T5209] ? gfs2_dir_search+0x2f0/0x2f0 [ 94.574238][ T5209] ? gfs2_permission+0x34a/0x3c0 [pid 5212] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5208] exit_group(0 [pid 5212] <... futex resumed>) = ? [pid 5208] <... exit_group resumed>) = ? [pid 5212] +++ exited with 0 +++ [ 94.579193][ T5209] gfs2_dir_search+0xb2/0x2f0 [ 94.583909][ T5209] ? do_filldir_main+0x520/0x520 [ 94.589107][ T5209] ? inode_go_held+0xea/0x200 [ 94.593798][ T5209] ? gfs2_glock_wait+0x21a/0x2b0 [ 94.598929][ T5209] gfs2_lookupi+0x460/0x5d0 [ 94.603553][ T5209] ? gfs2_lookup_simple+0x180/0x180 [ 94.608766][ T5209] ? __gfs2_lookup+0xa4/0x270 [ 94.613459][ T5209] __gfs2_lookup+0xa4/0x270 [ 94.617958][ T5209] ? gfs2_atomic_open+0x230/0x230 [ 94.623089][ T5209] ? __d_lookup+0x675/0x730 [ 94.627612][ T5209] ? d_hash_and_lookup+0x1b0/0x1b0 [ 94.632733][ T5209] gfs2_atomic_open+0x9e/0x230 [ 94.637535][ T5209] path_openat+0x1044/0x3180 [ 94.642130][ T5209] ? gfs2_rename2+0x25a0/0x25a0 [ 94.646995][ T5209] ? do_filp_open+0x490/0x490 [ 94.651683][ T5209] do_filp_open+0x234/0x490 [ 94.656216][ T5209] ? vfs_tmpfile+0x4b0/0x4b0 [ 94.660851][ T5209] ? _raw_spin_unlock+0x28/0x40 [ 94.665806][ T5209] ? alloc_fd+0x59c/0x640 [ 94.670169][ T5209] do_sys_openat2+0x13e/0x1d0 [ 94.674880][ T5209] ? do_sys_open+0x230/0x230 [ 94.679652][ T5209] ? lockdep_hardirqs_on+0x98/0x140 [ 94.684938][ T5209] ? _raw_spin_unlock_irq+0x2e/0x50 [ 94.690156][ T5209] ? ptrace_notify+0x278/0x380 [ 94.695025][ T5209] __x64_sys_open+0x225/0x270 [ 94.699878][ T5209] ? do_sys_openat2+0x1d0/0x1d0 [ 94.704813][ T5209] ? syscall_enter_from_user_mode+0x32/0x230 [ 94.710815][ T5209] ? syscall_enter_from_user_mode+0x8c/0x230 [ 94.716817][ T5209] do_syscall_64+0x41/0xc0 [ 94.721332][ T5209] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 94.727331][ T5209] RIP: 0033:0x7f012f71fa59 [ 94.731762][ T5209] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 94.751568][ T5209] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 94.759978][ T5209] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 94.767944][ T5209] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5211] <... openat resumed>) = ? [pid 5209] <... open resumed>) = ? [pid 5211] +++ exited with 0 +++ [pid 5209] +++ exited with 0 +++ [pid 5208] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5208, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- umount2("./44", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./44/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./44/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./44/binderfs") = 0 [ 94.775905][ T5209] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 94.783875][ T5209] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 94.791856][ T5209] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 94.799850][ T5209] umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./44/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./44/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./44") = 0 mkdir("./45", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5213 ./strace-static-x86_64: Process 5213 attached [pid 5213] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5213] chdir("./45") = 0 [pid 5213] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5213] setpgid(0, 0) = 0 [pid 5213] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5213] write(3, "1000", 4) = 4 [pid 5213] close(3) = 0 [pid 5213] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5213] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5213] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5213] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5213] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5213] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5213] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5213] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5214]}, 88) = 5214 [pid 5213] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5213] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5213] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5214 attached [pid 5214] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5214] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5214] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5214] memfd_create("syzkaller", 0) = 3 [pid 5214] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5214] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5214] munmap(0x7f01272bc000, 16777216) = 0 [pid 5214] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5214] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5214] close(3) = 0 [pid 5214] mkdir("./file0", 0777) = 0 [ 95.104684][ T5214] loop0: detected capacity change from 0 to 32768 [ 95.116365][ T5214] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 95.124838][ T5214] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 95.135049][ T5214] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 95.143832][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 95.150917][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5214] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5214] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5214] chdir("./file0") = 0 [pid 5214] ioctl(4, LOOP_CLR_FD) = 0 [pid 5214] close(4) = 0 [pid 5214] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5213] <... futex resumed>) = 0 [pid 5213] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5213] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5214] <... futex resumed>) = 1 [ 95.184855][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 95.192436][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 95.197725][ T5214] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 95.219895][ T5214] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 95.228743][ T5214] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 95.228743][ T5214] inode = 12 2341 [ 95.228743][ T5214] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 95.248158][ T5214] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 95.257547][ T5214] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5214 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 95.267701][ T5216] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 95.267723][ T5216] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5214] open("./file0", O_RDWR [pid 5213] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5213] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5213] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5213] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5213] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5213] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5216]}, 88) = 5216 [pid 5213] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5213] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5213] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5216 attached [pid 5216] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5216] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5216] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5216] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5213] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5213] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 95.267723][ T5216] inode = 12 2341 [ 95.267723][ T5216] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 95.267751][ T5216] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 95.267780][ T5216] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5214 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 95.276398][ T5214] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5216 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 95.296293][ T5216] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5216 [syz-executor198] __gfs2_lookup+0xa4/0x270 [pid 5213] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5213] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5213] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5213] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5217]}, 88) = 5217 [pid 5213] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5213] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5213] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5217 attached [pid 5217] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5217] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5217] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5217] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5217] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5213] <... futex resumed>) = 0 [pid 5217] <... futex resumed>) = 1 [ 95.305218][ T5214] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 95.314857][ T5216] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 95.325144][ T5214] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 95.359404][ T5214] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 95.368226][ T5214] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 95.374934][ T5214] gfs2: fsid=syz:syz.0: File system withdrawn [ 95.381316][ T5214] CPU: 0 PID: 5214 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 95.391779][ T5214] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 95.401837][ T5214] Call Trace: [ 95.405119][ T5214] [ 95.408040][ T5214] dump_stack_lvl+0x1e7/0x2d0 [ 95.412722][ T5214] ? nf_tcp_handle_invalid+0x650/0x650 [ 95.418205][ T5214] ? panic+0x770/0x770 [ 95.422398][ T5214] gfs2_withdraw+0xc94/0x11e0 [ 95.427098][ T5214] gfs2_dirent_scan+0x512/0x640 [ 95.432038][ T5214] ? gfs2_permission+0x268/0x3c0 [ 95.436985][ T5214] ? gfs2_dirent_search+0x8c0/0x8c0 [ 95.442180][ T5214] gfs2_dirent_search+0x30e/0x8c0 [ 95.447205][ T5214] ? gfs2_dirent_search+0x8c0/0x8c0 [ 95.452422][ T5214] ? generic_permission+0x1df/0x550 [ 95.457633][ T5214] ? gfs2_dir_search+0x2f0/0x2f0 [ 95.462667][ T5214] ? gfs2_permission+0x34a/0x3c0 [ 95.467617][ T5214] gfs2_dir_search+0xb2/0x2f0 [ 95.472313][ T5214] ? do_filldir_main+0x520/0x520 [ 95.477252][ T5214] ? inode_go_held+0xea/0x200 [ 95.481928][ T5214] ? gfs2_glock_wait+0x21a/0x2b0 [ 95.486929][ T5214] gfs2_lookupi+0x460/0x5d0 [ 95.491452][ T5214] ? gfs2_lookup_simple+0x180/0x180 [ 95.496742][ T5214] ? __gfs2_lookup+0xa4/0x270 [ 95.501428][ T5214] __gfs2_lookup+0xa4/0x270 [ 95.506189][ T5214] ? gfs2_atomic_open+0x230/0x230 [ 95.511222][ T5214] ? __d_lookup+0x675/0x730 [ 95.515719][ T5214] ? d_hash_and_lookup+0x1b0/0x1b0 [ 95.520827][ T5214] gfs2_atomic_open+0x9e/0x230 [ 95.525587][ T5214] path_openat+0x1044/0x3180 [ 95.530193][ T5214] ? gfs2_rename2+0x25a0/0x25a0 [ 95.535074][ T5214] ? do_filp_open+0x490/0x490 [ 95.539780][ T5214] do_filp_open+0x234/0x490 [ 95.544302][ T5214] ? vfs_tmpfile+0x4b0/0x4b0 [ 95.548917][ T5214] ? _raw_spin_unlock+0x28/0x40 [ 95.553780][ T5214] ? alloc_fd+0x59c/0x640 [ 95.558130][ T5214] do_sys_openat2+0x13e/0x1d0 [ 95.562812][ T5214] ? do_sys_open+0x230/0x230 [ 95.567411][ T5214] ? lockdep_hardirqs_on+0x98/0x140 [ 95.572816][ T5214] ? _raw_spin_unlock_irq+0x2e/0x50 [ 95.578021][ T5214] ? ptrace_notify+0x278/0x380 [ 95.582784][ T5214] __x64_sys_open+0x225/0x270 [ 95.587461][ T5214] ? do_sys_openat2+0x1d0/0x1d0 [ 95.592398][ T5214] ? syscall_enter_from_user_mode+0x32/0x230 [ 95.598381][ T5214] ? syscall_enter_from_user_mode+0x8c/0x230 [ 95.604379][ T5214] do_syscall_64+0x41/0xc0 [ 95.608799][ T5214] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 95.615127][ T5214] RIP: 0033:0x7f012f71fa59 [ 95.619540][ T5214] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 95.641324][ T5214] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 95.650013][ T5214] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 95.658370][ T5214] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 95.667058][ T5214] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 95.675146][ T5214] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [pid 5217] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5214] <... open resumed>) = -1 EIO (Input/output error) [pid 5216] <... openat resumed>) = -1 EIO (Input/output error) [pid 5214] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5214] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5216] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5216] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5213] exit_group(0 [pid 5214] <... futex resumed>) = ? [pid 5213] <... exit_group resumed>) = ? [pid 5217] <... futex resumed>) = ? [pid 5216] <... futex resumed>) = ? [pid 5214] +++ exited with 0 +++ [pid 5217] +++ exited with 0 +++ [pid 5216] +++ exited with 0 +++ [pid 5213] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5213, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=43 /* 0.43 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./45", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./45", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./45/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./45/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./45/binderfs") = 0 [ 95.684817][ T5214] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 95.693177][ T5214] umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./45/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./45/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./45/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./45") = 0 mkdir("./46", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5218 ./strace-static-x86_64: Process 5218 attached [pid 5218] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5218] chdir("./46") = 0 [pid 5218] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5218] setpgid(0, 0) = 0 [pid 5218] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5218] write(3, "1000", 4) = 4 [pid 5218] close(3) = 0 [pid 5218] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5218] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5218] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5218] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5218] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5218] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5218] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5218] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5219]}, 88) = 5219 ./strace-static-x86_64: Process 5219 attached [pid 5218] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5219] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5218] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5219] <... rseq resumed>) = 0 [pid 5218] <... futex resumed>) = 0 [pid 5219] set_robust_list(0x7f012f6dc9a0, 24 [pid 5218] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5219] <... set_robust_list resumed>) = 0 [pid 5219] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5219] memfd_create("syzkaller", 0) = 3 [pid 5219] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5219] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5219] munmap(0x7f01272bc000, 16777216) = 0 [pid 5219] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5219] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5219] close(3) = 0 [pid 5219] mkdir("./file0", 0777) = 0 [ 96.017607][ T5219] loop0: detected capacity change from 0 to 32768 [ 96.028615][ T5219] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 96.037110][ T5219] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 96.046348][ T5219] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 96.054877][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 96.062009][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5219] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5219] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5219] chdir("./file0") = 0 [pid 5219] ioctl(4, LOOP_CLR_FD) = 0 [pid 5219] close(4) = 0 [pid 5219] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5218] <... futex resumed>) = 0 [pid 5219] <... futex resumed>) = 1 [pid 5218] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5219] open("./file0", O_RDWR [pid 5218] <... futex resumed>) = 0 [ 96.099496][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 96.107108][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 96.112402][ T5219] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 96.124637][ T5219] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 96.133303][ T5219] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 96.133303][ T5219] inode = 12 2341 [pid 5218] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5218] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5218] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5218] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5218] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5218] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5221]}, 88) = 5221 [pid 5218] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5218] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5218] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5221 attached [pid 5221] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5221] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5221] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5221] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5221] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5218] <... futex resumed>) = 0 [pid 5218] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5218] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5221] <... futex resumed>) = 1 [pid 5221] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5221] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5218] <... futex resumed>) = 0 [pid 5221] <... futex resumed>) = 1 [ 96.133303][ T5219] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 96.152645][ T5219] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 96.162168][ T5219] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5219 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 96.172618][ T5219] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 96.181357][ T5219] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 96.189110][ T5219] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 96.198278][ T5219] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 96.205055][ T5219] gfs2: fsid=syz:syz.0: File system withdrawn [ 96.211505][ T5219] CPU: 1 PID: 5219 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 96.221939][ T5219] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 96.232011][ T5219] Call Trace: [ 96.235274][ T5219] [ 96.238274][ T5219] dump_stack_lvl+0x1e7/0x2d0 [ 96.242978][ T5219] ? nf_tcp_handle_invalid+0x650/0x650 [ 96.248421][ T5219] ? panic+0x770/0x770 [ 96.252485][ T5219] gfs2_withdraw+0xc94/0x11e0 [ 96.257166][ T5219] gfs2_dirent_scan+0x512/0x640 [ 96.262011][ T5219] ? gfs2_permission+0x268/0x3c0 [ 96.267106][ T5219] ? gfs2_dirent_search+0x8c0/0x8c0 [ 96.272301][ T5219] gfs2_dirent_search+0x30e/0x8c0 [ 96.277324][ T5219] ? gfs2_dirent_search+0x8c0/0x8c0 [ 96.282520][ T5219] ? generic_permission+0x1df/0x550 [ 96.287711][ T5219] ? gfs2_dir_search+0x2f0/0x2f0 [ 96.292729][ T5219] ? gfs2_permission+0x34a/0x3c0 [ 96.297666][ T5219] gfs2_dir_search+0xb2/0x2f0 [ 96.302352][ T5219] ? do_filldir_main+0x520/0x520 [ 96.307284][ T5219] ? inode_go_held+0xea/0x200 [ 96.311977][ T5219] ? gfs2_glock_wait+0x21a/0x2b0 [ 96.316906][ T5219] gfs2_lookupi+0x460/0x5d0 [ 96.321430][ T5219] ? gfs2_lookup_simple+0x180/0x180 [ 96.326641][ T5219] ? __gfs2_lookup+0xa4/0x270 [ 96.331342][ T5219] __gfs2_lookup+0xa4/0x270 [ 96.336121][ T5219] ? gfs2_atomic_open+0x230/0x230 [ 96.341236][ T5219] ? __d_lookup+0x675/0x730 [ 96.345735][ T5219] ? d_hash_and_lookup+0x1b0/0x1b0 [ 96.350840][ T5219] gfs2_atomic_open+0x9e/0x230 [ 96.355686][ T5219] path_openat+0x1044/0x3180 [ 96.360275][ T5219] ? gfs2_rename2+0x25a0/0x25a0 [ 96.365170][ T5219] ? do_filp_open+0x490/0x490 [ 96.369880][ T5219] do_filp_open+0x234/0x490 [ 96.374565][ T5219] ? vfs_tmpfile+0x4b0/0x4b0 [ 96.379164][ T5219] ? _raw_spin_unlock+0x28/0x40 [ 96.387230][ T5219] ? alloc_fd+0x59c/0x640 [ 96.391562][ T5219] do_sys_openat2+0x13e/0x1d0 [ 96.396245][ T5219] ? do_sys_open+0x230/0x230 [ 96.401112][ T5219] ? lockdep_hardirqs_on+0x98/0x140 [ 96.406308][ T5219] ? _raw_spin_unlock_irq+0x2e/0x50 [ 96.411590][ T5219] ? ptrace_notify+0x278/0x380 [ 96.416354][ T5219] __x64_sys_open+0x225/0x270 [ 96.421028][ T5219] ? do_sys_openat2+0x1d0/0x1d0 [ 96.425961][ T5219] ? syscall_enter_from_user_mode+0x32/0x230 [ 96.431937][ T5219] ? syscall_enter_from_user_mode+0x8c/0x230 [ 96.437998][ T5219] do_syscall_64+0x41/0xc0 [ 96.442417][ T5219] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 96.448306][ T5219] RIP: 0033:0x7f012f71fa59 [ 96.452722][ T5219] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 96.472321][ T5219] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 96.480729][ T5219] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 96.488695][ T5219] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5221] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5219] <... open resumed>) = -1 EIO (Input/output error) [pid 5219] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5218] exit_group(0) = ? [pid 5219] <... futex resumed>) = ? [pid 5221] <... futex resumed>) = ? [pid 5221] +++ exited with 0 +++ [pid 5219] +++ exited with 0 +++ [pid 5218] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5218, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./46", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./46", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./46/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./46/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./46/binderfs") = 0 [ 96.496672][ T5219] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 96.504634][ T5219] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 96.514692][ T5219] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 96.522670][ T5219] umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./46/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./46/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./46/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./46") = 0 mkdir("./47", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5222 ./strace-static-x86_64: Process 5222 attached [pid 5222] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5222] chdir("./47") = 0 [pid 5222] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5222] setpgid(0, 0) = 0 [pid 5222] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5222] write(3, "1000", 4) = 4 [pid 5222] close(3) = 0 [pid 5222] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5222] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5222] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5222] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5222] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5222] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5222] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5223]}, 88) = 5223 [pid 5222] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5222] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5223 attached [pid 5223] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5223] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5223] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5223] memfd_create("syzkaller", 0) = 3 [pid 5223] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5223] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5223] munmap(0x7f01272bc000, 16777216) = 0 [pid 5223] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5223] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5223] close(3) = 0 [pid 5223] mkdir("./file0", 0777) = 0 [ 96.826985][ T5223] loop0: detected capacity change from 0 to 32768 [ 96.837336][ T5223] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 96.845790][ T5223] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 96.856657][ T5223] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 96.865664][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 96.872599][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5223] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5223] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5223] chdir("./file0") = 0 [pid 5223] ioctl(4, LOOP_CLR_FD) = 0 [pid 5223] close(4) = 0 [pid 5223] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5223] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5222] <... futex resumed>) = 0 [pid 5222] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5222] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5223] <... futex resumed>) = 0 [ 96.911051][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 96.919975][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 96.925308][ T5223] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 96.943369][ T5223] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 96.952056][ T5223] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5223] open("./file0", O_RDWR [pid 5222] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5222] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5222] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5222] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5222] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0}./strace-static-x86_64: Process 5225 attached => {parent_tid=[5225]}, 88) = 5225 [pid 5222] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5222] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5225] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5225] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5225] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 96.952056][ T5223] inode = 12 2341 [ 96.952056][ T5223] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 96.971961][ T5223] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 96.982031][ T5223] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5223 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 96.995047][ T5223] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 97.001502][ T5225] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5225] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5222] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5222] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5222] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5222] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5222] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5226]}, 88) = 5226 [pid 5222] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5222] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 97.003600][ T5223] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 97.012679][ T5225] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 97.019224][ T5223] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 97.029561][ T5225] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5223 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 97.037795][ T5223] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [pid 5222] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5226 attached [pid 5226] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5226] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5226] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5226] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5226] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5222] <... futex resumed>) = 0 [ 97.054095][ T5225] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5225 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 97.056148][ T5223] gfs2: fsid=syz:syz.0: File system withdrawn [ 97.064914][ T5225] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 97.070315][ T5223] CPU: 0 PID: 5223 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 97.089369][ T5223] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 97.099582][ T5223] Call Trace: [ 97.102867][ T5223] [ 97.105798][ T5223] dump_stack_lvl+0x1e7/0x2d0 [ 97.110479][ T5223] ? nf_tcp_handle_invalid+0x650/0x650 [ 97.115953][ T5223] ? panic+0x770/0x770 [ 97.120038][ T5223] gfs2_withdraw+0xc94/0x11e0 [ 97.124727][ T5223] gfs2_dirent_scan+0x512/0x640 [ 97.129579][ T5223] ? gfs2_permission+0x268/0x3c0 [ 97.134528][ T5223] ? gfs2_dirent_search+0x8c0/0x8c0 [ 97.139768][ T5223] gfs2_dirent_search+0x30e/0x8c0 [ 97.144801][ T5223] ? gfs2_dirent_search+0x8c0/0x8c0 [ 97.150017][ T5223] ? generic_permission+0x1df/0x550 [ 97.155241][ T5223] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5226] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5222] exit_group(0 [pid 5226] <... futex resumed>) = ? [pid 5222] <... exit_group resumed>) = ? [pid 5226] +++ exited with 0 +++ [ 97.160209][ T5223] ? gfs2_permission+0x34a/0x3c0 [ 97.165197][ T5223] gfs2_dir_search+0xb2/0x2f0 [ 97.169984][ T5223] ? do_filldir_main+0x520/0x520 [ 97.175490][ T5223] ? inode_go_held+0xea/0x200 [ 97.180190][ T5223] ? gfs2_glock_wait+0x21a/0x2b0 [ 97.185136][ T5223] gfs2_lookupi+0x460/0x5d0 [ 97.189662][ T5223] ? gfs2_lookup_simple+0x180/0x180 [ 97.195252][ T5223] ? __gfs2_lookup+0xa4/0x270 [ 97.199959][ T5223] __gfs2_lookup+0xa4/0x270 [ 97.204515][ T5223] ? gfs2_atomic_open+0x230/0x230 [ 97.209638][ T5223] ? __d_lookup+0x675/0x730 [ 97.214165][ T5223] ? d_hash_and_lookup+0x1b0/0x1b0 [ 97.219290][ T5223] gfs2_atomic_open+0x9e/0x230 [ 97.224072][ T5223] path_openat+0x1044/0x3180 [ 97.228749][ T5223] ? gfs2_rename2+0x25a0/0x25a0 [ 97.233606][ T5223] ? do_filp_open+0x490/0x490 [ 97.238288][ T5223] do_filp_open+0x234/0x490 [ 97.242787][ T5223] ? vfs_tmpfile+0x4b0/0x4b0 [ 97.247385][ T5223] ? _raw_spin_unlock+0x28/0x40 [ 97.252232][ T5223] ? alloc_fd+0x59c/0x640 [ 97.256651][ T5223] do_sys_openat2+0x13e/0x1d0 [ 97.261357][ T5223] ? do_sys_open+0x230/0x230 [ 97.266057][ T5223] ? lockdep_hardirqs_on+0x98/0x140 [ 97.271255][ T5223] ? _raw_spin_unlock_irq+0x2e/0x50 [ 97.276577][ T5223] ? ptrace_notify+0x278/0x380 [ 97.281386][ T5223] __x64_sys_open+0x225/0x270 [ 97.286071][ T5223] ? do_sys_openat2+0x1d0/0x1d0 [ 97.291210][ T5223] ? syscall_enter_from_user_mode+0x32/0x230 [ 97.297293][ T5223] ? syscall_enter_from_user_mode+0x8c/0x230 [ 97.303387][ T5223] do_syscall_64+0x41/0xc0 [ 97.307915][ T5223] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 97.313812][ T5223] RIP: 0033:0x7f012f71fa59 [ 97.318225][ T5223] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 97.337934][ T5223] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 97.346356][ T5223] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 97.354324][ T5223] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5225] <... openat resumed>) = ? [pid 5223] <... open resumed>) = ? [pid 5225] +++ exited with 0 +++ [pid 5223] +++ exited with 0 +++ [pid 5222] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5222, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=41 /* 0.41 s */} --- umount2("./47", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./47", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./47/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./47/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./47/binderfs") = 0 [ 97.362301][ T5223] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 97.370294][ T5223] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 97.378291][ T5223] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 97.386278][ T5223] umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./47/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./47/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./47/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./47") = 0 mkdir("./48", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5227 ./strace-static-x86_64: Process 5227 attached [pid 5227] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5227] chdir("./48") = 0 [pid 5227] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5227] setpgid(0, 0) = 0 [pid 5227] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5227] write(3, "1000", 4) = 4 [pid 5227] close(3) = 0 [pid 5227] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5227] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5227] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5227] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5227] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5227] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5227] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5227] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5228]}, 88) = 5228 [pid 5227] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5227] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5227] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5228 attached [pid 5228] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5228] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5228] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5228] memfd_create("syzkaller", 0) = 3 [pid 5228] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5228] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5228] munmap(0x7f01272bc000, 16777216) = 0 [pid 5228] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5228] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5228] close(3) = 0 [pid 5228] mkdir("./file0", 0777) = 0 [ 97.684128][ T5228] loop0: detected capacity change from 0 to 32768 [ 97.696304][ T5228] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 97.704799][ T5228] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 97.714068][ T5228] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 97.722631][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 97.730604][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5228] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5228] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5228] chdir("./file0") = 0 [pid 5228] ioctl(4, LOOP_CLR_FD) = 0 [pid 5228] close(4) = 0 [pid 5228] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5227] <... futex resumed>) = 0 [pid 5227] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5227] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5228] <... futex resumed>) = 1 [ 97.768817][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 97.777313][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 97.782986][ T5228] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 97.800433][ T5228] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 97.808930][ T5228] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5228] open("./file0", O_RDWR [pid 5227] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5227] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5227] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5227] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5227] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5227] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5230]}, 88) = 5230 [pid 5227] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5227] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5227] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5230 attached [pid 5230] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5230] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5230] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 97.808930][ T5228] inode = 12 2341 [ 97.808930][ T5228] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 97.828183][ T5228] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 97.837531][ T5228] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5228 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 97.847910][ T5228] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 97.857158][ T5228] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5230] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5230] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5227] <... futex resumed>) = 0 [pid 5227] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5227] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5230] <... futex resumed>) = 1 [pid 5230] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5230] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5227] <... futex resumed>) = 0 [pid 5230] <... futex resumed>) = 1 [ 97.864774][ T5228] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 97.873843][ T5228] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 97.880589][ T5228] gfs2: fsid=syz:syz.0: File system withdrawn [ 97.886670][ T5228] CPU: 0 PID: 5228 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 97.897175][ T5228] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 97.907251][ T5228] Call Trace: [ 97.910541][ T5228] [ 97.913464][ T5228] dump_stack_lvl+0x1e7/0x2d0 [ 97.918157][ T5228] ? nf_tcp_handle_invalid+0x650/0x650 [ 97.923632][ T5228] ? panic+0x770/0x770 [ 97.927720][ T5228] gfs2_withdraw+0xc94/0x11e0 [ 97.932418][ T5228] gfs2_dirent_scan+0x512/0x640 [ 97.937289][ T5228] ? gfs2_permission+0x268/0x3c0 [ 97.942230][ T5228] ? gfs2_dirent_search+0x8c0/0x8c0 [ 97.947469][ T5228] gfs2_dirent_search+0x30e/0x8c0 [ 97.952509][ T5228] ? gfs2_dirent_search+0x8c0/0x8c0 [ 97.957702][ T5228] ? generic_permission+0x1df/0x550 [ 97.962995][ T5228] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5230] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5227] exit_group(0 [pid 5230] <... futex resumed>) = ? [pid 5227] <... exit_group resumed>) = ? [pid 5230] +++ exited with 0 +++ [ 97.967949][ T5228] ? gfs2_permission+0x34a/0x3c0 [ 97.972910][ T5228] gfs2_dir_search+0xb2/0x2f0 [ 97.977594][ T5228] ? do_filldir_main+0x520/0x520 [ 97.982549][ T5228] ? inode_go_held+0xea/0x200 [ 97.987270][ T5228] ? gfs2_glock_wait+0x21a/0x2b0 [ 97.992323][ T5228] gfs2_lookupi+0x460/0x5d0 [ 97.996850][ T5228] ? gfs2_lookup_simple+0x180/0x180 [ 98.002057][ T5228] ? __gfs2_lookup+0xa4/0x270 [ 98.006779][ T5228] __gfs2_lookup+0xa4/0x270 [ 98.011323][ T5228] ? gfs2_atomic_open+0x230/0x230 [ 98.016365][ T5228] ? __d_lookup+0x675/0x730 [ 98.020874][ T5228] ? d_hash_and_lookup+0x1b0/0x1b0 [ 98.026002][ T5228] gfs2_atomic_open+0x9e/0x230 [ 98.030771][ T5228] path_openat+0x1044/0x3180 [ 98.035451][ T5228] ? gfs2_rename2+0x25a0/0x25a0 [ 98.040306][ T5228] ? do_filp_open+0x490/0x490 [ 98.044987][ T5228] do_filp_open+0x234/0x490 [ 98.049582][ T5228] ? vfs_tmpfile+0x4b0/0x4b0 [ 98.054355][ T5228] ? _raw_spin_unlock+0x28/0x40 [ 98.059217][ T5228] ? alloc_fd+0x59c/0x640 [ 98.063564][ T5228] do_sys_openat2+0x13e/0x1d0 [ 98.068236][ T5228] ? do_sys_open+0x230/0x230 [ 98.072833][ T5228] ? lockdep_hardirqs_on+0x98/0x140 [ 98.078135][ T5228] ? _raw_spin_unlock_irq+0x2e/0x50 [ 98.083442][ T5228] ? ptrace_notify+0x278/0x380 [ 98.088739][ T5228] __x64_sys_open+0x225/0x270 [ 98.093415][ T5228] ? do_sys_openat2+0x1d0/0x1d0 [ 98.098290][ T5228] ? syscall_enter_from_user_mode+0x32/0x230 [ 98.104288][ T5228] ? syscall_enter_from_user_mode+0x8c/0x230 [ 98.110274][ T5228] do_syscall_64+0x41/0xc0 [ 98.114688][ T5228] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 98.120577][ T5228] RIP: 0033:0x7f012f71fa59 [ 98.124988][ T5228] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 98.144598][ T5228] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 98.153022][ T5228] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 98.161003][ T5228] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5228] <... open resumed>) = ? [pid 5228] +++ exited with 0 +++ [pid 5227] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5227, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./48", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./48/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./48/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./48/binderfs") = 0 [ 98.168981][ T5228] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 98.176944][ T5228] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 98.184917][ T5228] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 98.192992][ T5228] umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./48/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./48/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./48") = 0 mkdir("./49", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5231 ./strace-static-x86_64: Process 5231 attached [pid 5231] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5231] chdir("./49") = 0 [pid 5231] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5231] setpgid(0, 0) = 0 [pid 5231] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5231] write(3, "1000", 4) = 4 [pid 5231] close(3) = 0 [pid 5231] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5231] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5231] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5231] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5231] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5231] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5231] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5231] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5232]}, 88) = 5232 [pid 5231] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5231] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5231] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5232 attached [pid 5232] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5232] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5232] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5232] memfd_create("syzkaller", 0) = 3 [pid 5232] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5232] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5232] munmap(0x7f01272bc000, 16777216) = 0 [pid 5232] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5232] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5232] close(3) = 0 [pid 5232] mkdir("./file0", 0777) = 0 [ 98.524317][ T5232] loop0: detected capacity change from 0 to 32768 [ 98.534881][ T5232] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 98.543154][ T5232] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 98.553788][ T5232] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 98.562376][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 98.569163][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5232] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5232] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5232] chdir("./file0") = 0 [pid 5232] ioctl(4, LOOP_CLR_FD) = 0 [pid 5232] close(4) = 0 [pid 5232] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5231] <... futex resumed>) = 0 [pid 5231] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5231] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5232] <... futex resumed>) = 1 [ 98.601570][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 98.610872][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 98.616119][ T5232] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 98.634132][ T5232] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 98.642947][ T5232] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5232] open("./file0", O_RDWR [pid 5231] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5231] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5231] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5231] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5231] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5231] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5234]}, 88) = 5234 [pid 5231] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5231] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5231] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5234 attached [pid 5234] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5234] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5234] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5234] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5234] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5231] <... futex resumed>) = 0 [pid 5231] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5231] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5234] <... futex resumed>) = 1 [ 98.642947][ T5232] inode = 12 2341 [ 98.642947][ T5232] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 98.662241][ T5232] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 98.671931][ T5232] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5232 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 98.682295][ T5232] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 98.691137][ T5232] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5234] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5234] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5231] <... futex resumed>) = 0 [pid 5234] <... futex resumed>) = 1 [ 98.698679][ T5232] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 98.707935][ T5232] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 98.714843][ T5232] gfs2: fsid=syz:syz.0: File system withdrawn [ 98.721202][ T5232] CPU: 0 PID: 5232 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 98.731640][ T5232] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 98.741683][ T5232] Call Trace: [ 98.744973][ T5232] [ 98.747903][ T5232] dump_stack_lvl+0x1e7/0x2d0 [ 98.752581][ T5232] ? nf_tcp_handle_invalid+0x650/0x650 [ 98.758035][ T5232] ? panic+0x770/0x770 [ 98.762103][ T5232] gfs2_withdraw+0xc94/0x11e0 [ 98.766888][ T5232] gfs2_dirent_scan+0x512/0x640 [ 98.771748][ T5232] ? gfs2_permission+0x268/0x3c0 [ 98.776683][ T5232] ? gfs2_dirent_search+0x8c0/0x8c0 [ 98.781881][ T5232] gfs2_dirent_search+0x30e/0x8c0 [ 98.786897][ T5232] ? gfs2_dirent_search+0x8c0/0x8c0 [ 98.792083][ T5232] ? generic_permission+0x1df/0x550 [ 98.797287][ T5232] ? gfs2_dir_search+0x2f0/0x2f0 [ 98.802314][ T5232] ? gfs2_permission+0x34a/0x3c0 [ 98.807251][ T5232] gfs2_dir_search+0xb2/0x2f0 [ 98.811922][ T5232] ? do_filldir_main+0x520/0x520 [ 98.816856][ T5232] ? inode_go_held+0xea/0x200 [ 98.821524][ T5232] ? gfs2_glock_wait+0x21a/0x2b0 [ 98.826468][ T5232] gfs2_lookupi+0x460/0x5d0 [ 98.830965][ T5232] ? gfs2_lookup_simple+0x180/0x180 [ 98.836147][ T5232] ? __gfs2_lookup+0xa4/0x270 [ 98.840814][ T5232] __gfs2_lookup+0xa4/0x270 [ 98.845302][ T5232] ? gfs2_atomic_open+0x230/0x230 [ 98.850319][ T5232] ? __d_lookup+0x675/0x730 [ 98.854808][ T5232] ? d_hash_and_lookup+0x1b0/0x1b0 [ 98.859907][ T5232] gfs2_atomic_open+0x9e/0x230 [ 98.864780][ T5232] path_openat+0x1044/0x3180 [ 98.869479][ T5232] ? gfs2_rename2+0x25a0/0x25a0 [ 98.874372][ T5232] ? do_filp_open+0x490/0x490 [ 98.879052][ T5232] do_filp_open+0x234/0x490 [ 98.883547][ T5232] ? vfs_tmpfile+0x4b0/0x4b0 [ 98.888158][ T5232] ? _raw_spin_unlock+0x28/0x40 [ 98.893011][ T5232] ? alloc_fd+0x59c/0x640 [ 98.897617][ T5232] do_sys_openat2+0x13e/0x1d0 [ 98.902303][ T5232] ? do_sys_open+0x230/0x230 [ 98.906922][ T5232] ? lockdep_hardirqs_on+0x98/0x140 [ 98.914130][ T5232] ? _raw_spin_unlock_irq+0x2e/0x50 [ 98.919358][ T5232] ? ptrace_notify+0x278/0x380 [ 98.924134][ T5232] __x64_sys_open+0x225/0x270 [ 98.928890][ T5232] ? do_sys_openat2+0x1d0/0x1d0 [ 98.933744][ T5232] ? syscall_enter_from_user_mode+0x32/0x230 [ 98.939722][ T5232] ? syscall_enter_from_user_mode+0x8c/0x230 [ 98.945690][ T5232] do_syscall_64+0x41/0xc0 [ 98.950098][ T5232] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 98.955984][ T5232] RIP: 0033:0x7f012f71fa59 [ 98.960386][ T5232] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 98.979981][ T5232] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 98.988406][ T5232] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5234] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5232] <... open resumed>) = -1 EIO (Input/output error) [pid 5232] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5231] exit_group(0 [pid 5234] <... futex resumed>) = ? [pid 5231] <... exit_group resumed>) = ? [pid 5234] +++ exited with 0 +++ [pid 5232] <... futex resumed>) = ? [pid 5232] +++ exited with 0 +++ [pid 5231] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5231, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=30 /* 0.30 s */} --- umount2("./49", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./49/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./49/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./49/binderfs") = 0 [ 98.996366][ T5232] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 99.004324][ T5232] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 99.012284][ T5232] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 99.020246][ T5232] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 99.028218][ T5232] umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./49/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./49/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./49") = 0 mkdir("./50", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5235 ./strace-static-x86_64: Process 5235 attached [pid 5235] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5235] chdir("./50") = 0 [pid 5235] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5235] setpgid(0, 0) = 0 [pid 5235] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5235] write(3, "1000", 4) = 4 [pid 5235] close(3) = 0 [pid 5235] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5235] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5235] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5235] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5235] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5235] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5235] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5236 attached [pid 5236] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5236] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5236] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5236] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5235] <... clone3 resumed> => {parent_tid=[5236]}, 88) = 5236 [pid 5235] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5235] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5236] <... futex resumed>) = 0 [pid 5235] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5236] memfd_create("syzkaller", 0) = 3 [pid 5236] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5236] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5236] munmap(0x7f01272bc000, 16777216) = 0 [pid 5236] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5236] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5236] close(3) = 0 [pid 5236] mkdir("./file0", 0777) = 0 [ 99.341939][ T5236] loop0: detected capacity change from 0 to 32768 [ 99.352771][ T5236] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 99.361373][ T5236] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 99.371257][ T5236] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 99.379771][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 99.386544][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5236] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5236] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5236] chdir("./file0") = 0 [pid 5236] ioctl(4, LOOP_CLR_FD) = 0 [pid 5236] close(4) = 0 [pid 5236] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5235] <... futex resumed>) = 0 [pid 5235] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5236] <... futex resumed>) = 1 [ 99.426858][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 99.435880][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 99.441326][ T5236] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 99.454873][ T5236] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 99.464124][ T5236] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 99.464124][ T5236] inode = 12 2341 [pid 5236] open("./file0", O_RDWR [pid 5235] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5235] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5235] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5235] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5235] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5238]}, 88) = 5238 [pid 5235] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5235] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5238 attached [pid 5238] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5238] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5238] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5238] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5238] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5235] <... futex resumed>) = 0 [pid 5235] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5238] <... futex resumed>) = 1 [pid 5238] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5238] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5235] <... futex resumed>) = 0 [pid 5238] <... futex resumed>) = 1 [ 99.464124][ T5236] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 99.483716][ T5236] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 99.493297][ T5236] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5236 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 99.503846][ T5236] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 99.514730][ T5236] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 99.522311][ T5236] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 99.531269][ T5236] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 99.538135][ T5236] gfs2: fsid=syz:syz.0: File system withdrawn [ 99.544713][ T5236] CPU: 0 PID: 5236 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 99.555120][ T5236] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 99.565168][ T5236] Call Trace: [ 99.568436][ T5236] [ 99.571354][ T5236] dump_stack_lvl+0x1e7/0x2d0 [ 99.576020][ T5236] ? nf_tcp_handle_invalid+0x650/0x650 [ 99.581466][ T5236] ? panic+0x770/0x770 [ 99.585526][ T5236] gfs2_withdraw+0xc94/0x11e0 [ 99.590204][ T5236] gfs2_dirent_scan+0x512/0x640 [ 99.595060][ T5236] ? gfs2_permission+0x268/0x3c0 [ 99.599992][ T5236] ? gfs2_dirent_search+0x8c0/0x8c0 [ 99.605189][ T5236] gfs2_dirent_search+0x30e/0x8c0 [ 99.610213][ T5236] ? gfs2_dirent_search+0x8c0/0x8c0 [ 99.615406][ T5236] ? generic_permission+0x1df/0x550 [ 99.620600][ T5236] ? gfs2_dir_search+0x2f0/0x2f0 [ 99.625532][ T5236] ? gfs2_permission+0x34a/0x3c0 [ 99.630469][ T5236] gfs2_dir_search+0xb2/0x2f0 [ 99.635141][ T5236] ? do_filldir_main+0x520/0x520 [ 99.640077][ T5236] ? inode_go_held+0xea/0x200 [ 99.644757][ T5236] ? gfs2_glock_wait+0x21a/0x2b0 [ 99.649690][ T5236] gfs2_lookupi+0x460/0x5d0 [ 99.654198][ T5236] ? gfs2_lookup_simple+0x180/0x180 [ 99.659414][ T5236] ? __gfs2_lookup+0xa4/0x270 [ 99.664202][ T5236] ? preempt_schedule_thunk+0x1a/0x30 [ 99.669601][ T5236] ? d_alloc_parallel+0x12b3/0x13a0 [ 99.674811][ T5236] __gfs2_lookup+0xa4/0x270 [ 99.679319][ T5236] ? gfs2_atomic_open+0x230/0x230 [ 99.684345][ T5236] ? __d_lookup+0x675/0x730 [ 99.688844][ T5236] ? d_hash_and_lookup+0x1b0/0x1b0 [ 99.693951][ T5236] gfs2_atomic_open+0x9e/0x230 [ 99.698714][ T5236] path_openat+0x1044/0x3180 [ 99.703303][ T5236] ? gfs2_rename2+0x25a0/0x25a0 [ 99.708160][ T5236] ? do_filp_open+0x490/0x490 [ 99.712846][ T5236] do_filp_open+0x234/0x490 [ 99.717344][ T5236] ? vfs_tmpfile+0x4b0/0x4b0 [ 99.721944][ T5236] ? _raw_spin_unlock+0x28/0x40 [ 99.726793][ T5236] ? alloc_fd+0x59c/0x640 [ 99.731126][ T5236] do_sys_openat2+0x13e/0x1d0 [ 99.735799][ T5236] ? do_sys_open+0x230/0x230 [ 99.740385][ T5236] ? lockdep_hardirqs_on+0x98/0x140 [ 99.745603][ T5236] ? _raw_spin_unlock_irq+0x2e/0x50 [ 99.750811][ T5236] ? ptrace_notify+0x278/0x380 [ 99.755587][ T5236] __x64_sys_open+0x225/0x270 [ 99.760279][ T5236] ? do_sys_openat2+0x1d0/0x1d0 [ 99.765138][ T5236] ? syscall_enter_from_user_mode+0x32/0x230 [ 99.771121][ T5236] ? syscall_enter_from_user_mode+0x8c/0x230 [ 99.777299][ T5236] do_syscall_64+0x41/0xc0 [ 99.781710][ T5236] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 99.787605][ T5236] RIP: 0033:0x7f012f71fa59 [ 99.792020][ T5236] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 99.811621][ T5236] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 99.820034][ T5236] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5238] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5236] <... open resumed>) = -1 EIO (Input/output error) [pid 5236] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5235] exit_group(0 [pid 5238] <... futex resumed>) = ? [pid 5235] <... exit_group resumed>) = ? [pid 5238] +++ exited with 0 +++ [pid 5236] <... futex resumed>) = ? [pid 5236] +++ exited with 0 +++ [pid 5235] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5235, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=25 /* 0.25 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./50", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./50", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./50/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./50/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./50/binderfs") = 0 [ 99.828131][ T5236] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 99.836126][ T5236] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 99.844104][ T5236] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 99.852088][ T5236] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 99.860087][ T5236] umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./50/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./50/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./50/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./50") = 0 mkdir("./51", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5239 ./strace-static-x86_64: Process 5239 attached [pid 5239] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5239] chdir("./51") = 0 [pid 5239] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5239] setpgid(0, 0) = 0 [pid 5239] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5239] write(3, "1000", 4) = 4 [pid 5239] close(3) = 0 [pid 5239] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5239] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5239] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5239] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5239] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5239] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5239] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5239] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5240 attached => {parent_tid=[5240]}, 88) = 5240 [pid 5240] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5240] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5240] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5240] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5239] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5239] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5240] <... futex resumed>) = 0 [pid 5239] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5240] memfd_create("syzkaller", 0) = 3 [pid 5240] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5240] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5240] munmap(0x7f01272bc000, 16777216) = 0 [pid 5240] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5240] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5240] close(3) = 0 [pid 5240] mkdir("./file0", 0777) = 0 [ 100.169133][ T5240] loop0: detected capacity change from 0 to 32768 [ 100.179648][ T5240] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 100.187941][ T5240] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 100.197010][ T5240] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 100.205814][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 100.212819][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5240] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5240] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5240] chdir("./file0") = 0 [pid 5240] ioctl(4, LOOP_CLR_FD) = 0 [pid 5240] close(4) = 0 [pid 5240] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5239] <... futex resumed>) = 0 [pid 5239] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5239] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5240] <... futex resumed>) = 1 [ 100.246932][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 100.255877][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 100.261283][ T5240] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 100.280329][ T5240] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 100.289142][ T5240] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5240] open("./file0", O_RDWR [pid 5239] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5239] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5239] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5239] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5239] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5239] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5242]}, 88) = 5242 [pid 5239] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5239] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5239] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5242 attached [pid 5242] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5242] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5242] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5242] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5242] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5239] <... futex resumed>) = 0 [pid 5239] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5239] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5242] <... futex resumed>) = 1 [pid 5242] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5242] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5239] <... futex resumed>) = 0 [pid 5242] <... futex resumed>) = 1 [ 100.289142][ T5240] inode = 12 2341 [ 100.289142][ T5240] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 100.308473][ T5240] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 100.318010][ T5240] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5240 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 100.328511][ T5240] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 100.337940][ T5240] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 100.345407][ T5240] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 100.354310][ T5240] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 100.361276][ T5240] gfs2: fsid=syz:syz.0: File system withdrawn [ 100.367414][ T5240] CPU: 1 PID: 5240 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 100.378017][ T5240] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 100.388071][ T5240] Call Trace: [ 100.391356][ T5240] [ 100.394306][ T5240] dump_stack_lvl+0x1e7/0x2d0 [ 100.398988][ T5240] ? nf_tcp_handle_invalid+0x650/0x650 [ 100.404444][ T5240] ? panic+0x770/0x770 [ 100.408513][ T5240] gfs2_withdraw+0xc94/0x11e0 [ 100.413236][ T5240] gfs2_dirent_scan+0x512/0x640 [ 100.418117][ T5240] ? gfs2_permission+0x268/0x3c0 [ 100.423082][ T5240] ? gfs2_dirent_search+0x8c0/0x8c0 [ 100.428301][ T5240] gfs2_dirent_search+0x30e/0x8c0 [ 100.433340][ T5240] ? gfs2_dirent_search+0x8c0/0x8c0 [ 100.438577][ T5240] ? generic_permission+0x1df/0x550 [ 100.443813][ T5240] ? gfs2_dir_search+0x2f0/0x2f0 [ 100.449825][ T5240] ? gfs2_permission+0x34a/0x3c0 [ 100.454786][ T5240] gfs2_dir_search+0xb2/0x2f0 [ 100.459476][ T5240] ? do_filldir_main+0x520/0x520 [ 100.464425][ T5240] ? inode_go_held+0xea/0x200 [ 100.469112][ T5240] ? gfs2_glock_wait+0x21a/0x2b0 [ 100.474056][ T5240] gfs2_lookupi+0x460/0x5d0 [ 100.478567][ T5240] ? gfs2_lookup_simple+0x180/0x180 [ 100.483790][ T5240] ? __gfs2_lookup+0xa4/0x270 [ 100.488498][ T5240] __gfs2_lookup+0xa4/0x270 [ 100.493015][ T5240] ? gfs2_atomic_open+0x230/0x230 [ 100.498067][ T5240] ? __d_lookup+0x675/0x730 [ 100.502584][ T5240] ? d_hash_and_lookup+0x1b0/0x1b0 [ 100.507728][ T5240] gfs2_atomic_open+0x9e/0x230 [ 100.512526][ T5240] path_openat+0x1044/0x3180 [ 100.517141][ T5240] ? gfs2_rename2+0x25a0/0x25a0 [ 100.522024][ T5240] ? do_filp_open+0x490/0x490 [ 100.526728][ T5240] do_filp_open+0x234/0x490 [ 100.531235][ T5240] ? vfs_tmpfile+0x4b0/0x4b0 [ 100.535840][ T5240] ? _raw_spin_unlock+0x28/0x40 [ 100.540690][ T5240] ? alloc_fd+0x59c/0x640 [ 100.545031][ T5240] do_sys_openat2+0x13e/0x1d0 [ 100.549704][ T5240] ? do_sys_open+0x230/0x230 [ 100.554323][ T5240] ? lockdep_hardirqs_on+0x98/0x140 [ 100.559542][ T5240] ? _raw_spin_unlock_irq+0x2e/0x50 [ 100.564749][ T5240] ? ptrace_notify+0x278/0x380 [ 100.569512][ T5240] __x64_sys_open+0x225/0x270 [ 100.574189][ T5240] ? do_sys_openat2+0x1d0/0x1d0 [ 100.579038][ T5240] ? syscall_enter_from_user_mode+0x32/0x230 [ 100.585022][ T5240] ? syscall_enter_from_user_mode+0x8c/0x230 [ 100.591004][ T5240] do_syscall_64+0x41/0xc0 [ 100.595437][ T5240] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 100.601352][ T5240] RIP: 0033:0x7f012f71fa59 [ 100.605788][ T5240] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 100.625404][ T5240] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 100.633818][ T5240] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5242] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5240] <... open resumed>) = -1 EIO (Input/output error) [pid 5240] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5240] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5239] exit_group(0) = ? [pid 5242] <... futex resumed>) = ? [pid 5240] <... futex resumed>) = ? [pid 5242] +++ exited with 0 +++ [pid 5240] +++ exited with 0 +++ [pid 5239] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5239, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=29 /* 0.29 s */} --- umount2("./51", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./51/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./51/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./51/binderfs") = 0 [ 100.641803][ T5240] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 100.649792][ T5240] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 100.657874][ T5240] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 100.665888][ T5240] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 100.673899][ T5240] umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./51/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./51/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./51") = 0 mkdir("./52", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5243 ./strace-static-x86_64: Process 5243 attached [pid 5243] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5243] chdir("./52") = 0 [pid 5243] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5243] setpgid(0, 0) = 0 [pid 5243] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5243] write(3, "1000", 4) = 4 [pid 5243] close(3) = 0 [pid 5243] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5243] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5243] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5243] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5243] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5243] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5243] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5243] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5244]}, 88) = 5244 [pid 5243] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5243] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5243] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5244 attached [pid 5244] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5244] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5244] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5244] memfd_create("syzkaller", 0) = 3 [pid 5244] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5244] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5244] munmap(0x7f01272bc000, 16777216) = 0 [pid 5244] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5244] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5244] close(3) = 0 [pid 5244] mkdir("./file0", 0777) = 0 [ 100.989704][ T5244] loop0: detected capacity change from 0 to 32768 [ 101.001705][ T5244] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 101.010300][ T5244] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 101.020364][ T5244] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 101.028848][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 101.035990][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5244] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5244] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5244] chdir("./file0") = 0 [pid 5244] ioctl(4, LOOP_CLR_FD) = 0 [pid 5244] close(4) = 0 [pid 5244] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5243] <... futex resumed>) = 0 [pid 5244] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5243] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5244] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5244] open("./file0", O_RDWR [pid 5243] <... futex resumed>) = 0 [ 101.077142][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 101.084703][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 101.090040][ T5244] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 101.115107][ T5244] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5243] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5243] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5243] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [ 101.123639][ T5244] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 101.123639][ T5244] inode = 12 2341 [ 101.123639][ T5244] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 101.143467][ T5244] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 101.153654][ T5244] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5244 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 101.164347][ T5244] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5243] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5243] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5243] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5246]}, 88) = 5246 [pid 5243] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5243] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5243] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5246 attached [pid 5246] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5246] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5246] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5246] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5246] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5243] <... futex resumed>) = 0 [pid 5243] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5243] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5246] <... futex resumed>) = 1 [pid 5246] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5246] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5243] <... futex resumed>) = 0 [pid 5246] <... futex resumed>) = 1 [ 101.174915][ T5244] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 101.182586][ T5244] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 101.191623][ T5244] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 101.198310][ T5244] gfs2: fsid=syz:syz.0: File system withdrawn [ 101.204567][ T5244] CPU: 1 PID: 5244 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 101.214994][ T5244] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 101.225046][ T5244] Call Trace: [ 101.228335][ T5244] [ 101.231281][ T5244] dump_stack_lvl+0x1e7/0x2d0 [ 101.235976][ T5244] ? nf_tcp_handle_invalid+0x650/0x650 [ 101.241429][ T5244] ? panic+0x770/0x770 [ 101.245500][ T5244] gfs2_withdraw+0xc94/0x11e0 [ 101.250228][ T5244] gfs2_dirent_scan+0x512/0x640 [ 101.255193][ T5244] ? gfs2_permission+0x268/0x3c0 [ 101.260161][ T5244] ? gfs2_dirent_search+0x8c0/0x8c0 [ 101.265374][ T5244] gfs2_dirent_search+0x30e/0x8c0 [ 101.270576][ T5244] ? gfs2_dirent_search+0x8c0/0x8c0 [ 101.275881][ T5244] ? generic_permission+0x1df/0x550 [ 101.281170][ T5244] ? gfs2_dir_search+0x2f0/0x2f0 [ 101.286301][ T5244] ? gfs2_permission+0x34a/0x3c0 [ 101.291267][ T5244] gfs2_dir_search+0xb2/0x2f0 [ 101.295984][ T5244] ? do_filldir_main+0x520/0x520 [ 101.300964][ T5244] ? inode_go_held+0xea/0x200 [ 101.305660][ T5244] ? gfs2_glock_wait+0x21a/0x2b0 [ 101.310599][ T5244] gfs2_lookupi+0x460/0x5d0 [ 101.315112][ T5244] ? gfs2_lookup_simple+0x180/0x180 [ 101.320329][ T5244] ? __gfs2_lookup+0xa4/0x270 [ 101.325033][ T5244] __gfs2_lookup+0xa4/0x270 [ 101.329543][ T5244] ? gfs2_atomic_open+0x230/0x230 [ 101.334689][ T5244] ? __d_lookup+0x675/0x730 [ 101.339213][ T5244] ? d_hash_and_lookup+0x1b0/0x1b0 [ 101.344336][ T5244] gfs2_atomic_open+0x9e/0x230 [ 101.349110][ T5244] path_openat+0x1044/0x3180 [ 101.353744][ T5244] ? gfs2_rename2+0x25a0/0x25a0 [ 101.358642][ T5244] ? do_filp_open+0x490/0x490 [ 101.363346][ T5244] do_filp_open+0x234/0x490 [ 101.367863][ T5244] ? vfs_tmpfile+0x4b0/0x4b0 [ 101.372483][ T5244] ? _raw_spin_unlock+0x28/0x40 [ 101.377356][ T5244] ? alloc_fd+0x59c/0x640 [ 101.381716][ T5244] do_sys_openat2+0x13e/0x1d0 [ 101.386403][ T5244] ? do_sys_open+0x230/0x230 [ 101.390994][ T5244] ? lockdep_hardirqs_on+0x98/0x140 [ 101.396222][ T5244] ? _raw_spin_unlock_irq+0x2e/0x50 [ 101.401426][ T5244] ? ptrace_notify+0x278/0x380 [ 101.406190][ T5244] __x64_sys_open+0x225/0x270 [ 101.410868][ T5244] ? do_sys_openat2+0x1d0/0x1d0 [ 101.415721][ T5244] ? syscall_enter_from_user_mode+0x32/0x230 [ 101.421707][ T5244] ? syscall_enter_from_user_mode+0x8c/0x230 [ 101.427716][ T5244] do_syscall_64+0x41/0xc0 [ 101.432132][ T5244] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 101.438030][ T5244] RIP: 0033:0x7f012f71fa59 [ 101.442441][ T5244] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 101.462061][ T5244] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 101.470480][ T5244] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5246] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5244] <... open resumed>) = -1 EIO (Input/output error) [pid 5244] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5243] exit_group(0 [pid 5244] <... futex resumed>) = ? [pid 5244] +++ exited with 0 +++ [pid 5243] <... exit_group resumed>) = ? [pid 5246] <... futex resumed>) = ? [pid 5246] +++ exited with 0 +++ [pid 5243] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5243, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=26 /* 0.26 s */} --- umount2("./52", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./52", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./52/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./52/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./52/binderfs") = 0 [ 101.478467][ T5244] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 101.486458][ T5244] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 101.494436][ T5244] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 101.502409][ T5244] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 101.510407][ T5244] umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./52/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./52/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./52/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./52") = 0 mkdir("./53", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5247 ./strace-static-x86_64: Process 5247 attached [pid 5247] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5247] chdir("./53") = 0 [pid 5247] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5247] setpgid(0, 0) = 0 [pid 5247] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5247] write(3, "1000", 4) = 4 [pid 5247] close(3) = 0 [pid 5247] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5247] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5247] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5247] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5247] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5247] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5247] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5247] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5248]}, 88) = 5248 ./strace-static-x86_64: Process 5248 attached [pid 5247] rt_sigprocmask(SIG_SETMASK, [], [pid 5248] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5248] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5248] rt_sigprocmask(SIG_SETMASK, [], [pid 5247] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5248] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5248] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5247] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5247] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5248] <... futex resumed>) = 0 [pid 5248] memfd_create("syzkaller", 0) = 3 [pid 5248] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5248] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5248] munmap(0x7f01272bc000, 16777216) = 0 [pid 5248] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5248] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5248] close(3) = 0 [pid 5248] mkdir("./file0", 0777) = 0 [ 101.832235][ T5248] loop0: detected capacity change from 0 to 32768 [ 101.844283][ T5248] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 101.852759][ T5248] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 101.862651][ T5248] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 101.871668][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 101.878439][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5248] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5248] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5248] chdir("./file0") = 0 [pid 5248] ioctl(4, LOOP_CLR_FD) = 0 [pid 5248] close(4) = 0 [pid 5248] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5247] <... futex resumed>) = 0 [pid 5248] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5247] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5248] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5247] <... futex resumed>) = 0 [pid 5248] open("./file0", O_RDWR [ 101.918814][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 101.926386][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 101.931752][ T5248] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 101.951155][ T5248] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 101.960093][ T5248] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5247] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5247] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5247] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5247] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5247] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5247] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5250]}, 88) = 5250 [pid 5247] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5247] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5247] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5250 attached [pid 5250] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5250] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5250] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5250] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5250] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5247] <... futex resumed>) = 0 [pid 5247] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5247] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5250] <... futex resumed>) = 1 [pid 5250] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5250] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5247] <... futex resumed>) = 0 [pid 5250] <... futex resumed>) = 1 [ 101.960093][ T5248] inode = 12 2341 [ 101.960093][ T5248] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 101.978996][ T5248] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 101.988213][ T5248] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5248 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 101.998409][ T5248] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 102.006963][ T5248] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 102.014293][ T5248] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 102.023293][ T5248] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 102.029924][ T5248] gfs2: fsid=syz:syz.0: File system withdrawn [ 102.035997][ T5248] CPU: 1 PID: 5248 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 102.046428][ T5248] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 102.056480][ T5248] Call Trace: [ 102.059763][ T5248] [ 102.062701][ T5248] dump_stack_lvl+0x1e7/0x2d0 [ 102.067374][ T5248] ? nf_tcp_handle_invalid+0x650/0x650 [ 102.072825][ T5248] ? panic+0x770/0x770 [ 102.076900][ T5248] gfs2_withdraw+0xc94/0x11e0 [ 102.081577][ T5248] gfs2_dirent_scan+0x512/0x640 [ 102.086426][ T5248] ? gfs2_permission+0x268/0x3c0 [ 102.091375][ T5248] ? gfs2_dirent_search+0x8c0/0x8c0 [ 102.096593][ T5248] gfs2_dirent_search+0x30e/0x8c0 [ 102.101794][ T5248] ? gfs2_dirent_search+0x8c0/0x8c0 [ 102.106998][ T5248] ? generic_permission+0x1df/0x550 [ 102.112207][ T5248] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5250] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5247] exit_group(0 [pid 5250] <... futex resumed>) = ? [pid 5247] <... exit_group resumed>) = ? [pid 5250] +++ exited with 0 +++ [ 102.117141][ T5248] ? gfs2_permission+0x34a/0x3c0 [ 102.122090][ T5248] gfs2_dir_search+0xb2/0x2f0 [ 102.126786][ T5248] ? do_filldir_main+0x520/0x520 [ 102.131813][ T5248] ? inode_go_held+0xea/0x200 [ 102.136490][ T5248] ? gfs2_glock_wait+0x21a/0x2b0 [ 102.141436][ T5248] gfs2_lookupi+0x460/0x5d0 [ 102.145937][ T5248] ? gfs2_lookup_simple+0x180/0x180 [ 102.151220][ T5248] ? __gfs2_lookup+0xa4/0x270 [ 102.155912][ T5248] __gfs2_lookup+0xa4/0x270 [ 102.160430][ T5248] ? gfs2_atomic_open+0x230/0x230 [ 102.165459][ T5248] ? __d_lookup+0x675/0x730 [ 102.169974][ T5248] ? d_hash_and_lookup+0x1b0/0x1b0 [ 102.175083][ T5248] gfs2_atomic_open+0x9e/0x230 [ 102.179847][ T5248] path_openat+0x1044/0x3180 [ 102.184451][ T5248] ? gfs2_rename2+0x25a0/0x25a0 [ 102.189337][ T5248] ? do_filp_open+0x490/0x490 [ 102.194051][ T5248] do_filp_open+0x234/0x490 [ 102.198571][ T5248] ? vfs_tmpfile+0x4b0/0x4b0 [ 102.203166][ T5248] ? _raw_spin_unlock+0x28/0x40 [ 102.208009][ T5248] ? alloc_fd+0x59c/0x640 [ 102.212342][ T5248] do_sys_openat2+0x13e/0x1d0 [ 102.217111][ T5248] ? do_sys_open+0x230/0x230 [ 102.221711][ T5248] ? lockdep_hardirqs_on+0x98/0x140 [ 102.226901][ T5248] ? _raw_spin_unlock_irq+0x2e/0x50 [ 102.232107][ T5248] ? ptrace_notify+0x278/0x380 [ 102.236884][ T5248] __x64_sys_open+0x225/0x270 [ 102.241569][ T5248] ? do_sys_openat2+0x1d0/0x1d0 [ 102.246435][ T5248] ? syscall_enter_from_user_mode+0x32/0x230 [ 102.252436][ T5248] ? syscall_enter_from_user_mode+0x8c/0x230 [ 102.258436][ T5248] do_syscall_64+0x41/0xc0 [ 102.262851][ T5248] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 102.268760][ T5248] RIP: 0033:0x7f012f71fa59 [ 102.273182][ T5248] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 102.292785][ T5248] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 102.301221][ T5248] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 102.309244][ T5248] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5248] <... open resumed>) = ? [pid 5248] +++ exited with 0 +++ [pid 5247] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5247, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=26 /* 0.26 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./53", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./53/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./53/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./53/binderfs") = 0 [ 102.317235][ T5248] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 102.325208][ T5248] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 102.333187][ T5248] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 102.341192][ T5248] umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./53/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./53/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./53") = 0 mkdir("./54", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5251 ./strace-static-x86_64: Process 5251 attached [pid 5251] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5251] chdir("./54") = 0 [pid 5251] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5251] setpgid(0, 0) = 0 [pid 5251] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5251] write(3, "1000", 4) = 4 [pid 5251] close(3) = 0 [pid 5251] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5251] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5251] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5251] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5251] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5251] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5251] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5251] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5252 attached => {parent_tid=[5252]}, 88) = 5252 [pid 5252] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5251] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5251] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5251] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5252] <... rseq resumed>) = 0 [pid 5252] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5252] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5252] memfd_create("syzkaller", 0) = 3 [pid 5252] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5252] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5252] munmap(0x7f01272bc000, 16777216) = 0 [pid 5252] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5252] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5252] close(3) = 0 [pid 5252] mkdir("./file0", 0777) = 0 [ 102.651231][ T5252] loop0: detected capacity change from 0 to 32768 [ 102.663285][ T5252] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 102.671772][ T5252] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 102.681424][ T5252] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 102.690149][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 102.696930][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5252] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5252] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5252] chdir("./file0") = 0 [pid 5252] ioctl(4, LOOP_CLR_FD) = 0 [pid 5252] close(4) = 0 [pid 5252] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5252] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5251] <... futex resumed>) = 0 [pid 5251] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5251] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5252] <... futex resumed>) = 0 [ 102.737439][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 102.746412][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 102.751763][ T5252] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 102.768392][ T5252] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 102.777105][ T5252] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5252] open("./file0", O_RDWR [pid 5251] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5251] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5251] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5251] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5251] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5251] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5254]}, 88) = 5254 [pid 5251] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5251] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5251] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5254 attached [pid 5254] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5254] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5254] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5254] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5254] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5251] <... futex resumed>) = 0 [pid 5251] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5251] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5254] <... futex resumed>) = 1 [pid 5254] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5254] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5251] <... futex resumed>) = 0 [pid 5254] <... futex resumed>) = 1 [ 102.777105][ T5252] inode = 12 2341 [ 102.777105][ T5252] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 102.796064][ T5252] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 102.805239][ T5252] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5252 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 102.815543][ T5252] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 102.824078][ T5252] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 102.832231][ T5252] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 102.841323][ T5252] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 102.849492][ T5252] gfs2: fsid=syz:syz.0: File system withdrawn [ 102.855578][ T5252] CPU: 1 PID: 5252 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 102.865980][ T5252] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 102.876033][ T5252] Call Trace: [ 102.879316][ T5252] [ 102.882253][ T5252] dump_stack_lvl+0x1e7/0x2d0 [ 102.886942][ T5252] ? nf_tcp_handle_invalid+0x650/0x650 [ 102.892397][ T5252] ? panic+0x770/0x770 [ 102.896515][ T5252] gfs2_withdraw+0xc94/0x11e0 [ 102.901237][ T5252] gfs2_dirent_scan+0x512/0x640 [ 102.906102][ T5252] ? gfs2_permission+0x268/0x3c0 [ 102.911047][ T5252] ? gfs2_dirent_search+0x8c0/0x8c0 [ 102.916262][ T5252] gfs2_dirent_search+0x30e/0x8c0 [ 102.921279][ T5252] ? gfs2_dirent_search+0x8c0/0x8c0 [ 102.926488][ T5252] ? generic_permission+0x1df/0x550 [ 102.931708][ T5252] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5254] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5251] exit_group(0 [pid 5254] <... futex resumed>) = ? [pid 5251] <... exit_group resumed>) = ? [pid 5254] +++ exited with 0 +++ [ 102.936667][ T5252] ? gfs2_permission+0x34a/0x3c0 [ 102.941632][ T5252] gfs2_dir_search+0xb2/0x2f0 [ 102.946469][ T5252] ? do_filldir_main+0x520/0x520 [ 102.951409][ T5252] ? inode_go_held+0xea/0x200 [ 102.956098][ T5252] ? gfs2_glock_wait+0x21a/0x2b0 [ 102.961080][ T5252] gfs2_lookupi+0x460/0x5d0 [ 102.965697][ T5252] ? gfs2_lookup_simple+0x180/0x180 [ 102.970931][ T5252] ? __gfs2_lookup+0xa4/0x270 [ 102.975645][ T5252] __gfs2_lookup+0xa4/0x270 [ 102.980166][ T5252] ? gfs2_atomic_open+0x230/0x230 [ 102.985202][ T5252] ? __d_lookup+0x675/0x730 [ 102.989721][ T5252] ? d_hash_and_lookup+0x1b0/0x1b0 [ 102.994836][ T5252] gfs2_atomic_open+0x9e/0x230 [ 102.999614][ T5252] path_openat+0x1044/0x3180 [ 103.004218][ T5252] ? gfs2_rename2+0x25a0/0x25a0 [ 103.009089][ T5252] ? do_filp_open+0x490/0x490 [ 103.013799][ T5252] do_filp_open+0x234/0x490 [ 103.018316][ T5252] ? vfs_tmpfile+0x4b0/0x4b0 [ 103.022908][ T5252] ? _raw_spin_unlock+0x28/0x40 [ 103.027754][ T5252] ? alloc_fd+0x59c/0x640 [ 103.032081][ T5252] do_sys_openat2+0x13e/0x1d0 [ 103.036771][ T5252] ? do_sys_open+0x230/0x230 [ 103.041380][ T5252] ? lockdep_hardirqs_on+0x98/0x140 [ 103.046660][ T5252] ? _raw_spin_unlock_irq+0x2e/0x50 [ 103.051862][ T5252] ? ptrace_notify+0x278/0x380 [ 103.056638][ T5252] __x64_sys_open+0x225/0x270 [ 103.061496][ T5252] ? do_sys_openat2+0x1d0/0x1d0 [ 103.066393][ T5252] ? syscall_enter_from_user_mode+0x32/0x230 [ 103.072389][ T5252] ? syscall_enter_from_user_mode+0x8c/0x230 [ 103.078411][ T5252] do_syscall_64+0x41/0xc0 [ 103.082834][ T5252] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 103.088741][ T5252] RIP: 0033:0x7f012f71fa59 [ 103.093160][ T5252] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 103.112762][ T5252] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 103.121182][ T5252] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 103.129177][ T5252] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5252] <... open resumed>) = ? [pid 5252] +++ exited with 0 +++ [pid 5251] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5251, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=26 /* 0.26 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./54", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./54/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./54/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./54/binderfs") = 0 [ 103.137161][ T5252] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 103.145125][ T5252] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 103.153089][ T5252] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 103.161062][ T5252] umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./54/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./54/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./54") = 0 mkdir("./55", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5255 ./strace-static-x86_64: Process 5255 attached [pid 5255] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5255] chdir("./55") = 0 [pid 5255] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5255] setpgid(0, 0) = 0 [pid 5255] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5255] write(3, "1000", 4) = 4 [pid 5255] close(3) = 0 [pid 5255] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5255] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5255] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5255] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5255] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5255] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5255] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5255] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5256]}, 88) = 5256 [pid 5255] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5255] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5255] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5256 attached [pid 5256] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5256] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5256] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5256] memfd_create("syzkaller", 0) = 3 [pid 5256] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5256] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5256] munmap(0x7f01272bc000, 16777216) = 0 [pid 5256] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5256] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5256] close(3) = 0 [pid 5256] mkdir("./file0", 0777) = 0 [ 103.472395][ T5256] loop0: detected capacity change from 0 to 32768 [ 103.483722][ T5256] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 103.492107][ T5256] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 103.502969][ T5256] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 103.511688][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 103.518460][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5256] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5256] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5256] chdir("./file0") = 0 [pid 5256] ioctl(4, LOOP_CLR_FD) = 0 [pid 5256] close(4) = 0 [pid 5256] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5255] <... futex resumed>) = 0 [pid 5255] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5255] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5256] <... futex resumed>) = 1 [ 103.551122][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 103.559986][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 103.565432][ T5256] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 103.582364][ T5256] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 103.590947][ T5256] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5256] open("./file0", O_RDWR [pid 5255] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5255] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5255] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5255] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5255] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5255] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5258]}, 88) = 5258 [pid 5255] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5255] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5258 attached [pid 5258] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5258] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5258] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5258] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5258] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5258] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5255] <... futex resumed>) = 1 [pid 5255] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 5255] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5255] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5258] <... futex resumed>) = 0 [pid 5258] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [ 103.590947][ T5256] inode = 12 2341 [ 103.590947][ T5256] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 103.610019][ T5256] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 103.619526][ T5256] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5256 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 103.629836][ T5256] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 103.638357][ T5256] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5258] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5255] <... futex resumed>) = 0 [pid 5258] <... futex resumed>) = 1 [ 103.645874][ T5256] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 103.655030][ T5256] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 103.661921][ T5256] gfs2: fsid=syz:syz.0: File system withdrawn [ 103.668028][ T5256] CPU: 0 PID: 5256 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 103.678455][ T5256] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 103.688513][ T5256] Call Trace: [ 103.691800][ T5256] [ 103.694746][ T5256] dump_stack_lvl+0x1e7/0x2d0 [ 103.699462][ T5256] ? nf_tcp_handle_invalid+0x650/0x650 [ 103.704934][ T5256] ? panic+0x770/0x770 [ 103.709178][ T5256] gfs2_withdraw+0xc94/0x11e0 [ 103.713890][ T5256] gfs2_dirent_scan+0x512/0x640 [ 103.718761][ T5256] ? gfs2_permission+0x268/0x3c0 [ 103.723697][ T5256] ? gfs2_dirent_search+0x8c0/0x8c0 [ 103.728918][ T5256] gfs2_dirent_search+0x30e/0x8c0 [ 103.734121][ T5256] ? gfs2_dirent_search+0x8c0/0x8c0 [ 103.739315][ T5256] ? generic_permission+0x1df/0x550 [ 103.744506][ T5256] ? gfs2_dir_search+0x2f0/0x2f0 [ 103.749437][ T5256] ? gfs2_permission+0x34a/0x3c0 [ 103.754372][ T5256] gfs2_dir_search+0xb2/0x2f0 [ 103.759046][ T5256] ? do_filldir_main+0x520/0x520 [ 103.763976][ T5256] ? inode_go_held+0xea/0x200 [ 103.768646][ T5256] ? gfs2_glock_wait+0x21a/0x2b0 [ 103.773577][ T5256] gfs2_lookupi+0x460/0x5d0 [ 103.778087][ T5256] ? gfs2_lookup_simple+0x180/0x180 [ 103.783277][ T5256] ? __gfs2_lookup+0xa4/0x270 [ 103.787957][ T5256] __gfs2_lookup+0xa4/0x270 [ 103.792453][ T5256] ? gfs2_atomic_open+0x230/0x230 [ 103.797480][ T5256] ? __d_lookup+0x675/0x730 [ 103.801976][ T5256] ? d_hash_and_lookup+0x1b0/0x1b0 [ 103.807082][ T5256] gfs2_atomic_open+0x9e/0x230 [ 103.811843][ T5256] path_openat+0x1044/0x3180 [ 103.816465][ T5256] ? gfs2_rename2+0x25a0/0x25a0 [ 103.821331][ T5256] ? do_filp_open+0x490/0x490 [ 103.826098][ T5256] do_filp_open+0x234/0x490 [ 103.830594][ T5256] ? vfs_tmpfile+0x4b0/0x4b0 [ 103.835279][ T5256] ? _raw_spin_unlock+0x28/0x40 [ 103.840124][ T5256] ? alloc_fd+0x59c/0x640 [ 103.844454][ T5256] do_sys_openat2+0x13e/0x1d0 [ 103.849131][ T5256] ? do_sys_open+0x230/0x230 [ 103.853715][ T5256] ? lockdep_hardirqs_on+0x98/0x140 [ 103.858995][ T5256] ? _raw_spin_unlock_irq+0x2e/0x50 [ 103.864197][ T5256] ? ptrace_notify+0x278/0x380 [ 103.868959][ T5256] __x64_sys_open+0x225/0x270 [ 103.873637][ T5256] ? do_sys_openat2+0x1d0/0x1d0 [ 103.878571][ T5256] ? syscall_enter_from_user_mode+0x32/0x230 [ 103.884553][ T5256] ? syscall_enter_from_user_mode+0x8c/0x230 [ 103.890531][ T5256] do_syscall_64+0x41/0xc0 [ 103.894984][ T5256] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 103.900909][ T5256] RIP: 0033:0x7f012f71fa59 [ 103.905333][ T5256] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 103.925209][ T5256] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 103.933620][ T5256] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 103.941583][ T5256] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5258] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5256] <... open resumed>) = -1 EIO (Input/output error) [pid 5256] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5256] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5255] exit_group(0 [pid 5256] <... futex resumed>) = ? [pid 5255] <... exit_group resumed>) = ? [pid 5258] <... futex resumed>) = ? [pid 5256] +++ exited with 0 +++ [pid 5258] +++ exited with 0 +++ [pid 5255] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5255, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=25 /* 0.25 s */} --- umount2("./55", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./55/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./55/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./55/binderfs") = 0 [ 103.949545][ T5256] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 103.957509][ T5256] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 103.965472][ T5256] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 103.973453][ T5256] umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./55/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./55/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./55") = 0 mkdir("./56", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5259 ./strace-static-x86_64: Process 5259 attached [pid 5259] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5259] chdir("./56") = 0 [pid 5259] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5259] setpgid(0, 0) = 0 [pid 5259] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5259] write(3, "1000", 4) = 4 [pid 5259] close(3) = 0 [pid 5259] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5259] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5259] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5259] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5259] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5259] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5259] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5259] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5260]}, 88) = 5260 [pid 5259] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5259] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5259] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5260 attached [pid 5260] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5260] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5260] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5260] memfd_create("syzkaller", 0) = 3 [pid 5260] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5260] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5260] munmap(0x7f01272bc000, 16777216) = 0 [pid 5260] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5260] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5260] close(3) = 0 [pid 5260] mkdir("./file0", 0777) = 0 [ 104.274182][ T5260] loop0: detected capacity change from 0 to 32768 [ 104.284179][ T5260] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 104.292434][ T5260] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 104.302335][ T5260] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 104.311099][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 104.318117][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5260] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5260] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5260] chdir("./file0") = 0 [pid 5260] ioctl(4, LOOP_CLR_FD) = 0 [pid 5260] close(4) = 0 [pid 5260] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5259] <... futex resumed>) = 0 [pid 5259] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5259] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5260] <... futex resumed>) = 1 [ 104.350884][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 104.360114][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 104.365348][ T5260] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 104.378667][ T5260] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 104.387666][ T5260] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 104.387666][ T5260] inode = 12 2341 [pid 5260] open("./file0", O_RDWR [pid 5259] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5259] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5259] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5259] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5259] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5259] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0}./strace-static-x86_64: Process 5262 attached => {parent_tid=[5262]}, 88) = 5262 [pid 5259] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5259] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5259] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5262] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5262] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5262] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5262] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5262] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5259] <... futex resumed>) = 0 [pid 5259] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5259] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5262] <... futex resumed>) = 1 [pid 5262] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [ 104.387666][ T5260] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 104.406474][ T5260] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 104.415967][ T5260] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5260 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 104.426657][ T5260] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 104.437984][ T5260] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5262] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5259] <... futex resumed>) = 0 [pid 5262] <... futex resumed>) = 1 [ 104.446103][ T5260] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 104.454966][ T5260] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 104.462229][ T5260] gfs2: fsid=syz:syz.0: File system withdrawn [ 104.468646][ T5260] CPU: 0 PID: 5260 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 104.479058][ T5260] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 104.489127][ T5260] Call Trace: [ 104.492399][ T5260] [ 104.495406][ T5260] dump_stack_lvl+0x1e7/0x2d0 [ 104.500079][ T5260] ? nf_tcp_handle_invalid+0x650/0x650 [ 104.505627][ T5260] ? panic+0x770/0x770 [ 104.509692][ T5260] gfs2_withdraw+0xc94/0x11e0 [ 104.514364][ T5260] gfs2_dirent_scan+0x512/0x640 [ 104.519201][ T5260] ? gfs2_permission+0x268/0x3c0 [ 104.524126][ T5260] ? gfs2_dirent_search+0x8c0/0x8c0 [ 104.529408][ T5260] gfs2_dirent_search+0x30e/0x8c0 [ 104.534422][ T5260] ? gfs2_dirent_search+0x8c0/0x8c0 [ 104.539605][ T5260] ? generic_permission+0x1df/0x550 [ 104.544786][ T5260] ? gfs2_dir_search+0x2f0/0x2f0 [ 104.549735][ T5260] ? gfs2_permission+0x34a/0x3c0 [ 104.554660][ T5260] gfs2_dir_search+0xb2/0x2f0 [ 104.559329][ T5260] ? do_filldir_main+0x520/0x520 [ 104.564247][ T5260] ? inode_go_held+0xea/0x200 [ 104.568905][ T5260] ? gfs2_glock_wait+0x21a/0x2b0 [ 104.573835][ T5260] gfs2_lookupi+0x460/0x5d0 [ 104.578324][ T5260] ? gfs2_lookup_simple+0x180/0x180 [ 104.583508][ T5260] ? __gfs2_lookup+0xa4/0x270 [ 104.588258][ T5260] __gfs2_lookup+0xa4/0x270 [ 104.592835][ T5260] ? gfs2_atomic_open+0x230/0x230 [ 104.597842][ T5260] ? __d_lookup+0x675/0x730 [ 104.602331][ T5260] ? d_hash_and_lookup+0x1b0/0x1b0 [ 104.607430][ T5260] gfs2_atomic_open+0x9e/0x230 [ 104.612183][ T5260] path_openat+0x1044/0x3180 [ 104.616777][ T5260] ? gfs2_rename2+0x25a0/0x25a0 [ 104.621622][ T5260] ? do_filp_open+0x490/0x490 [ 104.626377][ T5260] do_filp_open+0x234/0x490 [ 104.630872][ T5260] ? vfs_tmpfile+0x4b0/0x4b0 [ 104.635457][ T5260] ? _raw_spin_unlock+0x28/0x40 [ 104.640292][ T5260] ? alloc_fd+0x59c/0x640 [ 104.644615][ T5260] do_sys_openat2+0x13e/0x1d0 [ 104.649369][ T5260] ? do_sys_open+0x230/0x230 [ 104.654029][ T5260] ? lockdep_hardirqs_on+0x98/0x140 [ 104.659215][ T5260] ? _raw_spin_unlock_irq+0x2e/0x50 [ 104.664412][ T5260] ? ptrace_notify+0x278/0x380 [ 104.669160][ T5260] __x64_sys_open+0x225/0x270 [ 104.673846][ T5260] ? do_sys_openat2+0x1d0/0x1d0 [ 104.678784][ T5260] ? syscall_enter_from_user_mode+0x32/0x230 [ 104.684951][ T5260] ? syscall_enter_from_user_mode+0x8c/0x230 [ 104.690941][ T5260] do_syscall_64+0x41/0xc0 [ 104.695452][ T5260] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 104.701338][ T5260] RIP: 0033:0x7f012f71fa59 [ 104.705750][ T5260] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 104.725349][ T5260] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 104.733757][ T5260] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 104.741716][ T5260] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5262] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5260] <... open resumed>) = -1 EIO (Input/output error) [pid 5260] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5259] exit_group(0 [pid 5262] <... futex resumed>) = ? [pid 5259] <... exit_group resumed>) = ? [pid 5262] +++ exited with 0 +++ [pid 5260] <... futex resumed>) = ? [pid 5260] +++ exited with 0 +++ [pid 5259] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5259, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=29 /* 0.29 s */} --- umount2("./56", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./56/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./56/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./56/binderfs") = 0 [ 104.749676][ T5260] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 104.757634][ T5260] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 104.765603][ T5260] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 104.773666][ T5260] umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./56/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./56/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./56") = 0 mkdir("./57", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5263 ./strace-static-x86_64: Process 5263 attached [pid 5263] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5263] chdir("./57") = 0 [pid 5263] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5263] setpgid(0, 0) = 0 [pid 5263] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5263] write(3, "1000", 4) = 4 [pid 5263] close(3) = 0 [pid 5263] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5263] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5263] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5263] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5263] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5263] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5263] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5263] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5264]}, 88) = 5264 [pid 5263] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5263] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5263] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5264 attached [pid 5264] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5264] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5264] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5264] memfd_create("syzkaller", 0) = 3 [pid 5264] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5264] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5264] munmap(0x7f01272bc000, 16777216) = 0 [pid 5264] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5264] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5264] close(3) = 0 [pid 5264] mkdir("./file0", 0777) = 0 [ 105.077454][ T5264] loop0: detected capacity change from 0 to 32768 [ 105.089794][ T5264] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 105.097985][ T5264] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 105.107141][ T5264] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 105.115911][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 105.122814][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5264] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5264] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5264] chdir("./file0") = 0 [pid 5264] ioctl(4, LOOP_CLR_FD) = 0 [pid 5264] close(4) = 0 [pid 5264] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5263] <... futex resumed>) = 0 [pid 5263] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5263] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5264] <... futex resumed>) = 1 [ 105.157404][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 105.165343][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 105.171176][ T5264] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 105.185373][ T5264] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 105.194305][ T5264] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 105.194305][ T5264] inode = 12 2341 [pid 5264] open("./file0", O_RDWR [pid 5263] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5263] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5263] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5263] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5263] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5263] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5266]}, 88) = 5266 [pid 5263] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5263] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5263] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5266 attached [pid 5266] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5266] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5266] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5266] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5266] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5263] <... futex resumed>) = 0 [pid 5263] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5263] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5266] <... futex resumed>) = 1 [pid 5266] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5266] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5263] <... futex resumed>) = 0 [pid 5266] <... futex resumed>) = 1 [ 105.194305][ T5264] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 105.213421][ T5264] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 105.222929][ T5264] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5264 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 105.234919][ T5264] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 105.244184][ T5264] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 105.251935][ T5264] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 105.261269][ T5264] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 105.268774][ T5264] gfs2: fsid=syz:syz.0: File system withdrawn [ 105.275351][ T5264] CPU: 0 PID: 5264 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 105.285759][ T5264] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 105.296006][ T5264] Call Trace: [ 105.299327][ T5264] [ 105.302246][ T5264] dump_stack_lvl+0x1e7/0x2d0 [ 105.306915][ T5264] ? nf_tcp_handle_invalid+0x650/0x650 [ 105.312375][ T5264] ? panic+0x770/0x770 [ 105.316447][ T5264] gfs2_withdraw+0xc94/0x11e0 [ 105.321132][ T5264] gfs2_dirent_scan+0x512/0x640 [ 105.325995][ T5264] ? gfs2_permission+0x268/0x3c0 [ 105.330935][ T5264] ? gfs2_dirent_search+0x8c0/0x8c0 [ 105.336239][ T5264] gfs2_dirent_search+0x30e/0x8c0 [ 105.341270][ T5264] ? gfs2_dirent_search+0x8c0/0x8c0 [ 105.346469][ T5264] ? generic_permission+0x1df/0x550 [ 105.351663][ T5264] ? gfs2_dir_search+0x2f0/0x2f0 [ 105.356599][ T5264] ? gfs2_permission+0x34a/0x3c0 [ 105.361535][ T5264] gfs2_dir_search+0xb2/0x2f0 [ 105.366300][ T5264] ? do_filldir_main+0x520/0x520 [ 105.371232][ T5264] ? inode_go_held+0xea/0x200 [ 105.375905][ T5264] ? gfs2_glock_wait+0x21a/0x2b0 [ 105.380838][ T5264] gfs2_lookupi+0x460/0x5d0 [ 105.385347][ T5264] ? gfs2_lookup_simple+0x180/0x180 [ 105.390543][ T5264] ? __gfs2_lookup+0xa4/0x270 [ 105.395220][ T5264] __gfs2_lookup+0xa4/0x270 [ 105.399720][ T5264] ? gfs2_atomic_open+0x230/0x230 [ 105.404746][ T5264] ? __d_lookup+0x675/0x730 [ 105.409249][ T5264] ? d_hash_and_lookup+0x1b0/0x1b0 [ 105.414367][ T5264] gfs2_atomic_open+0x9e/0x230 [ 105.419127][ T5264] path_openat+0x1044/0x3180 [ 105.423720][ T5264] ? gfs2_rename2+0x25a0/0x25a0 [ 105.428577][ T5264] ? do_filp_open+0x490/0x490 [ 105.433264][ T5264] do_filp_open+0x234/0x490 [ 105.437760][ T5264] ? vfs_tmpfile+0x4b0/0x4b0 [ 105.442361][ T5264] ? _raw_spin_unlock+0x28/0x40 [ 105.447217][ T5264] ? alloc_fd+0x59c/0x640 [ 105.451659][ T5264] do_sys_openat2+0x13e/0x1d0 [ 105.456359][ T5264] ? do_sys_open+0x230/0x230 [ 105.461057][ T5264] ? lockdep_hardirqs_on+0x98/0x140 [ 105.466264][ T5264] ? _raw_spin_unlock_irq+0x2e/0x50 [ 105.471647][ T5264] ? ptrace_notify+0x278/0x380 [ 105.476504][ T5264] __x64_sys_open+0x225/0x270 [ 105.481191][ T5264] ? do_sys_openat2+0x1d0/0x1d0 [ 105.486044][ T5264] ? syscall_enter_from_user_mode+0x32/0x230 [ 105.492020][ T5264] ? syscall_enter_from_user_mode+0x8c/0x230 [ 105.498256][ T5264] do_syscall_64+0x41/0xc0 [ 105.502666][ T5264] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 105.508558][ T5264] RIP: 0033:0x7f012f71fa59 [ 105.512983][ T5264] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 105.532856][ T5264] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 105.541273][ T5264] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 105.549241][ T5264] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5266] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5264] <... open resumed>) = -1 EIO (Input/output error) [pid 5264] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5263] exit_group(0 [pid 5266] <... futex resumed>) = ? [pid 5263] <... exit_group resumed>) = ? [pid 5266] +++ exited with 0 +++ [pid 5264] <... futex resumed>) = ? [pid 5264] +++ exited with 0 +++ [pid 5263] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5263, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./57", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./57/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./57/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./57/binderfs") = 0 [ 105.557205][ T5264] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 105.565346][ T5264] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 105.573313][ T5264] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 105.581288][ T5264] umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./57/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./57/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./57") = 0 mkdir("./58", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5267 ./strace-static-x86_64: Process 5267 attached [pid 5267] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5267] chdir("./58") = 0 [pid 5267] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5267] setpgid(0, 0) = 0 [pid 5267] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5267] write(3, "1000", 4) = 4 [pid 5267] close(3) = 0 [pid 5267] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5267] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5267] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5267] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5267] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5267] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5267] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5267] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5268]}, 88) = 5268 [pid 5267] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5267] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5267] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5268 attached [pid 5268] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5268] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5268] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5268] memfd_create("syzkaller", 0) = 3 [pid 5268] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5268] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5268] munmap(0x7f01272bc000, 16777216) = 0 [pid 5268] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5268] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5268] close(3) = 0 [pid 5268] mkdir("./file0", 0777) = 0 [ 105.908097][ T5268] loop0: detected capacity change from 0 to 32768 [ 105.918380][ T5268] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 105.926668][ T5268] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 105.936736][ T5268] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 105.945411][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 105.952581][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5268] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5268] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5268] chdir("./file0") = 0 [pid 5268] ioctl(4, LOOP_CLR_FD) = 0 [pid 5268] close(4) = 0 [pid 5268] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5267] <... futex resumed>) = 0 [pid 5267] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5267] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5268] <... futex resumed>) = 1 [ 105.984898][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 105.992581][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 105.997844][ T5268] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 106.014461][ T5268] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 106.023013][ T5268] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 106.023013][ T5268] inode = 12 2341 [pid 5268] open("./file0", O_RDWR [pid 5267] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5267] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5267] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5267] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5267] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5267] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5270]}, 88) = 5270 [pid 5267] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5267] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5267] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5270 attached [pid 5270] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5270] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5270] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5270] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5270] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5267] <... futex resumed>) = 0 [pid 5267] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5267] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5270] <... futex resumed>) = 1 [pid 5270] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5270] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5267] <... futex resumed>) = 0 [pid 5270] <... futex resumed>) = 1 [ 106.023013][ T5268] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 106.042350][ T5268] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 106.051688][ T5268] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5268 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 106.061942][ T5268] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 106.071039][ T5268] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 106.079029][ T5268] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 106.088157][ T5268] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 106.095663][ T5268] gfs2: fsid=syz:syz.0: File system withdrawn [ 106.102231][ T5268] CPU: 0 PID: 5268 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 106.112819][ T5268] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 106.122897][ T5268] Call Trace: [ 106.126164][ T5268] [ 106.129181][ T5268] dump_stack_lvl+0x1e7/0x2d0 [ 106.133939][ T5268] ? nf_tcp_handle_invalid+0x650/0x650 [ 106.139557][ T5268] ? panic+0x770/0x770 [ 106.143625][ T5268] gfs2_withdraw+0xc94/0x11e0 [ 106.148291][ T5268] gfs2_dirent_scan+0x512/0x640 [ 106.153142][ T5268] ? gfs2_permission+0x268/0x3c0 [ 106.158077][ T5268] ? gfs2_dirent_search+0x8c0/0x8c0 [ 106.163378][ T5268] gfs2_dirent_search+0x30e/0x8c0 [ 106.168399][ T5268] ? gfs2_dirent_search+0x8c0/0x8c0 [ 106.173592][ T5268] ? generic_permission+0x1df/0x550 [ 106.178786][ T5268] ? gfs2_dir_search+0x2f0/0x2f0 [ 106.183905][ T5268] ? gfs2_permission+0x34a/0x3c0 [ 106.188849][ T5268] gfs2_dir_search+0xb2/0x2f0 [ 106.193524][ T5268] ? do_filldir_main+0x520/0x520 [ 106.198456][ T5268] ? inode_go_held+0xea/0x200 [ 106.203219][ T5268] ? gfs2_glock_wait+0x21a/0x2b0 [ 106.208155][ T5268] gfs2_lookupi+0x460/0x5d0 [ 106.212659][ T5268] ? gfs2_lookup_simple+0x180/0x180 [ 106.217942][ T5268] ? __gfs2_lookup+0xa4/0x270 [ 106.222622][ T5268] __gfs2_lookup+0xa4/0x270 [ 106.227125][ T5268] ? gfs2_atomic_open+0x230/0x230 [ 106.232239][ T5268] ? __d_lookup+0x675/0x730 [ 106.236861][ T5268] ? d_hash_and_lookup+0x1b0/0x1b0 [ 106.241975][ T5268] gfs2_atomic_open+0x9e/0x230 [ 106.246765][ T5268] path_openat+0x1044/0x3180 [ 106.251374][ T5268] ? gfs2_rename2+0x25a0/0x25a0 [ 106.256244][ T5268] ? do_filp_open+0x490/0x490 [ 106.260934][ T5268] do_filp_open+0x234/0x490 [ 106.265436][ T5268] ? vfs_tmpfile+0x4b0/0x4b0 [ 106.270037][ T5268] ? _raw_spin_unlock+0x28/0x40 [ 106.274882][ T5268] ? alloc_fd+0x59c/0x640 [ 106.279216][ T5268] do_sys_openat2+0x13e/0x1d0 [ 106.283899][ T5268] ? do_sys_open+0x230/0x230 [ 106.288486][ T5268] ? lockdep_hardirqs_on+0x98/0x140 [ 106.293687][ T5268] ? _raw_spin_unlock_irq+0x2e/0x50 [ 106.298883][ T5268] ? ptrace_notify+0x278/0x380 [ 106.303728][ T5268] __x64_sys_open+0x225/0x270 [ 106.308412][ T5268] ? do_sys_openat2+0x1d0/0x1d0 [ 106.313259][ T5268] ? syscall_enter_from_user_mode+0x32/0x230 [ 106.319241][ T5268] ? syscall_enter_from_user_mode+0x8c/0x230 [ 106.325225][ T5268] do_syscall_64+0x41/0xc0 [ 106.329637][ T5268] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 106.335532][ T5268] RIP: 0033:0x7f012f71fa59 [ 106.339944][ T5268] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 106.359563][ T5268] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 106.367986][ T5268] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 106.375968][ T5268] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5270] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5268] <... open resumed>) = -1 EIO (Input/output error) [pid 5268] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5268] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5267] exit_group(0) = ? [pid 5270] <... futex resumed>) = ? [pid 5268] <... futex resumed>) = ? [pid 5268] +++ exited with 0 +++ [pid 5270] +++ exited with 0 +++ [pid 5267] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5267, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=29 /* 0.29 s */} --- umount2("./58", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./58/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./58/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./58/binderfs") = 0 [ 106.383942][ T5268] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 106.391929][ T5268] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 106.399897][ T5268] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 106.407881][ T5268] umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./58/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./58/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./58") = 0 mkdir("./59", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5271 ./strace-static-x86_64: Process 5271 attached [pid 5271] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5271] chdir("./59") = 0 [pid 5271] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5271] setpgid(0, 0) = 0 [pid 5271] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5271] write(3, "1000", 4) = 4 [pid 5271] close(3) = 0 [pid 5271] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5271] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5271] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5271] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5271] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5271] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5271] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5271] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5272 attached [pid 5272] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5272] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5272] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5271] <... clone3 resumed> => {parent_tid=[5272]}, 88) = 5272 [pid 5271] rt_sigprocmask(SIG_SETMASK, [], [pid 5272] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5271] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5271] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5272] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5271] <... futex resumed>) = 0 [pid 5271] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5272] memfd_create("syzkaller", 0) = 3 [pid 5272] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5272] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5272] munmap(0x7f01272bc000, 16777216) = 0 [pid 5272] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5272] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5272] close(3) = 0 [pid 5272] mkdir("./file0", 0777) = 0 [ 106.723114][ T5272] loop0: detected capacity change from 0 to 32768 [ 106.734636][ T5272] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 106.742999][ T5272] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 106.752678][ T5272] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 106.761022][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 106.767886][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5272] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5272] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5272] chdir("./file0") = 0 [pid 5272] ioctl(4, LOOP_CLR_FD) = 0 [pid 5272] close(4) = 0 [pid 5272] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5272] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5271] <... futex resumed>) = 0 [pid 5271] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5271] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5272] <... futex resumed>) = 0 [ 106.802394][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 106.810711][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 106.816065][ T5272] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 106.836196][ T5272] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 106.845117][ T5272] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5272] open("./file0", O_RDWR [pid 5271] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5271] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5271] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5271] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5271] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5271] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5274]}, 88) = 5274 [pid 5271] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5271] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5271] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5274 attached [pid 5274] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5274] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5274] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5274] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5274] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5271] <... futex resumed>) = 0 [pid 5271] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5271] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5274] <... futex resumed>) = 1 [pid 5274] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5274] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5271] <... futex resumed>) = 0 [ 106.845117][ T5272] inode = 12 2341 [ 106.845117][ T5272] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 106.863978][ T5272] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 106.873610][ T5272] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5272 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 106.883938][ T5272] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 106.892511][ T5272] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5274] <... futex resumed>) = 1 [ 106.899844][ T5272] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 106.908619][ T5272] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 106.917267][ T5272] gfs2: fsid=syz:syz.0: File system withdrawn [ 106.923745][ T5272] CPU: 1 PID: 5272 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 106.934173][ T5272] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 106.944235][ T5272] Call Trace: [ 106.947519][ T5272] [ 106.950469][ T5272] dump_stack_lvl+0x1e7/0x2d0 [ 106.955251][ T5272] ? nf_tcp_handle_invalid+0x650/0x650 [ 106.960711][ T5272] ? panic+0x770/0x770 [ 106.964786][ T5272] gfs2_withdraw+0xc94/0x11e0 [ 106.969461][ T5272] gfs2_dirent_scan+0x512/0x640 [ 106.974310][ T5272] ? gfs2_permission+0x268/0x3c0 [ 106.979252][ T5272] ? gfs2_dirent_search+0x8c0/0x8c0 [ 106.984501][ T5272] gfs2_dirent_search+0x30e/0x8c0 [ 106.989528][ T5272] ? gfs2_dirent_search+0x8c0/0x8c0 [ 106.994721][ T5272] ? generic_permission+0x1df/0x550 [ 106.999914][ T5272] ? gfs2_dir_search+0x2f0/0x2f0 [ 107.004848][ T5272] ? gfs2_permission+0x34a/0x3c0 [ 107.009789][ T5272] gfs2_dir_search+0xb2/0x2f0 [ 107.014467][ T5272] ? do_filldir_main+0x520/0x520 [ 107.019492][ T5272] ? inode_go_held+0xea/0x200 [ 107.024167][ T5272] ? gfs2_glock_wait+0x21a/0x2b0 [ 107.029122][ T5272] gfs2_lookupi+0x460/0x5d0 [ 107.033641][ T5272] ? gfs2_lookup_simple+0x180/0x180 [ 107.038850][ T5272] ? __gfs2_lookup+0xa4/0x270 [ 107.043536][ T5272] __gfs2_lookup+0xa4/0x270 [ 107.048047][ T5272] ? gfs2_atomic_open+0x230/0x230 [ 107.053073][ T5272] ? __d_lookup+0x675/0x730 [ 107.057577][ T5272] ? d_hash_and_lookup+0x1b0/0x1b0 [ 107.062686][ T5272] gfs2_atomic_open+0x9e/0x230 [ 107.067449][ T5272] path_openat+0x1044/0x3180 [ 107.072040][ T5272] ? gfs2_rename2+0x25a0/0x25a0 [ 107.076897][ T5272] ? do_filp_open+0x490/0x490 [ 107.081669][ T5272] do_filp_open+0x234/0x490 [ 107.086343][ T5272] ? vfs_tmpfile+0x4b0/0x4b0 [ 107.090941][ T5272] ? _raw_spin_unlock+0x28/0x40 [ 107.095789][ T5272] ? alloc_fd+0x59c/0x640 [ 107.100126][ T5272] do_sys_openat2+0x13e/0x1d0 [ 107.104821][ T5272] ? do_sys_open+0x230/0x230 [ 107.109410][ T5272] ? lockdep_hardirqs_on+0x98/0x140 [ 107.114690][ T5272] ? _raw_spin_unlock_irq+0x2e/0x50 [ 107.119971][ T5272] ? ptrace_notify+0x278/0x380 [ 107.124727][ T5272] __x64_sys_open+0x225/0x270 [ 107.129403][ T5272] ? do_sys_openat2+0x1d0/0x1d0 [ 107.134256][ T5272] ? syscall_enter_from_user_mode+0x32/0x230 [ 107.140238][ T5272] ? syscall_enter_from_user_mode+0x8c/0x230 [ 107.146215][ T5272] do_syscall_64+0x41/0xc0 [ 107.150808][ T5272] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 107.156698][ T5272] RIP: 0033:0x7f012f71fa59 [ 107.161117][ T5272] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 107.180742][ T5272] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 107.189274][ T5272] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5274] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5272] <... open resumed>) = -1 EIO (Input/output error) [pid 5272] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5272] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5271] exit_group(0 [pid 5274] <... futex resumed>) = ? [pid 5272] <... futex resumed>) = ? [pid 5271] <... exit_group resumed>) = ? [pid 5272] +++ exited with 0 +++ [pid 5274] +++ exited with 0 +++ [pid 5271] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5271, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=29 /* 0.29 s */} --- umount2("./59", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./59/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./59/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./59/binderfs") = 0 [ 107.197254][ T5272] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 107.205228][ T5272] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 107.213292][ T5272] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 107.221258][ T5272] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 107.229238][ T5272] umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./59/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./59/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./59") = 0 mkdir("./60", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5275 ./strace-static-x86_64: Process 5275 attached [pid 5275] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5275] chdir("./60") = 0 [pid 5275] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5275] setpgid(0, 0) = 0 [pid 5275] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5275] write(3, "1000", 4) = 4 [pid 5275] close(3) = 0 [pid 5275] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5275] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5275] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5275] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5275] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5275] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5275] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5276]}, 88) = 5276 [pid 5275] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5275] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5276 attached [pid 5276] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5276] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5276] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5276] memfd_create("syzkaller", 0) = 3 [pid 5276] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5276] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5276] munmap(0x7f01272bc000, 16777216) = 0 [pid 5276] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5276] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5276] close(3) = 0 [pid 5276] mkdir("./file0", 0777) = 0 [ 107.529191][ T5276] loop0: detected capacity change from 0 to 32768 [ 107.541739][ T5276] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 107.550231][ T5276] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 107.560798][ T5276] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 107.569206][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 107.576049][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5276] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5276] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5276] chdir("./file0") = 0 [pid 5276] ioctl(4, LOOP_CLR_FD) = 0 [pid 5276] close(4) = 0 [pid 5276] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5275] <... futex resumed>) = 0 [pid 5276] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5275] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5275] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5276] <... futex resumed>) = 0 [ 107.611482][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 107.620560][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 107.625816][ T5276] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 107.642109][ T5276] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 107.650747][ T5276] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 107.650747][ T5276] inode = 12 2341 [pid 5276] open("./file0", O_RDWR [pid 5275] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5275] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5275] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5275] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5275] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5278]}, 88) = 5278 [pid 5275] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5275] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5278 attached [pid 5278] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5278] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5278] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 107.650747][ T5276] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 107.669776][ T5276] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 107.679404][ T5276] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5276 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 107.690105][ T5276] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 107.697724][ T5278] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 107.700250][ T5276] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 107.707294][ T5278] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 107.714593][ T5276] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 107.723381][ T5278] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5276 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 107.732560][ T5276] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 107.742248][ T5278] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5278 [syz-executor198] __gfs2_lookup+0xa4/0x270 [pid 5278] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5275] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5275] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5275] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5275] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5275] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5279]}, 88) = 5279 [pid 5275] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5275] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5279 attached [pid 5279] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5279] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5279] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5279] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5279] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5275] <... futex resumed>) = 0 [pid 5279] <... futex resumed>) = 1 [ 107.751462][ T5276] gfs2: fsid=syz:syz.0: File system withdrawn [ 107.758739][ T5278] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 107.765357][ T5276] CPU: 1 PID: 5276 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 107.783589][ T5276] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 107.793674][ T5276] Call Trace: [ 107.796972][ T5276] [ 107.799909][ T5276] dump_stack_lvl+0x1e7/0x2d0 [ 107.804583][ T5276] ? nf_tcp_handle_invalid+0x650/0x650 [ 107.810035][ T5276] ? panic+0x770/0x770 [ 107.814110][ T5276] gfs2_withdraw+0xc94/0x11e0 [ 107.818812][ T5276] gfs2_dirent_scan+0x512/0x640 [ 107.823728][ T5276] ? gfs2_permission+0x268/0x3c0 [ 107.828672][ T5276] ? gfs2_dirent_search+0x8c0/0x8c0 [ 107.833888][ T5276] gfs2_dirent_search+0x30e/0x8c0 [ 107.838911][ T5276] ? gfs2_dirent_search+0x8c0/0x8c0 [ 107.844103][ T5276] ? generic_permission+0x1df/0x550 [ 107.849302][ T5276] ? gfs2_dir_search+0x2f0/0x2f0 [ 107.854252][ T5276] ? gfs2_permission+0x34a/0x3c0 [pid 5279] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5275] exit_group(0 [pid 5279] <... futex resumed>) = ? [ 107.859196][ T5276] gfs2_dir_search+0xb2/0x2f0 [ 107.863895][ T5276] ? do_filldir_main+0x520/0x520 [ 107.868855][ T5276] ? inode_go_held+0xea/0x200 [ 107.873545][ T5276] ? gfs2_glock_wait+0x21a/0x2b0 [ 107.878490][ T5276] gfs2_lookupi+0x460/0x5d0 [ 107.883010][ T5276] ? gfs2_lookup_simple+0x180/0x180 [ 107.888216][ T5276] ? __gfs2_lookup+0xa4/0x270 [ 107.892907][ T5276] __gfs2_lookup+0xa4/0x270 [ 107.897416][ T5276] ? gfs2_atomic_open+0x230/0x230 [ 107.902433][ T5276] ? __d_lookup+0x675/0x730 [ 107.906940][ T5276] ? d_hash_and_lookup+0x1b0/0x1b0 [ 107.912064][ T5276] gfs2_atomic_open+0x9e/0x230 [ 107.916844][ T5276] path_openat+0x1044/0x3180 [ 107.921448][ T5276] ? gfs2_rename2+0x25a0/0x25a0 [ 107.926326][ T5276] ? do_filp_open+0x490/0x490 [ 107.931024][ T5276] do_filp_open+0x234/0x490 [ 107.935520][ T5276] ? vfs_tmpfile+0x4b0/0x4b0 [ 107.940119][ T5276] ? _raw_spin_unlock+0x28/0x40 [ 107.944962][ T5276] ? alloc_fd+0x59c/0x640 [ 107.949307][ T5276] do_sys_openat2+0x13e/0x1d0 [ 107.954101][ T5276] ? do_sys_open+0x230/0x230 [ 107.958690][ T5276] ? lockdep_hardirqs_on+0x98/0x140 [ 107.963882][ T5276] ? _raw_spin_unlock_irq+0x2e/0x50 [ 107.969073][ T5276] ? ptrace_notify+0x278/0x380 [ 107.973849][ T5276] __x64_sys_open+0x225/0x270 [ 107.978539][ T5276] ? do_sys_openat2+0x1d0/0x1d0 [ 107.983398][ T5276] ? syscall_enter_from_user_mode+0x32/0x230 [ 107.989391][ T5276] ? syscall_enter_from_user_mode+0x8c/0x230 [ 107.995369][ T5276] do_syscall_64+0x41/0xc0 [ 107.999789][ T5276] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 108.005697][ T5276] RIP: 0033:0x7f012f71fa59 [ 108.010103][ T5276] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 108.029809][ T5276] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 108.038219][ T5276] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 108.046183][ T5276] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 108.054156][ T5276] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5275] <... exit_group resumed>) = ? [pid 5279] +++ exited with 0 +++ [pid 5278] <... openat resumed>) = ? [pid 5276] <... open resumed>) = ? [pid 5276] +++ exited with 0 +++ [pid 5278] +++ exited with 0 +++ [pid 5275] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5275, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=38 /* 0.38 s */} --- umount2("./60", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./60/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./60/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./60/binderfs") = 0 [ 108.062142][ T5276] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 108.070118][ T5276] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 108.078096][ T5276] umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./60/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./60/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./60") = 0 mkdir("./61", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5280 attached , child_tidptr=0x555556d1b690) = 5280 [pid 5280] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5280] chdir("./61") = 0 [pid 5280] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5280] setpgid(0, 0) = 0 [pid 5280] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5280] write(3, "1000", 4) = 4 [pid 5280] close(3) = 0 [pid 5280] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5280] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5280] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5280] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5280] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5280] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5280] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5280] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5281 attached => {parent_tid=[5281]}, 88) = 5281 [pid 5280] rt_sigprocmask(SIG_SETMASK, [], [pid 5281] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5280] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5281] <... rseq resumed>) = 0 [pid 5280] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5280] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5281] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5281] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5281] memfd_create("syzkaller", 0) = 3 [pid 5281] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5281] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5281] munmap(0x7f01272bc000, 16777216) = 0 [pid 5281] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5281] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5281] close(3) = 0 [pid 5281] mkdir("./file0", 0777) = 0 [ 108.388361][ T5281] loop0: detected capacity change from 0 to 32768 [ 108.399573][ T5281] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 108.407767][ T5281] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 108.417528][ T5281] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 108.426267][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 108.433515][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5281] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5281] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5281] chdir("./file0") = 0 [pid 5281] ioctl(4, LOOP_CLR_FD) = 0 [pid 5281] close(4) = 0 [pid 5281] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5280] <... futex resumed>) = 0 [pid 5280] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5280] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5281] <... futex resumed>) = 1 [ 108.469386][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 108.478269][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 108.483613][ T5281] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 108.498194][ T5281] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 108.507387][ T5281] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 108.507387][ T5281] inode = 12 2341 [pid 5281] open("./file0", O_RDWR [pid 5280] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5280] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5280] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5280] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5280] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5280] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5280] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5283]}, 88) = 5283 [pid 5280] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5280] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5283 attached [ 108.507387][ T5281] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 108.526300][ T5281] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 108.536047][ T5281] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5281 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 108.546159][ T5281] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 108.554667][ T5281] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5280] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5283] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5283] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5283] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5283] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5283] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5280] <... futex resumed>) = 0 [pid 5280] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5280] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5283] <... futex resumed>) = 1 [pid 5283] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5283] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5280] <... futex resumed>) = 0 [pid 5283] <... futex resumed>) = 1 [ 108.562012][ T5281] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 108.571356][ T5281] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 108.579409][ T5281] gfs2: fsid=syz:syz.0: File system withdrawn [ 108.585722][ T5281] CPU: 1 PID: 5281 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 108.596238][ T5281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 108.606309][ T5281] Call Trace: [ 108.609592][ T5281] [ 108.612529][ T5281] dump_stack_lvl+0x1e7/0x2d0 [ 108.617213][ T5281] ? nf_tcp_handle_invalid+0x650/0x650 [ 108.622726][ T5281] ? panic+0x770/0x770 [ 108.626805][ T5281] gfs2_withdraw+0xc94/0x11e0 [ 108.631590][ T5281] gfs2_dirent_scan+0x512/0x640 [ 108.636458][ T5281] ? gfs2_permission+0x268/0x3c0 [ 108.641402][ T5281] ? gfs2_dirent_search+0x8c0/0x8c0 [ 108.646616][ T5281] gfs2_dirent_search+0x30e/0x8c0 [ 108.651638][ T5281] ? gfs2_dirent_search+0x8c0/0x8c0 [ 108.656829][ T5281] ? generic_permission+0x1df/0x550 [ 108.662042][ T5281] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5283] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5280] exit_group(0 [pid 5283] <... futex resumed>) = ? [pid 5280] <... exit_group resumed>) = ? [pid 5283] +++ exited with 0 +++ [ 108.666997][ T5281] ? gfs2_permission+0x34a/0x3c0 [ 108.671946][ T5281] gfs2_dir_search+0xb2/0x2f0 [ 108.676636][ T5281] ? do_filldir_main+0x520/0x520 [ 108.681576][ T5281] ? inode_go_held+0xea/0x200 [ 108.686268][ T5281] ? gfs2_glock_wait+0x21a/0x2b0 [ 108.691230][ T5281] gfs2_lookupi+0x460/0x5d0 [ 108.695754][ T5281] ? gfs2_lookup_simple+0x180/0x180 [ 108.700958][ T5281] ? __gfs2_lookup+0xa4/0x270 [ 108.705652][ T5281] __gfs2_lookup+0xa4/0x270 [ 108.710157][ T5281] ? gfs2_atomic_open+0x230/0x230 [ 108.715215][ T5281] ? __d_lookup+0x675/0x730 [ 108.719819][ T5281] ? d_hash_and_lookup+0x1b0/0x1b0 [ 108.724936][ T5281] gfs2_atomic_open+0x9e/0x230 [ 108.729703][ T5281] path_openat+0x1044/0x3180 [ 108.734305][ T5281] ? gfs2_rename2+0x25a0/0x25a0 [ 108.739171][ T5281] ? do_filp_open+0x490/0x490 [ 108.743870][ T5281] do_filp_open+0x234/0x490 [ 108.748389][ T5281] ? vfs_tmpfile+0x4b0/0x4b0 [ 108.752995][ T5281] ? _raw_spin_unlock+0x28/0x40 [ 108.757852][ T5281] ? alloc_fd+0x59c/0x640 [ 108.762178][ T5281] do_sys_openat2+0x13e/0x1d0 [ 108.766866][ T5281] ? do_sys_open+0x230/0x230 [ 108.771472][ T5281] ? lockdep_hardirqs_on+0x98/0x140 [ 108.776664][ T5281] ? _raw_spin_unlock_irq+0x2e/0x50 [ 108.781868][ T5281] ? ptrace_notify+0x278/0x380 [ 108.786637][ T5281] __x64_sys_open+0x225/0x270 [ 108.791323][ T5281] ? do_sys_openat2+0x1d0/0x1d0 [ 108.796195][ T5281] ? syscall_enter_from_user_mode+0x32/0x230 [ 108.802445][ T5281] ? syscall_enter_from_user_mode+0x8c/0x230 [ 108.808426][ T5281] do_syscall_64+0x41/0xc0 [ 108.812837][ T5281] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 108.818742][ T5281] RIP: 0033:0x7f012f71fa59 [ 108.823242][ T5281] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 108.842851][ T5281] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 108.851287][ T5281] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 108.859258][ T5281] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5281] <... open resumed>) = ? [pid 5281] +++ exited with 0 +++ [pid 5280] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5280, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=28 /* 0.28 s */} --- umount2("./61", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./61/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./61/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./61/binderfs") = 0 [ 108.867239][ T5281] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 108.875215][ T5281] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 108.883173][ T5281] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 108.891145][ T5281] umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./61/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./61/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./61") = 0 mkdir("./62", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5284 ./strace-static-x86_64: Process 5284 attached [pid 5284] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5284] chdir("./62") = 0 [pid 5284] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5284] setpgid(0, 0) = 0 [pid 5284] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5284] write(3, "1000", 4) = 4 [pid 5284] close(3) = 0 [pid 5284] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5284] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5284] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5284] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5284] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5284] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5284] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5285]}, 88) = 5285 [pid 5284] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5284] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5285 attached [pid 5285] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5285] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5285] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5285] memfd_create("syzkaller", 0) = 3 [pid 5285] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5285] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5285] munmap(0x7f01272bc000, 16777216) = 0 [pid 5285] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5285] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5285] close(3) = 0 [pid 5285] mkdir("./file0", 0777) = 0 [ 109.194906][ T5285] loop0: detected capacity change from 0 to 32768 [ 109.205290][ T5285] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 109.214059][ T5285] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 109.224678][ T5285] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 109.233283][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 109.240355][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5285] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5285] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5285] chdir("./file0") = 0 [pid 5285] ioctl(4, LOOP_CLR_FD) = 0 [pid 5285] close(4) = 0 [pid 5285] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5284] <... futex resumed>) = 0 [pid 5284] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5285] <... futex resumed>) = 1 [ 109.274807][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 109.289945][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 109.296004][ T5285] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 109.310316][ T5285] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5285] open("./file0", O_RDWR [pid 5284] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5284] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5284] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5284] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5284] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5287]}, 88) = 5287 [pid 5284] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5284] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5287 attached [pid 5287] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5287] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5287] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5287] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5287] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5284] <... futex resumed>) = 0 [pid 5284] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5287] <... futex resumed>) = 1 [pid 5287] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5287] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5284] <... futex resumed>) = 0 [pid 5287] <... futex resumed>) = 1 [ 109.319131][ T5285] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 109.319131][ T5285] inode = 12 2341 [ 109.319131][ T5285] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 109.338358][ T5285] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 109.347864][ T5285] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5285 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 109.358211][ T5285] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 109.366786][ T5285] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 109.374410][ T5285] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 109.383235][ T5285] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 109.391218][ T5285] gfs2: fsid=syz:syz.0: File system withdrawn [ 109.397594][ T5285] CPU: 0 PID: 5285 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 109.408517][ T5285] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 109.418649][ T5285] Call Trace: [ 109.422004][ T5285] [ 109.424921][ T5285] dump_stack_lvl+0x1e7/0x2d0 [ 109.429589][ T5285] ? nf_tcp_handle_invalid+0x650/0x650 [ 109.435032][ T5285] ? panic+0x770/0x770 [ 109.439089][ T5285] gfs2_withdraw+0xc94/0x11e0 [ 109.443756][ T5285] gfs2_dirent_scan+0x512/0x640 [ 109.448678][ T5285] ? gfs2_permission+0x268/0x3c0 [ 109.453608][ T5285] ? gfs2_dirent_search+0x8c0/0x8c0 [ 109.458805][ T5285] gfs2_dirent_search+0x30e/0x8c0 [ 109.464956][ T5285] ? gfs2_dirent_search+0x8c0/0x8c0 [ 109.470161][ T5285] ? generic_permission+0x1df/0x550 [ 109.475351][ T5285] ? gfs2_dir_search+0x2f0/0x2f0 [ 109.480307][ T5285] ? gfs2_permission+0x34a/0x3c0 [ 109.485253][ T5285] gfs2_dir_search+0xb2/0x2f0 [ 109.489952][ T5285] ? do_filldir_main+0x520/0x520 [ 109.495333][ T5285] ? inode_go_held+0xea/0x200 [ 109.500009][ T5285] ? gfs2_glock_wait+0x21a/0x2b0 [ 109.504937][ T5285] gfs2_lookupi+0x460/0x5d0 [ 109.509443][ T5285] ? gfs2_lookup_simple+0x180/0x180 [ 109.514643][ T5285] ? __gfs2_lookup+0xa4/0x270 [ 109.519356][ T5285] __gfs2_lookup+0xa4/0x270 [ 109.523856][ T5285] ? gfs2_atomic_open+0x230/0x230 [ 109.528877][ T5285] ? __d_lookup+0x675/0x730 [ 109.533382][ T5285] ? d_hash_and_lookup+0x1b0/0x1b0 [ 109.538497][ T5285] gfs2_atomic_open+0x9e/0x230 [ 109.543454][ T5285] path_openat+0x1044/0x3180 [ 109.548065][ T5285] ? gfs2_rename2+0x25a0/0x25a0 [ 109.552942][ T5285] ? do_filp_open+0x490/0x490 [ 109.557651][ T5285] do_filp_open+0x234/0x490 [ 109.562150][ T5285] ? vfs_tmpfile+0x4b0/0x4b0 [ 109.566748][ T5285] ? _raw_spin_unlock+0x28/0x40 [ 109.571682][ T5285] ? alloc_fd+0x59c/0x640 [ 109.576011][ T5285] do_sys_openat2+0x13e/0x1d0 [ 109.580694][ T5285] ? do_sys_open+0x230/0x230 [ 109.585287][ T5285] ? lockdep_hardirqs_on+0x98/0x140 [ 109.590483][ T5285] ? _raw_spin_unlock_irq+0x2e/0x50 [ 109.595673][ T5285] ? ptrace_notify+0x278/0x380 [ 109.600431][ T5285] __x64_sys_open+0x225/0x270 [ 109.605110][ T5285] ? do_sys_openat2+0x1d0/0x1d0 [ 109.609995][ T5285] ? syscall_enter_from_user_mode+0x32/0x230 [ 109.616156][ T5285] ? syscall_enter_from_user_mode+0x8c/0x230 [ 109.622309][ T5285] do_syscall_64+0x41/0xc0 [ 109.626721][ T5285] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 109.632616][ T5285] RIP: 0033:0x7f012f71fa59 [ 109.637025][ T5285] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 109.657146][ T5285] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 109.665561][ T5285] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5287] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5285] <... open resumed>) = -1 EIO (Input/output error) [pid 5285] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5284] exit_group(0 [pid 5287] <... futex resumed>) = ? [pid 5284] <... exit_group resumed>) = ? [pid 5287] +++ exited with 0 +++ [pid 5285] <... futex resumed>) = ? [pid 5285] +++ exited with 0 +++ [pid 5284] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5284, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./62", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./62/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./62/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./62/binderfs") = 0 [ 109.673526][ T5285] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 109.681497][ T5285] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 109.689461][ T5285] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 109.697451][ T5285] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 109.705467][ T5285] umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./62/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./62/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./62") = 0 mkdir("./63", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5288 ./strace-static-x86_64: Process 5288 attached [pid 5288] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5288] chdir("./63") = 0 [pid 5288] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5288] setpgid(0, 0) = 0 [pid 5288] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5288] write(3, "1000", 4) = 4 [pid 5288] close(3) = 0 [pid 5288] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5288] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5288] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5288] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5288] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5288] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5288] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5289]}, 88) = 5289 ./strace-static-x86_64: Process 5289 attached [pid 5288] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5288] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5289] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5289] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5289] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5289] memfd_create("syzkaller", 0) = 3 [pid 5289] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5289] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5289] munmap(0x7f01272bc000, 16777216) = 0 [pid 5289] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5289] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5289] close(3) = 0 [pid 5289] mkdir("./file0", 0777) = 0 [ 110.014905][ T5289] loop0: detected capacity change from 0 to 32768 [ 110.027914][ T5289] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 110.036610][ T5289] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 110.045844][ T5289] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 110.054923][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 110.061988][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5289] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5289] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5289] chdir("./file0") = 0 [pid 5289] ioctl(4, LOOP_CLR_FD) = 0 [pid 5289] close(4) = 0 [pid 5289] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5288] <... futex resumed>) = 0 [pid 5288] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5289] <... futex resumed>) = 1 [ 110.103489][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 110.112559][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 110.117817][ T5289] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 110.134814][ T5289] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 110.144041][ T5289] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5289] open("./file0", O_RDWR [pid 5288] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5288] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5288] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5288] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5288] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5291]}, 88) = 5291 [pid 5288] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5288] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5291 attached [pid 5291] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5291] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5291] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 110.144041][ T5289] inode = 12 2341 [ 110.144041][ T5289] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 110.163150][ T5289] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 110.172558][ T5289] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5289 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 110.183119][ T5289] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 110.192051][ T5291] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 110.192748][ T5289] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 110.200879][ T5291] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 110.207864][ T5289] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 110.217069][ T5291] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5289 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 110.226260][ T5289] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 110.236303][ T5291] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5291 [syz-executor198] __gfs2_lookup+0xa4/0x270 [pid 5291] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5288] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5288] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5288] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5288] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5288] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5292]}, 88) = 5292 [pid 5288] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5288] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5292 attached [pid 5292] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5292] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5292] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5292] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5292] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5288] <... futex resumed>) = 0 [pid 5292] <... futex resumed>) = 1 [ 110.244692][ T5289] gfs2: fsid=syz:syz.0: File system withdrawn [ 110.252529][ T5291] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 110.259019][ T5289] CPU: 1 PID: 5289 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 110.277506][ T5289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 110.287576][ T5289] Call Trace: [ 110.290871][ T5289] [ 110.293791][ T5289] dump_stack_lvl+0x1e7/0x2d0 [ 110.298473][ T5289] ? nf_tcp_handle_invalid+0x650/0x650 [ 110.303956][ T5289] ? panic+0x770/0x770 [ 110.308064][ T5289] gfs2_withdraw+0xc94/0x11e0 [ 110.312787][ T5289] gfs2_dirent_scan+0x512/0x640 [ 110.317657][ T5289] ? gfs2_permission+0x268/0x3c0 [ 110.322599][ T5289] ? gfs2_dirent_search+0x8c0/0x8c0 [ 110.327847][ T5289] gfs2_dirent_search+0x30e/0x8c0 [ 110.332966][ T5289] ? gfs2_dirent_search+0x8c0/0x8c0 [ 110.338160][ T5289] ? generic_permission+0x1df/0x550 [ 110.343366][ T5289] ? gfs2_dir_search+0x2f0/0x2f0 [ 110.348320][ T5289] ? gfs2_permission+0x34a/0x3c0 [ 110.353269][ T5289] gfs2_dir_search+0xb2/0x2f0 [ 110.358137][ T5289] ? do_filldir_main+0x520/0x520 [ 110.363103][ T5289] ? inode_go_held+0xea/0x200 [ 110.367791][ T5289] ? gfs2_glock_wait+0x21a/0x2b0 [ 110.372823][ T5289] gfs2_lookupi+0x460/0x5d0 [ 110.377344][ T5289] ? gfs2_lookup_simple+0x180/0x180 [ 110.382589][ T5289] ? __gfs2_lookup+0xa4/0x270 [ 110.387311][ T5289] __gfs2_lookup+0xa4/0x270 [ 110.391919][ T5289] ? gfs2_atomic_open+0x230/0x230 [ 110.396966][ T5289] ? __d_lookup+0x675/0x730 [pid 5292] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5288] exit_group(0 [pid 5292] <... futex resumed>) = ? [pid 5288] <... exit_group resumed>) = ? [pid 5292] +++ exited with 0 +++ [ 110.401490][ T5289] ? d_hash_and_lookup+0x1b0/0x1b0 [ 110.406697][ T5289] gfs2_atomic_open+0x9e/0x230 [ 110.411563][ T5289] path_openat+0x1044/0x3180 [ 110.416164][ T5289] ? gfs2_rename2+0x25a0/0x25a0 [ 110.421032][ T5289] ? do_filp_open+0x490/0x490 [ 110.425710][ T5289] do_filp_open+0x234/0x490 [ 110.430216][ T5289] ? vfs_tmpfile+0x4b0/0x4b0 [ 110.434824][ T5289] ? _raw_spin_unlock+0x28/0x40 [ 110.439673][ T5289] ? alloc_fd+0x59c/0x640 [ 110.444104][ T5289] do_sys_openat2+0x13e/0x1d0 [ 110.448779][ T5289] ? do_sys_open+0x230/0x230 [ 110.453374][ T5289] ? lockdep_hardirqs_on+0x98/0x140 [ 110.458620][ T5289] ? _raw_spin_unlock_irq+0x2e/0x50 [ 110.463809][ T5289] ? ptrace_notify+0x278/0x380 [ 110.468590][ T5289] __x64_sys_open+0x225/0x270 [ 110.473278][ T5289] ? do_sys_openat2+0x1d0/0x1d0 [ 110.478125][ T5289] ? syscall_enter_from_user_mode+0x32/0x230 [ 110.484102][ T5289] ? syscall_enter_from_user_mode+0x8c/0x230 [ 110.490178][ T5289] do_syscall_64+0x41/0xc0 [ 110.494721][ T5289] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 110.501055][ T5289] RIP: 0033:0x7f012f71fa59 [ 110.505596][ T5289] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 110.525232][ T5289] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 110.533661][ T5289] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 110.541651][ T5289] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5289] <... open resumed>) = ? [pid 5291] <... openat resumed>) = ? [pid 5289] +++ exited with 0 +++ [pid 5291] +++ exited with 0 +++ [pid 5288] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5288, si_uid=0, si_status=0, si_utime=0, si_stime=45 /* 0.45 s */} --- umount2("./63", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./63/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./63/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./63/binderfs") = 0 [ 110.549638][ T5289] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 110.557618][ T5289] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 110.565684][ T5289] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 110.573766][ T5289] umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./63/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./63/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./63") = 0 mkdir("./64", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5293 ./strace-static-x86_64: Process 5293 attached [pid 5293] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5293] chdir("./64") = 0 [pid 5293] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5293] setpgid(0, 0) = 0 [pid 5293] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5293] write(3, "1000", 4) = 4 [pid 5293] close(3) = 0 [pid 5293] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5293] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5293] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5293] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5293] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5293] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5293] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5293] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5294]}, 88) = 5294 [pid 5293] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5293] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5293] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5294 attached [pid 5294] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5294] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5294] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5294] memfd_create("syzkaller", 0) = 3 [pid 5294] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5294] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5294] munmap(0x7f01272bc000, 16777216) = 0 [pid 5294] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5294] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5294] close(3) = 0 [pid 5294] mkdir("./file0", 0777) = 0 [ 110.891200][ T5294] loop0: detected capacity change from 0 to 32768 [ 110.905482][ T5294] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 110.914033][ T5294] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 110.923585][ T5294] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 110.932254][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 110.939590][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5294] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5294] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5294] chdir("./file0") = 0 [pid 5294] ioctl(4, LOOP_CLR_FD) = 0 [pid 5294] close(4) = 0 [pid 5294] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5293] <... futex resumed>) = 0 [pid 5293] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5293] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5294] <... futex resumed>) = 1 [ 110.971624][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 110.980669][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 110.985937][ T5294] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 111.009976][ T5294] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5294] open("./file0", O_RDWR [pid 5293] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5293] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5293] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5293] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5293] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5293] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5296]}, 88) = 5296 [pid 5293] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5293] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 111.019537][ T5294] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 111.019537][ T5294] inode = 12 2341 [ 111.019537][ T5294] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 111.038886][ T5294] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 111.048355][ T5294] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5294 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 111.058656][ T5294] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5293] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5296 attached [pid 5296] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5296] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5296] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5296] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5296] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5293] <... futex resumed>) = 0 [pid 5293] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5293] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5296] <... futex resumed>) = 1 [pid 5296] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5296] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5293] <... futex resumed>) = 0 [pid 5296] <... futex resumed>) = 1 [ 111.067433][ T5294] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 111.075301][ T5294] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 111.084596][ T5294] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 111.092262][ T5294] gfs2: fsid=syz:syz.0: File system withdrawn [ 111.098361][ T5294] CPU: 1 PID: 5294 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 111.108790][ T5294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 111.118865][ T5294] Call Trace: [ 111.122148][ T5294] [ 111.125086][ T5294] dump_stack_lvl+0x1e7/0x2d0 [ 111.129795][ T5294] ? nf_tcp_handle_invalid+0x650/0x650 [ 111.135252][ T5294] ? panic+0x770/0x770 [ 111.139345][ T5294] gfs2_withdraw+0xc94/0x11e0 [ 111.144071][ T5294] gfs2_dirent_scan+0x512/0x640 [ 111.148956][ T5294] ? gfs2_permission+0x268/0x3c0 [ 111.153915][ T5294] ? gfs2_dirent_search+0x8c0/0x8c0 [ 111.159124][ T5294] gfs2_dirent_search+0x30e/0x8c0 [ 111.164182][ T5294] ? gfs2_dirent_search+0x8c0/0x8c0 [ 111.169404][ T5294] ? generic_permission+0x1df/0x550 [ 111.174606][ T5294] ? gfs2_dir_search+0x2f0/0x2f0 [ 111.179643][ T5294] ? gfs2_permission+0x34a/0x3c0 [ 111.184587][ T5294] gfs2_dir_search+0xb2/0x2f0 [ 111.189276][ T5294] ? do_filldir_main+0x520/0x520 [ 111.194211][ T5294] ? inode_go_held+0xea/0x200 [ 111.198886][ T5294] ? gfs2_glock_wait+0x21a/0x2b0 [ 111.203818][ T5294] gfs2_lookupi+0x460/0x5d0 [ 111.208321][ T5294] ? gfs2_lookup_simple+0x180/0x180 [ 111.213521][ T5294] ? __gfs2_lookup+0xa4/0x270 [ 111.218231][ T5294] __gfs2_lookup+0xa4/0x270 [ 111.222734][ T5294] ? gfs2_atomic_open+0x230/0x230 [ 111.227778][ T5294] ? __d_lookup+0x675/0x730 [ 111.232298][ T5294] ? d_hash_and_lookup+0x1b0/0x1b0 [ 111.237434][ T5294] gfs2_atomic_open+0x9e/0x230 [ 111.242221][ T5294] path_openat+0x1044/0x3180 [ 111.246825][ T5294] ? gfs2_rename2+0x25a0/0x25a0 [ 111.251871][ T5294] ? do_filp_open+0x490/0x490 [ 111.256559][ T5294] do_filp_open+0x234/0x490 [ 111.261060][ T5294] ? vfs_tmpfile+0x4b0/0x4b0 [ 111.265659][ T5294] ? _raw_spin_unlock+0x28/0x40 [ 111.270540][ T5294] ? alloc_fd+0x59c/0x640 [ 111.274983][ T5294] do_sys_openat2+0x13e/0x1d0 [ 111.279773][ T5294] ? do_sys_open+0x230/0x230 [ 111.284356][ T5294] ? lockdep_hardirqs_on+0x98/0x140 [ 111.289555][ T5294] ? _raw_spin_unlock_irq+0x2e/0x50 [ 111.294749][ T5294] ? ptrace_notify+0x278/0x380 [ 111.299509][ T5294] __x64_sys_open+0x225/0x270 [ 111.304271][ T5294] ? do_sys_openat2+0x1d0/0x1d0 [ 111.309118][ T5294] ? syscall_enter_from_user_mode+0x32/0x230 [ 111.315099][ T5294] ? syscall_enter_from_user_mode+0x8c/0x230 [ 111.321082][ T5294] do_syscall_64+0x41/0xc0 [ 111.325493][ T5294] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 111.331386][ T5294] RIP: 0033:0x7f012f71fa59 [ 111.335816][ T5294] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 111.355479][ T5294] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 111.363903][ T5294] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5296] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5294] <... open resumed>) = -1 EIO (Input/output error) [pid 5294] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5293] exit_group(0 [pid 5296] <... futex resumed>) = ? [pid 5293] <... exit_group resumed>) = ? [pid 5296] +++ exited with 0 +++ [pid 5294] +++ exited with 0 +++ [pid 5293] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5293, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./64", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./64", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./64/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./64/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./64/binderfs") = 0 [ 111.371868][ T5294] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 111.379834][ T5294] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 111.387799][ T5294] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 111.395764][ T5294] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 111.403744][ T5294] umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./64/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./64/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./64/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./64") = 0 mkdir("./65", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5297 ./strace-static-x86_64: Process 5297 attached [pid 5297] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5297] chdir("./65") = 0 [pid 5297] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5297] setpgid(0, 0) = 0 [pid 5297] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5297] write(3, "1000", 4) = 4 [pid 5297] close(3) = 0 [pid 5297] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5297] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5297] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5297] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5297] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5297] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5297] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5297] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5298]}, 88) = 5298 [pid 5297] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5297] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5297] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5298 attached [pid 5298] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5298] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5298] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5298] memfd_create("syzkaller", 0) = 3 [pid 5298] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5298] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5298] munmap(0x7f01272bc000, 16777216) = 0 [pid 5298] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5298] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5298] close(3) = 0 [pid 5298] mkdir("./file0", 0777) = 0 [ 111.711083][ T5298] loop0: detected capacity change from 0 to 32768 [ 111.723671][ T5298] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 111.732176][ T5298] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 111.742359][ T5298] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 111.751308][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 111.758078][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5298] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5298] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5298] chdir("./file0") = 0 [pid 5298] ioctl(4, LOOP_CLR_FD) = 0 [pid 5298] close(4) = 0 [pid 5298] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5298] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5297] <... futex resumed>) = 0 [pid 5297] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5297] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5298] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 111.790446][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 111.797959][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 111.803517][ T5298] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 111.819922][ T5298] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 111.830827][ T5298] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5298] open("./file0", O_RDWR [pid 5297] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5297] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5297] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5297] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5297] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5297] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5300]}, 88) = 5300 [pid 5297] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5297] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5297] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5300 attached [pid 5300] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5300] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5300] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5300] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5300] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5297] <... futex resumed>) = 0 [pid 5297] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5297] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5300] <... futex resumed>) = 1 [pid 5300] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5300] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5297] <... futex resumed>) = 0 [pid 5300] <... futex resumed>) = 1 [ 111.830827][ T5298] inode = 12 2341 [ 111.830827][ T5298] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 111.849802][ T5298] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 111.858947][ T5298] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5298 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 111.869721][ T5298] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 111.878948][ T5298] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 111.887183][ T5298] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 111.896532][ T5298] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 111.903320][ T5298] gfs2: fsid=syz:syz.0: File system withdrawn [ 111.909619][ T5298] CPU: 0 PID: 5298 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 111.920053][ T5298] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 111.930127][ T5298] Call Trace: [ 111.933423][ T5298] [ 111.936369][ T5298] dump_stack_lvl+0x1e7/0x2d0 [ 111.941058][ T5298] ? nf_tcp_handle_invalid+0x650/0x650 [ 111.946527][ T5298] ? panic+0x770/0x770 [ 111.950625][ T5298] gfs2_withdraw+0xc94/0x11e0 [ 111.955324][ T5298] gfs2_dirent_scan+0x512/0x640 [ 111.960186][ T5298] ? gfs2_permission+0x268/0x3c0 [ 111.965156][ T5298] ? gfs2_dirent_search+0x8c0/0x8c0 [ 111.970355][ T5298] gfs2_dirent_search+0x30e/0x8c0 [ 111.975378][ T5298] ? gfs2_dirent_search+0x8c0/0x8c0 [ 111.980568][ T5298] ? generic_permission+0x1df/0x550 [ 111.985857][ T5298] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5300] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5297] exit_group(0) = ? [pid 5300] <... futex resumed>) = ? [pid 5300] +++ exited with 0 +++ [ 111.990813][ T5298] ? gfs2_permission+0x34a/0x3c0 [ 111.995770][ T5298] gfs2_dir_search+0xb2/0x2f0 [ 112.000452][ T5298] ? do_filldir_main+0x520/0x520 [ 112.005403][ T5298] ? inode_go_held+0xea/0x200 [ 112.010173][ T5298] ? gfs2_glock_wait+0x21a/0x2b0 [ 112.015120][ T5298] gfs2_lookupi+0x460/0x5d0 [ 112.019632][ T5298] ? gfs2_lookup_simple+0x180/0x180 [ 112.024862][ T5298] ? __gfs2_lookup+0xa4/0x270 [ 112.029564][ T5298] __gfs2_lookup+0xa4/0x270 [ 112.034063][ T5298] ? gfs2_atomic_open+0x230/0x230 [ 112.039085][ T5298] ? __d_lookup+0x675/0x730 [ 112.043579][ T5298] ? d_hash_and_lookup+0x1b0/0x1b0 [ 112.048683][ T5298] gfs2_atomic_open+0x9e/0x230 [ 112.053460][ T5298] path_openat+0x1044/0x3180 [ 112.059716][ T5298] ? gfs2_rename2+0x25a0/0x25a0 [ 112.064577][ T5298] ? do_filp_open+0x490/0x490 [ 112.069272][ T5298] do_filp_open+0x234/0x490 [ 112.073801][ T5298] ? vfs_tmpfile+0x4b0/0x4b0 [ 112.078411][ T5298] ? _raw_spin_unlock+0x28/0x40 [ 112.083435][ T5298] ? alloc_fd+0x59c/0x640 [ 112.087955][ T5298] do_sys_openat2+0x13e/0x1d0 [ 112.092628][ T5298] ? do_sys_open+0x230/0x230 [ 112.097223][ T5298] ? lockdep_hardirqs_on+0x98/0x140 [ 112.102457][ T5298] ? _raw_spin_unlock_irq+0x2e/0x50 [ 112.107672][ T5298] ? ptrace_notify+0x278/0x380 [ 112.112439][ T5298] __x64_sys_open+0x225/0x270 [ 112.117110][ T5298] ? do_sys_openat2+0x1d0/0x1d0 [ 112.121955][ T5298] ? syscall_enter_from_user_mode+0x32/0x230 [ 112.127955][ T5298] ? syscall_enter_from_user_mode+0x8c/0x230 [ 112.133949][ T5298] do_syscall_64+0x41/0xc0 [ 112.138378][ T5298] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 112.144268][ T5298] RIP: 0033:0x7f012f71fa59 [ 112.148681][ T5298] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 112.168289][ T5298] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 112.176699][ T5298] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5298] <... open resumed>) = ? [pid 5298] +++ exited with 0 +++ [pid 5297] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5297, si_uid=0, si_status=0, si_utime=0, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./65", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./65/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./65/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./65/binderfs") = 0 [ 112.184662][ T5298] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 112.192636][ T5298] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 112.200612][ T5298] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 112.208594][ T5298] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 112.216571][ T5298] umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./65/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./65/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./65") = 0 mkdir("./66", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5301 ./strace-static-x86_64: Process 5301 attached [pid 5301] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5301] chdir("./66") = 0 [pid 5301] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5301] setpgid(0, 0) = 0 [pid 5301] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5301] write(3, "1000", 4) = 4 [pid 5301] close(3) = 0 [pid 5301] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5301] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5301] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5301] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5301] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5301] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5301] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5301] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5302]}, 88) = 5302 [pid 5301] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5301] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5301] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5302 attached [pid 5302] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5302] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5302] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5302] memfd_create("syzkaller", 0) = 3 [pid 5302] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5302] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5302] munmap(0x7f01272bc000, 16777216) = 0 [pid 5302] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5302] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5302] close(3) = 0 [pid 5302] mkdir("./file0", 0777) = 0 [ 112.522685][ T5302] loop0: detected capacity change from 0 to 32768 [ 112.534382][ T5302] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 112.543081][ T5302] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 112.553249][ T5302] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 112.562232][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 112.569009][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5302] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5302] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5302] chdir("./file0") = 0 [pid 5302] ioctl(4, LOOP_CLR_FD) = 0 [pid 5302] close(4) = 0 [pid 5302] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5301] <... futex resumed>) = 0 [pid 5302] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5301] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5302] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5301] <... futex resumed>) = 0 [pid 5302] open("./file0", O_RDWR [ 112.607074][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 112.614752][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 112.620101][ T5302] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 112.639214][ T5302] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 112.648197][ T5302] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 112.648197][ T5302] inode = 12 2341 [ 112.648197][ T5302] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 112.667311][ T5302] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 112.676602][ T5302] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5302 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 112.686744][ T5302] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 112.695257][ T5302] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5301] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5301] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5301] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5301] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5301] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5301] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5304]}, 88) = 5304 [pid 5301] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5301] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5301] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5304 attached [pid 5304] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5304] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5304] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5304] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5304] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5301] <... futex resumed>) = 0 [pid 5301] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5301] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5304] <... futex resumed>) = 1 [pid 5304] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5304] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5301] <... futex resumed>) = 0 [pid 5304] <... futex resumed>) = 1 [ 112.702622][ T5302] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 112.711947][ T5302] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 112.719207][ T5302] gfs2: fsid=syz:syz.0: File system withdrawn [ 112.725706][ T5302] CPU: 1 PID: 5302 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 112.736151][ T5302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 112.746227][ T5302] Call Trace: [ 112.749529][ T5302] [ 112.752469][ T5302] dump_stack_lvl+0x1e7/0x2d0 [ 112.757155][ T5302] ? nf_tcp_handle_invalid+0x650/0x650 [ 112.762627][ T5302] ? panic+0x770/0x770 [ 112.766911][ T5302] gfs2_withdraw+0xc94/0x11e0 [ 112.771705][ T5302] gfs2_dirent_scan+0x512/0x640 [ 112.776572][ T5302] ? gfs2_permission+0x268/0x3c0 [ 112.781531][ T5302] ? gfs2_dirent_search+0x8c0/0x8c0 [ 112.786755][ T5302] gfs2_dirent_search+0x30e/0x8c0 [ 112.791816][ T5302] ? gfs2_dirent_search+0x8c0/0x8c0 [ 112.797031][ T5302] ? generic_permission+0x1df/0x550 [ 112.802264][ T5302] ? gfs2_dir_search+0x2f0/0x2f0 [ 112.807232][ T5302] ? gfs2_permission+0x34a/0x3c0 [ 112.812188][ T5302] gfs2_dir_search+0xb2/0x2f0 [ 112.816881][ T5302] ? do_filldir_main+0x520/0x520 [ 112.821828][ T5302] ? inode_go_held+0xea/0x200 [ 112.826550][ T5302] ? gfs2_glock_wait+0x21a/0x2b0 [ 112.831518][ T5302] gfs2_lookupi+0x460/0x5d0 [ 112.836060][ T5302] ? gfs2_lookup_simple+0x180/0x180 [ 112.841282][ T5302] ? __gfs2_lookup+0xa4/0x270 [ 112.845961][ T5302] __gfs2_lookup+0xa4/0x270 [ 112.850462][ T5302] ? gfs2_atomic_open+0x230/0x230 [ 112.855493][ T5302] ? __d_lookup+0x675/0x730 [ 112.859988][ T5302] ? d_hash_and_lookup+0x1b0/0x1b0 [ 112.865179][ T5302] gfs2_atomic_open+0x9e/0x230 [ 112.869970][ T5302] path_openat+0x1044/0x3180 [ 112.874601][ T5302] ? gfs2_rename2+0x25a0/0x25a0 [ 112.879474][ T5302] ? do_filp_open+0x490/0x490 [ 112.884167][ T5302] do_filp_open+0x234/0x490 [ 112.888671][ T5302] ? vfs_tmpfile+0x4b0/0x4b0 [ 112.893356][ T5302] ? _raw_spin_unlock+0x28/0x40 [ 112.898200][ T5302] ? alloc_fd+0x59c/0x640 [ 112.902529][ T5302] do_sys_openat2+0x13e/0x1d0 [ 112.907206][ T5302] ? do_sys_open+0x230/0x230 [ 112.911793][ T5302] ? lockdep_hardirqs_on+0x98/0x140 [ 112.916987][ T5302] ? _raw_spin_unlock_irq+0x2e/0x50 [ 112.922179][ T5302] ? ptrace_notify+0x278/0x380 [ 112.926940][ T5302] __x64_sys_open+0x225/0x270 [ 112.931634][ T5302] ? do_sys_openat2+0x1d0/0x1d0 [ 112.936500][ T5302] ? syscall_enter_from_user_mode+0x32/0x230 [ 112.942572][ T5302] ? syscall_enter_from_user_mode+0x8c/0x230 [ 112.948559][ T5302] do_syscall_64+0x41/0xc0 [ 112.952993][ T5302] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 112.958906][ T5302] RIP: 0033:0x7f012f71fa59 [ 112.963322][ T5302] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 112.982944][ T5302] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 112.991362][ T5302] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 112.999324][ T5302] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5304] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5302] <... open resumed>) = -1 EIO (Input/output error) [pid 5302] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5302] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5301] exit_group(0 [pid 5304] <... futex resumed>) = ? [pid 5301] <... exit_group resumed>) = ? [pid 5304] +++ exited with 0 +++ [pid 5302] <... futex resumed>) = ? [pid 5302] +++ exited with 0 +++ [pid 5301] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5301, si_uid=0, si_status=0, si_utime=0, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./66", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./66/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./66/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./66/binderfs") = 0 [ 113.007289][ T5302] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 113.015251][ T5302] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 113.023248][ T5302] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 113.031230][ T5302] umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./66/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./66/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./66") = 0 mkdir("./67", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5305 ./strace-static-x86_64: Process 5305 attached [pid 5305] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5305] chdir("./67") = 0 [pid 5305] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5305] setpgid(0, 0) = 0 [pid 5305] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5305] write(3, "1000", 4) = 4 [pid 5305] close(3) = 0 [pid 5305] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5305] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5305] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5305] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5305] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5305] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5305] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5305] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5306]}, 88) = 5306 [pid 5305] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5305] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5305] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5306 attached [pid 5306] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5306] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5306] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5306] memfd_create("syzkaller", 0) = 3 [pid 5306] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5306] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5306] munmap(0x7f01272bc000, 16777216) = 0 [pid 5306] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5306] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5306] close(3) = 0 [pid 5306] mkdir("./file0", 0777) = 0 [ 113.333118][ T5306] loop0: detected capacity change from 0 to 32768 [ 113.344553][ T5306] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 113.352925][ T5306] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 113.362607][ T5306] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 113.371953][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 113.378853][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5306] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5306] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5306] chdir("./file0") = 0 [pid 5306] ioctl(4, LOOP_CLR_FD) = 0 [pid 5306] close(4) = 0 [pid 5306] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5305] <... futex resumed>) = 0 [pid 5306] open("./file0", O_RDWR [pid 5305] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 113.410617][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 31ms [ 113.419048][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 113.424419][ T5306] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 113.447376][ T5306] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 113.457249][ T5306] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 113.457249][ T5306] inode = 12 2341 [ 113.457249][ T5306] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 113.476435][ T5306] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 113.485919][ T5306] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5306 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 113.496693][ T5306] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5305] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5305] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5305] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5305] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5305] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5305] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5308]}, 88) = 5308 [pid 5305] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5305] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5305] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5308 attached [pid 5308] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5308] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5308] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5308] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5308] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5305] <... futex resumed>) = 0 [pid 5305] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5305] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5308] <... futex resumed>) = 1 [pid 5308] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5308] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5305] <... futex resumed>) = 0 [pid 5308] <... futex resumed>) = 1 [ 113.505409][ T5306] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 113.512960][ T5306] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 113.522315][ T5306] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 113.531576][ T5306] gfs2: fsid=syz:syz.0: File system withdrawn [ 113.537834][ T5306] CPU: 1 PID: 5306 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 113.548271][ T5306] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 113.558333][ T5306] Call Trace: [ 113.561620][ T5306] [ 113.564557][ T5306] dump_stack_lvl+0x1e7/0x2d0 [ 113.569252][ T5306] ? nf_tcp_handle_invalid+0x650/0x650 [ 113.574727][ T5306] ? panic+0x770/0x770 [ 113.578812][ T5306] gfs2_withdraw+0xc94/0x11e0 [ 113.584731][ T5306] gfs2_dirent_scan+0x512/0x640 [ 113.589682][ T5306] ? gfs2_permission+0x268/0x3c0 [ 113.595404][ T5306] ? gfs2_dirent_search+0x8c0/0x8c0 [ 113.600697][ T5306] gfs2_dirent_search+0x30e/0x8c0 [ 113.605736][ T5306] ? gfs2_dirent_search+0x8c0/0x8c0 [ 113.610929][ T5306] ? generic_permission+0x1df/0x550 [ 113.616123][ T5306] ? gfs2_dir_search+0x2f0/0x2f0 [ 113.621064][ T5306] ? gfs2_permission+0x34a/0x3c0 [ 113.626107][ T5306] gfs2_dir_search+0xb2/0x2f0 [ 113.630792][ T5306] ? do_filldir_main+0x520/0x520 [ 113.635748][ T5306] ? inode_go_held+0xea/0x200 [ 113.640433][ T5306] ? gfs2_glock_wait+0x21a/0x2b0 [ 113.645369][ T5306] gfs2_lookupi+0x460/0x5d0 [ 113.649882][ T5306] ? gfs2_lookup_simple+0x180/0x180 [ 113.655086][ T5306] ? __gfs2_lookup+0xa4/0x270 [ 113.659945][ T5306] __gfs2_lookup+0xa4/0x270 [ 113.664446][ T5306] ? gfs2_atomic_open+0x230/0x230 [ 113.669636][ T5306] ? __d_lookup+0x675/0x730 [ 113.674132][ T5306] ? d_hash_and_lookup+0x1b0/0x1b0 [ 113.679240][ T5306] gfs2_atomic_open+0x9e/0x230 [ 113.684003][ T5306] path_openat+0x1044/0x3180 [ 113.688602][ T5306] ? gfs2_rename2+0x25a0/0x25a0 [ 113.693458][ T5306] ? do_filp_open+0x490/0x490 [ 113.698138][ T5306] do_filp_open+0x234/0x490 [ 113.702635][ T5306] ? vfs_tmpfile+0x4b0/0x4b0 [ 113.707232][ T5306] ? _raw_spin_unlock+0x28/0x40 [ 113.712172][ T5306] ? alloc_fd+0x59c/0x640 [ 113.716519][ T5306] do_sys_openat2+0x13e/0x1d0 [ 113.721195][ T5306] ? do_sys_open+0x230/0x230 [ 113.725805][ T5306] ? lockdep_hardirqs_on+0x98/0x140 [ 113.731207][ T5306] ? _raw_spin_unlock_irq+0x2e/0x50 [ 113.736416][ T5306] ? ptrace_notify+0x278/0x380 [ 113.741278][ T5306] __x64_sys_open+0x225/0x270 [ 113.745963][ T5306] ? do_sys_openat2+0x1d0/0x1d0 [ 113.750904][ T5306] ? syscall_enter_from_user_mode+0x32/0x230 [ 113.756892][ T5306] ? syscall_enter_from_user_mode+0x8c/0x230 [ 113.762869][ T5306] do_syscall_64+0x41/0xc0 [ 113.767279][ T5306] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 113.773165][ T5306] RIP: 0033:0x7f012f71fa59 [ 113.777575][ T5306] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 113.797262][ T5306] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [pid 5308] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5306] <... open resumed>) = -1 EIO (Input/output error) [pid 5306] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5306] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5305] exit_group(0 [pid 5308] <... futex resumed>) = ? [pid 5306] <... futex resumed>) = ? [pid 5305] <... exit_group resumed>) = ? [pid 5308] +++ exited with 0 +++ [pid 5306] +++ exited with 0 +++ [pid 5305] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5305, si_uid=0, si_status=0, si_utime=0, si_stime=32 /* 0.32 s */} --- umount2("./67", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./67/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./67/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./67/binderfs") = 0 [ 113.805757][ T5306] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 113.813720][ T5306] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 113.821680][ T5306] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 113.829643][ T5306] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 113.837605][ T5306] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 113.850622][ T5306] umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./67/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./67/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./67") = 0 mkdir("./68", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5309 ./strace-static-x86_64: Process 5309 attached [pid 5309] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5309] chdir("./68") = 0 [pid 5309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5309] setpgid(0, 0) = 0 [pid 5309] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5309] write(3, "1000", 4) = 4 [pid 5309] close(3) = 0 [pid 5309] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5309] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5309] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5309] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5309] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5309] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5309] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5310]}, 88) = 5310 [pid 5309] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5309] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5310 attached [pid 5310] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5310] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5310] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5310] memfd_create("syzkaller", 0) = 3 [pid 5310] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5310] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5310] munmap(0x7f01272bc000, 16777216) = 0 [pid 5310] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5310] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5310] close(3) = 0 [pid 5310] mkdir("./file0", 0777) = 0 [ 114.162944][ T5310] loop0: detected capacity change from 0 to 32768 [ 114.174470][ T5310] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 114.188164][ T5310] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 114.197846][ T5310] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 114.206617][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 114.213735][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [ 114.247355][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 114.255002][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [pid 5310] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5310] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5310] chdir("./file0") = 0 [pid 5310] ioctl(4, LOOP_CLR_FD) = 0 [pid 5310] close(4) = 0 [pid 5310] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5309] <... futex resumed>) = 0 [pid 5309] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5310] <... futex resumed>) = 1 [ 114.260439][ T5310] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 114.275111][ T5310] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 114.284321][ T5310] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 114.284321][ T5310] inode = 12 2341 [ 114.284321][ T5310] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 114.303546][ T5310] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [pid 5310] open("./file0", O_RDWR [pid 5309] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5309] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5309] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5309] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5309] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5312]}, 88) = 5312 [pid 5309] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5309] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5312 attached [pid 5312] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5312] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5312] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5312] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5312] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5309] <... futex resumed>) = 0 [pid 5309] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5312] <... futex resumed>) = 1 [pid 5312] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5312] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5309] <... futex resumed>) = 0 [pid 5312] <... futex resumed>) = 1 [ 114.312957][ T5310] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5310 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 114.323270][ T5310] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 114.332132][ T5310] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 114.339713][ T5310] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 114.348504][ T5310] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 114.355461][ T5310] gfs2: fsid=syz:syz.0: File system withdrawn [ 114.361717][ T5310] CPU: 1 PID: 5310 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 114.372141][ T5310] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 114.382273][ T5310] Call Trace: [ 114.385535][ T5310] [ 114.388454][ T5310] dump_stack_lvl+0x1e7/0x2d0 [ 114.393118][ T5310] ? nf_tcp_handle_invalid+0x650/0x650 [ 114.398644][ T5310] ? panic+0x770/0x770 [ 114.402704][ T5310] gfs2_withdraw+0xc94/0x11e0 [ 114.407370][ T5310] gfs2_dirent_scan+0x512/0x640 [ 114.412210][ T5310] ? gfs2_permission+0x268/0x3c0 [ 114.417134][ T5310] ? gfs2_dirent_search+0x8c0/0x8c0 [ 114.422319][ T5310] gfs2_dirent_search+0x30e/0x8c0 [ 114.427345][ T5310] ? gfs2_dirent_search+0x8c0/0x8c0 [ 114.432616][ T5310] ? generic_permission+0x1df/0x550 [ 114.438085][ T5310] ? gfs2_dir_search+0x2f0/0x2f0 [ 114.443007][ T5310] ? gfs2_permission+0x34a/0x3c0 [ 114.447970][ T5310] gfs2_dir_search+0xb2/0x2f0 [ 114.452634][ T5310] ? do_filldir_main+0x520/0x520 [ 114.457557][ T5310] ? inode_go_held+0xea/0x200 [ 114.462223][ T5310] ? gfs2_glock_wait+0x21a/0x2b0 [ 114.467231][ T5310] gfs2_lookupi+0x460/0x5d0 [ 114.471730][ T5310] ? gfs2_lookup_simple+0x180/0x180 [ 114.477019][ T5310] ? __gfs2_lookup+0xa4/0x270 [ 114.481684][ T5310] __gfs2_lookup+0xa4/0x270 [ 114.486173][ T5310] ? gfs2_atomic_open+0x230/0x230 [ 114.491272][ T5310] ? __d_lookup+0x675/0x730 [ 114.495757][ T5310] ? d_hash_and_lookup+0x1b0/0x1b0 [ 114.500856][ T5310] gfs2_atomic_open+0x9e/0x230 [ 114.505779][ T5310] path_openat+0x1044/0x3180 [ 114.510360][ T5310] ? gfs2_rename2+0x25a0/0x25a0 [ 114.515200][ T5310] ? do_filp_open+0x490/0x490 [ 114.519869][ T5310] do_filp_open+0x234/0x490 [ 114.524354][ T5310] ? vfs_tmpfile+0x4b0/0x4b0 [ 114.528944][ T5310] ? _raw_spin_unlock+0x28/0x40 [ 114.533797][ T5310] ? alloc_fd+0x59c/0x640 [ 114.538132][ T5310] do_sys_openat2+0x13e/0x1d0 [ 114.542810][ T5310] ? do_sys_open+0x230/0x230 [ 114.547393][ T5310] ? lockdep_hardirqs_on+0x98/0x140 [ 114.552585][ T5310] ? _raw_spin_unlock_irq+0x2e/0x50 [ 114.557769][ T5310] ? ptrace_notify+0x278/0x380 [ 114.562535][ T5310] __x64_sys_open+0x225/0x270 [ 114.567226][ T5310] ? do_sys_openat2+0x1d0/0x1d0 [ 114.572082][ T5310] ? syscall_enter_from_user_mode+0x32/0x230 [ 114.578063][ T5310] ? syscall_enter_from_user_mode+0x8c/0x230 [ 114.584041][ T5310] do_syscall_64+0x41/0xc0 [ 114.588451][ T5310] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 114.594335][ T5310] RIP: 0033:0x7f012f71fa59 [ 114.598753][ T5310] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 114.618347][ T5310] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 114.626837][ T5310] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 114.634793][ T5310] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 114.642838][ T5310] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 114.650795][ T5310] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [pid 5312] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5310] <... open resumed>) = -1 EIO (Input/output error) [pid 5310] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5309] exit_group(0 [pid 5312] <... futex resumed>) = ? [pid 5309] <... exit_group resumed>) = ? [pid 5312] +++ exited with 0 +++ [pid 5310] <... futex resumed>) = ? [pid 5310] +++ exited with 0 +++ [pid 5309] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5309, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=29 /* 0.29 s */} --- umount2("./68", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./68", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./68/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./68/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./68/binderfs") = 0 [ 114.658752][ T5310] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 114.666725][ T5310] umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./68/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./68/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./68/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./68") = 0 mkdir("./69", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5313 ./strace-static-x86_64: Process 5313 attached [pid 5313] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5313] chdir("./69") = 0 [pid 5313] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5313] setpgid(0, 0) = 0 [pid 5313] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5313] write(3, "1000", 4) = 4 [pid 5313] close(3) = 0 [pid 5313] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5313] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5313] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5313] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5313] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5313] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5313] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5313] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5314]}, 88) = 5314 [pid 5313] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5313] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5313] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5314 attached [pid 5314] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5314] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5314] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5314] memfd_create("syzkaller", 0) = 3 [pid 5314] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5314] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5314] munmap(0x7f01272bc000, 16777216) = 0 [pid 5314] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5314] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5314] close(3) = 0 [pid 5314] mkdir("./file0", 0777) = 0 [ 114.972676][ T5314] loop0: detected capacity change from 0 to 32768 [ 114.983243][ T5314] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 114.991544][ T5314] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 115.000846][ T5314] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 115.009126][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 115.016225][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5314] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5314] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5314] chdir("./file0") = 0 [pid 5314] ioctl(4, LOOP_CLR_FD) = 0 [pid 5314] close(4) = 0 [pid 5314] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5313] <... futex resumed>) = 0 [pid 5313] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5313] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5314] <... futex resumed>) = 1 [ 115.052368][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 115.060715][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 115.066157][ T5314] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5314] open("./file0", O_RDWR [pid 5313] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5313] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5313] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [ 115.103765][ T5314] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 115.112167][ T5314] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 115.112167][ T5314] inode = 12 2341 [ 115.112167][ T5314] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 115.131561][ T5314] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 115.141871][ T5314] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5314 [syz-executor198] __gfs2_lookup+0xa4/0x270 [pid 5313] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5313] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5313] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5316]}, 88) = 5316 [pid 5313] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5313] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5313] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5316 attached [pid 5316] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5316] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5316] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5316] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5316] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5313] <... futex resumed>) = 0 [pid 5313] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5313] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5316] <... futex resumed>) = 1 [pid 5316] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5316] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5313] <... futex resumed>) = 0 [pid 5316] <... futex resumed>) = 1 [ 115.152219][ T5314] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 115.161031][ T5314] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 115.168700][ T5314] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 115.177910][ T5314] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 115.184681][ T5314] gfs2: fsid=syz:syz.0: File system withdrawn [ 115.191218][ T5314] CPU: 0 PID: 5314 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 115.201654][ T5314] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 115.211699][ T5314] Call Trace: [ 115.214981][ T5314] [ 115.218012][ T5314] dump_stack_lvl+0x1e7/0x2d0 [ 115.222723][ T5314] ? nf_tcp_handle_invalid+0x650/0x650 [ 115.228174][ T5314] ? panic+0x770/0x770 [ 115.232281][ T5314] gfs2_withdraw+0xc94/0x11e0 [ 115.237184][ T5314] gfs2_dirent_scan+0x512/0x640 [ 115.242055][ T5314] ? gfs2_permission+0x268/0x3c0 [ 115.247020][ T5314] ? gfs2_dirent_search+0x8c0/0x8c0 [pid 5316] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5313] exit_group(0 [pid 5316] <... futex resumed>) = ? [pid 5313] <... exit_group resumed>) = ? [pid 5316] +++ exited with 0 +++ [ 115.252250][ T5314] gfs2_dirent_search+0x30e/0x8c0 [ 115.257287][ T5314] ? gfs2_dirent_search+0x8c0/0x8c0 [ 115.262498][ T5314] ? generic_permission+0x1df/0x550 [ 115.267688][ T5314] ? gfs2_dir_search+0x2f0/0x2f0 [ 115.272720][ T5314] ? gfs2_permission+0x34a/0x3c0 [ 115.277943][ T5314] gfs2_dir_search+0xb2/0x2f0 [ 115.282641][ T5314] ? do_filldir_main+0x520/0x520 [ 115.287581][ T5314] ? inode_go_held+0xea/0x200 [ 115.292259][ T5314] ? gfs2_glock_wait+0x21a/0x2b0 [ 115.297215][ T5314] gfs2_lookupi+0x460/0x5d0 [ 115.301740][ T5314] ? gfs2_lookup_simple+0x180/0x180 [ 115.306962][ T5314] ? __gfs2_lookup+0xa4/0x270 [ 115.311734][ T5314] __gfs2_lookup+0xa4/0x270 [ 115.316257][ T5314] ? gfs2_atomic_open+0x230/0x230 [ 115.321295][ T5314] ? __d_lookup+0x675/0x730 [ 115.325804][ T5314] ? d_hash_and_lookup+0x1b0/0x1b0 [ 115.330927][ T5314] gfs2_atomic_open+0x9e/0x230 [ 115.335691][ T5314] path_openat+0x1044/0x3180 [ 115.340276][ T5314] ? gfs2_rename2+0x25a0/0x25a0 [ 115.345216][ T5314] ? do_filp_open+0x490/0x490 [ 115.349896][ T5314] do_filp_open+0x234/0x490 [ 115.354403][ T5314] ? vfs_tmpfile+0x4b0/0x4b0 [ 115.359196][ T5314] ? _raw_spin_unlock+0x28/0x40 [ 115.364068][ T5314] ? alloc_fd+0x59c/0x640 [ 115.368441][ T5314] do_sys_openat2+0x13e/0x1d0 [ 115.373145][ T5314] ? do_sys_open+0x230/0x230 [ 115.377739][ T5314] ? lockdep_hardirqs_on+0x98/0x140 [ 115.382949][ T5314] ? _raw_spin_unlock_irq+0x2e/0x50 [ 115.388225][ T5314] ? ptrace_notify+0x278/0x380 [ 115.393038][ T5314] __x64_sys_open+0x225/0x270 [ 115.397716][ T5314] ? do_sys_openat2+0x1d0/0x1d0 [ 115.402559][ T5314] ? syscall_enter_from_user_mode+0x32/0x230 [ 115.408537][ T5314] ? syscall_enter_from_user_mode+0x8c/0x230 [ 115.414528][ T5314] do_syscall_64+0x41/0xc0 [ 115.418956][ T5314] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 115.424866][ T5314] RIP: 0033:0x7f012f71fa59 [ 115.429288][ T5314] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [pid 5314] <... open resumed>) = ? [pid 5314] +++ exited with 0 +++ [pid 5313] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5313, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=26 /* 0.26 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./69", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./69", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./69/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./69/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./69/binderfs") = 0 [ 115.448994][ T5314] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 115.457418][ T5314] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 115.465487][ T5314] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 115.473465][ T5314] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 115.481447][ T5314] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 115.489423][ T5314] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 115.497673][ T5314] umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./69/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./69/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./69/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./69") = 0 mkdir("./70", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5317 ./strace-static-x86_64: Process 5317 attached [pid 5317] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5317] chdir("./70") = 0 [pid 5317] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5317] setpgid(0, 0) = 0 [pid 5317] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5317] write(3, "1000", 4) = 4 [pid 5317] close(3) = 0 [pid 5317] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5317] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5317] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5317] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5317] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5317] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5317] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5317] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5318]}, 88) = 5318 [pid 5317] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5317] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5317] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5318 attached [pid 5318] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5318] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5318] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5318] memfd_create("syzkaller", 0) = 3 [pid 5318] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5318] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5318] munmap(0x7f01272bc000, 16777216) = 0 [pid 5318] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5318] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5318] close(3) = 0 [pid 5318] mkdir("./file0", 0777) = 0 [ 115.797891][ T5318] loop0: detected capacity change from 0 to 32768 [ 115.818317][ T5318] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 115.826640][ T5318] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 115.836934][ T5318] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 115.845951][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 115.853049][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [ 115.887199][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [pid 5318] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5318] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5318] chdir("./file0") = 0 [pid 5318] ioctl(4, LOOP_CLR_FD) = 0 [pid 5318] close(4) = 0 [pid 5318] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5317] <... futex resumed>) = 0 [pid 5317] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5317] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5318] <... futex resumed>) = 1 [ 115.895525][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 115.901270][ T5318] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 115.915944][ T5318] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 115.924804][ T5318] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 115.924804][ T5318] inode = 12 2341 [ 115.924804][ T5318] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [pid 5318] open("./file0", O_RDWR [pid 5317] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5317] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5317] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5317] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5317] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5317] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5320]}, 88) = 5320 [pid 5317] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5317] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5317] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5320 attached [pid 5320] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5320] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5320] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5320] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5320] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5317] <... futex resumed>) = 0 [pid 5317] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5317] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5320] <... futex resumed>) = 1 [pid 5320] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5320] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5317] <... futex resumed>) = 0 [pid 5320] <... futex resumed>) = 1 [ 115.943669][ T5318] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 115.953164][ T5318] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5318 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 115.963389][ T5318] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 115.974016][ T5318] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 115.984111][ T5318] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 115.993207][ T5318] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 116.000013][ T5318] gfs2: fsid=syz:syz.0: File system withdrawn [ 116.006138][ T5318] CPU: 0 PID: 5318 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 116.016733][ T5318] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 116.026783][ T5318] Call Trace: [ 116.030064][ T5318] [ 116.033007][ T5318] dump_stack_lvl+0x1e7/0x2d0 [ 116.037686][ T5318] ? nf_tcp_handle_invalid+0x650/0x650 [ 116.043142][ T5318] ? panic+0x770/0x770 [ 116.047217][ T5318] gfs2_withdraw+0xc94/0x11e0 [ 116.051917][ T5318] gfs2_dirent_scan+0x512/0x640 [ 116.056788][ T5318] ? gfs2_permission+0x268/0x3c0 [ 116.061745][ T5318] ? gfs2_dirent_search+0x8c0/0x8c0 [ 116.066972][ T5318] gfs2_dirent_search+0x30e/0x8c0 [ 116.072051][ T5318] ? gfs2_dirent_search+0x8c0/0x8c0 [ 116.077272][ T5318] ? generic_permission+0x1df/0x550 [ 116.082485][ T5318] ? gfs2_dir_search+0x2f0/0x2f0 [ 116.087432][ T5318] ? gfs2_permission+0x34a/0x3c0 [ 116.092390][ T5318] gfs2_dir_search+0xb2/0x2f0 [pid 5320] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5317] exit_group(0 [pid 5320] <... futex resumed>) = ? [pid 5317] <... exit_group resumed>) = ? [pid 5320] +++ exited with 0 +++ [ 116.097080][ T5318] ? do_filldir_main+0x520/0x520 [ 116.102120][ T5318] ? inode_go_held+0xea/0x200 [ 116.106822][ T5318] ? gfs2_glock_wait+0x21a/0x2b0 [ 116.111781][ T5318] gfs2_lookupi+0x460/0x5d0 [ 116.116304][ T5318] ? gfs2_lookup_simple+0x180/0x180 [ 116.121527][ T5318] ? __gfs2_lookup+0xa4/0x270 [ 116.126227][ T5318] __gfs2_lookup+0xa4/0x270 [ 116.130779][ T5318] ? gfs2_atomic_open+0x230/0x230 [ 116.135804][ T5318] ? __d_lookup+0x675/0x730 [ 116.140304][ T5318] ? d_hash_and_lookup+0x1b0/0x1b0 [ 116.145412][ T5318] gfs2_atomic_open+0x9e/0x230 [ 116.150272][ T5318] path_openat+0x1044/0x3180 [ 116.154878][ T5318] ? gfs2_rename2+0x25a0/0x25a0 [ 116.159739][ T5318] ? do_filp_open+0x490/0x490 [ 116.164431][ T5318] do_filp_open+0x234/0x490 [ 116.168925][ T5318] ? vfs_tmpfile+0x4b0/0x4b0 [ 116.173547][ T5318] ? _raw_spin_unlock+0x28/0x40 [ 116.178410][ T5318] ? alloc_fd+0x59c/0x640 [ 116.182737][ T5318] do_sys_openat2+0x13e/0x1d0 [ 116.187415][ T5318] ? do_sys_open+0x230/0x230 [ 116.192002][ T5318] ? lockdep_hardirqs_on+0x98/0x140 [ 116.197457][ T5318] ? _raw_spin_unlock_irq+0x2e/0x50 [ 116.202647][ T5318] ? ptrace_notify+0x278/0x380 [ 116.207408][ T5318] __x64_sys_open+0x225/0x270 [ 116.212099][ T5318] ? do_sys_openat2+0x1d0/0x1d0 [ 116.216948][ T5318] ? syscall_enter_from_user_mode+0x32/0x230 [ 116.222942][ T5318] ? syscall_enter_from_user_mode+0x8c/0x230 [ 116.228920][ T5318] do_syscall_64+0x41/0xc0 [ 116.233342][ T5318] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 116.239258][ T5318] RIP: 0033:0x7f012f71fa59 [ 116.243680][ T5318] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 116.263386][ T5318] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 116.271819][ T5318] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 116.279794][ T5318] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 116.287783][ T5318] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5318] <... open resumed>) = ? [pid 5318] +++ exited with 0 +++ [pid 5317] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5317, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./70", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./70", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./70/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./70/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./70/binderfs") = 0 [ 116.295760][ T5318] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 116.303725][ T5318] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 116.311706][ T5318] umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./70/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./70/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./70/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./70") = 0 mkdir("./71", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5321 ./strace-static-x86_64: Process 5321 attached [pid 5321] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5321] chdir("./71") = 0 [pid 5321] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5321] setpgid(0, 0) = 0 [pid 5321] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5321] write(3, "1000", 4) = 4 [pid 5321] close(3) = 0 [pid 5321] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5321] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5321] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5321] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5321] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5321] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5321] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5321] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5322 attached => {parent_tid=[5322]}, 88) = 5322 [pid 5321] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5321] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5321] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5322] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5322] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5322] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5322] memfd_create("syzkaller", 0) = 3 [pid 5322] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5322] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5322] munmap(0x7f01272bc000, 16777216) = 0 [pid 5322] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5322] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5322] close(3) = 0 [pid 5322] mkdir("./file0", 0777) = 0 [ 116.622923][ T5322] loop0: detected capacity change from 0 to 32768 [ 116.633207][ T5322] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 116.641478][ T5322] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 116.650939][ T5322] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 116.659785][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 116.666561][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5322] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5322] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5322] chdir("./file0") = 0 [pid 5322] ioctl(4, LOOP_CLR_FD) = 0 [pid 5322] close(4) = 0 [pid 5322] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5321] <... futex resumed>) = 0 [pid 5321] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5321] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 116.699875][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 116.708809][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 116.715967][ T5322] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 116.735620][ T5322] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5322] open("./file0", O_RDWR [pid 5321] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5321] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5321] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5321] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5321] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5321] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5324]}, 88) = 5324 [pid 5321] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5321] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5321] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5324 attached [pid 5324] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5324] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5324] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5324] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5324] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5321] <... futex resumed>) = 0 [pid 5321] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5321] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5324] <... futex resumed>) = 1 [ 116.744808][ T5322] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 116.744808][ T5322] inode = 12 2341 [ 116.744808][ T5322] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 116.764110][ T5322] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 116.773855][ T5322] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5322 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 116.784513][ T5322] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 116.793287][ T5322] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5324] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5324] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5321] <... futex resumed>) = 0 [pid 5324] <... futex resumed>) = 1 [ 116.800880][ T5322] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 116.809898][ T5322] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 116.817408][ T5322] gfs2: fsid=syz:syz.0: File system withdrawn [ 116.823779][ T5322] CPU: 0 PID: 5322 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 116.834393][ T5322] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 116.844531][ T5322] Call Trace: [ 116.847890][ T5322] [ 116.850824][ T5322] dump_stack_lvl+0x1e7/0x2d0 [ 116.855526][ T5322] ? nf_tcp_handle_invalid+0x650/0x650 [ 116.861072][ T5322] ? panic+0x770/0x770 [ 116.865140][ T5322] gfs2_withdraw+0xc94/0x11e0 [ 116.869819][ T5322] gfs2_dirent_scan+0x512/0x640 [ 116.874703][ T5322] ? gfs2_permission+0x268/0x3c0 [ 116.879656][ T5322] ? gfs2_dirent_search+0x8c0/0x8c0 [ 116.884868][ T5322] gfs2_dirent_search+0x30e/0x8c0 [ 116.889906][ T5322] ? gfs2_dirent_search+0x8c0/0x8c0 [ 116.895120][ T5322] ? generic_permission+0x1df/0x550 [pid 5324] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5321] exit_group(0 [pid 5324] <... futex resumed>) = ? [pid 5321] <... exit_group resumed>) = ? [pid 5324] +++ exited with 0 +++ [ 116.900842][ T5322] ? gfs2_dir_search+0x2f0/0x2f0 [ 116.905799][ T5322] ? gfs2_permission+0x34a/0x3c0 [ 116.910749][ T5322] gfs2_dir_search+0xb2/0x2f0 [ 116.915437][ T5322] ? do_filldir_main+0x520/0x520 [ 116.920379][ T5322] ? inode_go_held+0xea/0x200 [ 116.925080][ T5322] ? gfs2_glock_wait+0x21a/0x2b0 [ 116.930041][ T5322] gfs2_lookupi+0x460/0x5d0 [ 116.934559][ T5322] ? gfs2_lookup_simple+0x180/0x180 [ 116.939774][ T5322] ? __gfs2_lookup+0xa4/0x270 [ 116.944462][ T5322] __gfs2_lookup+0xa4/0x270 [ 116.948967][ T5322] ? gfs2_atomic_open+0x230/0x230 [ 116.953990][ T5322] ? __d_lookup+0x675/0x730 [ 116.958486][ T5322] ? d_hash_and_lookup+0x1b0/0x1b0 [ 116.963594][ T5322] gfs2_atomic_open+0x9e/0x230 [ 116.968372][ T5322] path_openat+0x1044/0x3180 [ 116.972993][ T5322] ? gfs2_rename2+0x25a0/0x25a0 [ 116.977845][ T5322] ? do_filp_open+0x490/0x490 [ 116.982530][ T5322] do_filp_open+0x234/0x490 [ 116.987026][ T5322] ? vfs_tmpfile+0x4b0/0x4b0 [ 116.991635][ T5322] ? _raw_spin_unlock+0x28/0x40 [ 116.996493][ T5322] ? alloc_fd+0x59c/0x640 [ 117.000818][ T5322] do_sys_openat2+0x13e/0x1d0 [ 117.005491][ T5322] ? do_sys_open+0x230/0x230 [ 117.010075][ T5322] ? lockdep_hardirqs_on+0x98/0x140 [ 117.016153][ T5322] ? _raw_spin_unlock_irq+0x2e/0x50 [ 117.021364][ T5322] ? ptrace_notify+0x278/0x380 [ 117.026122][ T5322] __x64_sys_open+0x225/0x270 [ 117.030885][ T5322] ? do_sys_openat2+0x1d0/0x1d0 [ 117.035727][ T5322] ? syscall_enter_from_user_mode+0x32/0x230 [ 117.041791][ T5322] ? syscall_enter_from_user_mode+0x8c/0x230 [ 117.047764][ T5322] do_syscall_64+0x41/0xc0 [ 117.052183][ T5322] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 117.058070][ T5322] RIP: 0033:0x7f012f71fa59 [ 117.062482][ T5322] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 117.082098][ T5322] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 117.090510][ T5322] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5322] <... open resumed>) = ? [pid 5322] +++ exited with 0 +++ [pid 5321] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5321, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./71", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./71/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./71/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./71/binderfs") = 0 [ 117.098564][ T5322] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 117.106618][ T5322] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 117.114591][ T5322] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 117.123335][ T5322] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 117.131397][ T5322] umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./71/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./71/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./71") = 0 mkdir("./72", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5325 ./strace-static-x86_64: Process 5325 attached [pid 5325] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5325] chdir("./72") = 0 [pid 5325] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5325] setpgid(0, 0) = 0 [pid 5325] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5325] write(3, "1000", 4) = 4 [pid 5325] close(3) = 0 [pid 5325] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5325] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5325] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5325] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5325] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5325] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5325] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5325] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5326]}, 88) = 5326 [pid 5325] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5325] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5325] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5326 attached [pid 5326] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5326] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5326] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5326] memfd_create("syzkaller", 0) = 3 [pid 5326] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5326] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5326] munmap(0x7f01272bc000, 16777216) = 0 [pid 5326] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5326] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5326] close(3) = 0 [pid 5326] mkdir("./file0", 0777) = 0 [ 117.436342][ T5326] loop0: detected capacity change from 0 to 32768 [ 117.447729][ T5326] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 117.456494][ T5326] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 117.466611][ T5326] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 117.475589][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 117.482578][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5326] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5326] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5326] chdir("./file0") = 0 [pid 5326] ioctl(4, LOOP_CLR_FD) = 0 [pid 5326] close(4) = 0 [pid 5326] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5325] <... futex resumed>) = 0 [pid 5326] open("./file0", O_RDWR [pid 5325] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 117.517299][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 117.525572][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 117.530923][ T5326] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 117.544152][ T5326] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 117.553285][ T5326] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 117.553285][ T5326] inode = 12 2341 [pid 5325] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5325] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5325] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5325] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5325] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5325] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5328]}, 88) = 5328 [pid 5325] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5325] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5325] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5328 attached [pid 5328] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5328] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5328] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5328] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5328] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5325] <... futex resumed>) = 0 [pid 5325] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5325] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5328] <... futex resumed>) = 1 [pid 5328] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5328] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5325] <... futex resumed>) = 0 [pid 5328] <... futex resumed>) = 1 [ 117.553285][ T5326] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 117.572459][ T5326] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 117.582071][ T5326] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5326 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 117.592459][ T5326] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 117.601277][ T5326] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 117.608956][ T5326] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 117.618224][ T5326] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 117.624925][ T5326] gfs2: fsid=syz:syz.0: File system withdrawn [ 117.631126][ T5326] CPU: 1 PID: 5326 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 117.642079][ T5326] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 117.652243][ T5326] Call Trace: [ 117.655523][ T5326] [ 117.658443][ T5326] dump_stack_lvl+0x1e7/0x2d0 [ 117.663136][ T5326] ? nf_tcp_handle_invalid+0x650/0x650 [ 117.670016][ T5326] ? panic+0x770/0x770 [ 117.674114][ T5326] gfs2_withdraw+0xc94/0x11e0 [ 117.678819][ T5326] gfs2_dirent_scan+0x512/0x640 [ 117.683666][ T5326] ? gfs2_permission+0x268/0x3c0 [ 117.688680][ T5326] ? gfs2_dirent_search+0x8c0/0x8c0 [ 117.693891][ T5326] gfs2_dirent_search+0x30e/0x8c0 [ 117.698938][ T5326] ? gfs2_dirent_search+0x8c0/0x8c0 [ 117.704134][ T5326] ? generic_permission+0x1df/0x550 [ 117.709440][ T5326] ? gfs2_dir_search+0x2f0/0x2f0 [ 117.714600][ T5326] ? gfs2_permission+0x34a/0x3c0 [ 117.719667][ T5326] gfs2_dir_search+0xb2/0x2f0 [ 117.724343][ T5326] ? do_filldir_main+0x520/0x520 [ 117.729286][ T5326] ? inode_go_held+0xea/0x200 [ 117.733967][ T5326] ? gfs2_glock_wait+0x21a/0x2b0 [ 117.738929][ T5326] gfs2_lookupi+0x460/0x5d0 [ 117.743496][ T5326] ? gfs2_lookup_simple+0x180/0x180 [ 117.748692][ T5326] ? __gfs2_lookup+0xa4/0x270 [ 117.753627][ T5326] __gfs2_lookup+0xa4/0x270 [ 117.758122][ T5326] ? gfs2_atomic_open+0x230/0x230 [ 117.763144][ T5326] ? __d_lookup+0x675/0x730 [ 117.767647][ T5326] ? d_hash_and_lookup+0x1b0/0x1b0 [ 117.772761][ T5326] gfs2_atomic_open+0x9e/0x230 [ 117.777527][ T5326] path_openat+0x1044/0x3180 [ 117.782128][ T5326] ? gfs2_rename2+0x25a0/0x25a0 [ 117.786989][ T5326] ? do_filp_open+0x490/0x490 [ 117.791676][ T5326] do_filp_open+0x234/0x490 [ 117.796186][ T5326] ? vfs_tmpfile+0x4b0/0x4b0 [ 117.800783][ T5326] ? _raw_spin_unlock+0x28/0x40 [ 117.805632][ T5326] ? alloc_fd+0x59c/0x640 [ 117.809966][ T5326] do_sys_openat2+0x13e/0x1d0 [ 117.814654][ T5326] ? do_sys_open+0x230/0x230 [ 117.819277][ T5326] ? lockdep_hardirqs_on+0x98/0x140 [ 117.824578][ T5326] ? _raw_spin_unlock_irq+0x2e/0x50 [ 117.829773][ T5326] ? ptrace_notify+0x278/0x380 [ 117.834619][ T5326] __x64_sys_open+0x225/0x270 [ 117.839302][ T5326] ? do_sys_openat2+0x1d0/0x1d0 [ 117.844243][ T5326] ? syscall_enter_from_user_mode+0x32/0x230 [ 117.850220][ T5326] ? syscall_enter_from_user_mode+0x8c/0x230 [ 117.856195][ T5326] do_syscall_64+0x41/0xc0 [ 117.860611][ T5326] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 117.866499][ T5326] RIP: 0033:0x7f012f71fa59 [ 117.870909][ T5326] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 117.890508][ T5326] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 117.899024][ T5326] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 117.907097][ T5326] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5328] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5326] <... open resumed>) = -1 EIO (Input/output error) [pid 5326] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5325] exit_group(0 [pid 5328] <... futex resumed>) = ? [pid 5326] <... futex resumed>) = ? [pid 5325] <... exit_group resumed>) = ? [pid 5328] +++ exited with 0 +++ [pid 5326] +++ exited with 0 +++ [pid 5325] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5325, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=29 /* 0.29 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./72", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./72/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./72/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./72/binderfs") = 0 [ 117.915174][ T5326] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 117.923164][ T5326] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 117.931234][ T5326] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 117.939213][ T5326] umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./72/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./72/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./72") = 0 mkdir("./73", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5329 ./strace-static-x86_64: Process 5329 attached [pid 5329] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5329] chdir("./73") = 0 [pid 5329] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5329] setpgid(0, 0) = 0 [pid 5329] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5329] write(3, "1000", 4) = 4 [pid 5329] close(3) = 0 [pid 5329] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5329] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5329] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5329] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5329] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5329] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5329] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5329] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5330]}, 88) = 5330 [pid 5329] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5329] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5329] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5330 attached [pid 5330] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5330] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5330] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5330] memfd_create("syzkaller", 0) = 3 [pid 5330] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5330] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5330] munmap(0x7f01272bc000, 16777216) = 0 [pid 5330] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5330] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5330] close(3) = 0 [pid 5330] mkdir("./file0", 0777) = 0 [ 118.255904][ T5330] loop0: detected capacity change from 0 to 32768 [ 118.266277][ T5330] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 118.274563][ T5330] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 118.284938][ T5330] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 118.293501][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 118.300767][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5330] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5330] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5330] chdir("./file0") = 0 [pid 5330] ioctl(4, LOOP_CLR_FD) = 0 [pid 5330] close(4) = 0 [pid 5330] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5329] <... futex resumed>) = 0 [pid 5329] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5329] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5330] <... futex resumed>) = 1 [ 118.333711][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 118.343342][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 118.349036][ T5330] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 118.364948][ T5330] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 118.373706][ T5330] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5330] open("./file0", O_RDWR [pid 5329] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 118.373706][ T5330] inode = 12 2341 [ 118.373706][ T5330] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 118.392688][ T5330] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 118.401890][ T5330] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5330 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 118.412199][ T5330] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 118.420816][ T5330] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5329] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5329] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5329] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5329] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5329] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5332]}, 88) = 5332 [pid 5329] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5329] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5329] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5332 attached [pid 5332] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5332] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5332] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5332] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5332] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5329] <... futex resumed>) = 0 [pid 5329] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5329] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5332] <... futex resumed>) = 1 [pid 5332] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5332] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5329] <... futex resumed>) = 0 [pid 5332] <... futex resumed>) = 1 [ 118.428269][ T5330] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 118.437856][ T5330] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 118.445513][ T5330] gfs2: fsid=syz:syz.0: File system withdrawn [ 118.451959][ T5330] CPU: 0 PID: 5330 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 118.462393][ T5330] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 118.472438][ T5330] Call Trace: [ 118.475704][ T5330] [ 118.478622][ T5330] dump_stack_lvl+0x1e7/0x2d0 [ 118.483291][ T5330] ? nf_tcp_handle_invalid+0x650/0x650 [ 118.488821][ T5330] ? panic+0x770/0x770 [ 118.492894][ T5330] gfs2_withdraw+0xc94/0x11e0 [ 118.499484][ T5330] gfs2_dirent_scan+0x512/0x640 [ 118.504323][ T5330] ? gfs2_permission+0x268/0x3c0 [ 118.509260][ T5330] ? gfs2_dirent_search+0x8c0/0x8c0 [ 118.514463][ T5330] gfs2_dirent_search+0x30e/0x8c0 [ 118.519473][ T5330] ? gfs2_dirent_search+0x8c0/0x8c0 [ 118.524655][ T5330] ? generic_permission+0x1df/0x550 [ 118.529836][ T5330] ? gfs2_dir_search+0x2f0/0x2f0 [ 118.534763][ T5330] ? gfs2_permission+0x34a/0x3c0 [ 118.539699][ T5330] gfs2_dir_search+0xb2/0x2f0 [ 118.544372][ T5330] ? do_filldir_main+0x520/0x520 [ 118.550604][ T5330] ? inode_go_held+0xea/0x200 [ 118.555284][ T5330] ? gfs2_glock_wait+0x21a/0x2b0 [ 118.560398][ T5330] gfs2_lookupi+0x460/0x5d0 [ 118.564932][ T5330] ? gfs2_lookup_simple+0x180/0x180 [ 118.570137][ T5330] ? __gfs2_lookup+0xa4/0x270 [ 118.574829][ T5330] __gfs2_lookup+0xa4/0x270 [ 118.579338][ T5330] ? gfs2_atomic_open+0x230/0x230 [ 118.584375][ T5330] ? __d_lookup+0x675/0x730 [ 118.588964][ T5330] ? d_hash_and_lookup+0x1b0/0x1b0 [ 118.594072][ T5330] gfs2_atomic_open+0x9e/0x230 [ 118.598848][ T5330] path_openat+0x1044/0x3180 [ 118.603445][ T5330] ? gfs2_rename2+0x25a0/0x25a0 [ 118.608300][ T5330] ? do_filp_open+0x490/0x490 [ 118.612982][ T5330] do_filp_open+0x234/0x490 [ 118.617478][ T5330] ? vfs_tmpfile+0x4b0/0x4b0 [ 118.622073][ T5330] ? _raw_spin_unlock+0x28/0x40 [ 118.627007][ T5330] ? alloc_fd+0x59c/0x640 [ 118.631339][ T5330] do_sys_openat2+0x13e/0x1d0 [ 118.636129][ T5330] ? do_sys_open+0x230/0x230 [ 118.640712][ T5330] ? lockdep_hardirqs_on+0x98/0x140 [ 118.646083][ T5330] ? _raw_spin_unlock_irq+0x2e/0x50 [ 118.651363][ T5330] ? ptrace_notify+0x278/0x380 [ 118.656295][ T5330] __x64_sys_open+0x225/0x270 [ 118.660972][ T5330] ? do_sys_openat2+0x1d0/0x1d0 [ 118.665838][ T5330] ? syscall_enter_from_user_mode+0x32/0x230 [ 118.671821][ T5330] ? syscall_enter_from_user_mode+0x8c/0x230 [ 118.677795][ T5330] do_syscall_64+0x41/0xc0 [ 118.682229][ T5330] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 118.688139][ T5330] RIP: 0033:0x7f012f71fa59 [ 118.692558][ T5330] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 118.712348][ T5330] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 118.720949][ T5330] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5332] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5330] <... open resumed>) = -1 EIO (Input/output error) [pid 5330] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5330] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5329] exit_group(0 [pid 5332] <... futex resumed>) = ? [pid 5329] <... exit_group resumed>) = ? [pid 5332] +++ exited with 0 +++ [pid 5330] <... futex resumed>) = ? [pid 5330] +++ exited with 0 +++ [pid 5329] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5329, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./73", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./73", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./73/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./73/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./73/binderfs") = 0 [ 118.728916][ T5330] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 118.736881][ T5330] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 118.744845][ T5330] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 118.753154][ T5330] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 118.761150][ T5330] umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./73/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./73/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./73/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./73") = 0 mkdir("./74", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5333 ./strace-static-x86_64: Process 5333 attached [pid 5333] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5333] chdir("./74") = 0 [pid 5333] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5333] setpgid(0, 0) = 0 [pid 5333] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5333] write(3, "1000", 4) = 4 [pid 5333] close(3) = 0 [pid 5333] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5333] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5333] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5333] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5333] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5333] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5333] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5333] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5334]}, 88) = 5334 ./strace-static-x86_64: Process 5334 attached [pid 5334] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5333] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5333] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5333] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5334] <... rseq resumed>) = 0 [pid 5334] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5334] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5334] memfd_create("syzkaller", 0) = 3 [pid 5334] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5334] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5334] munmap(0x7f01272bc000, 16777216) = 0 [pid 5334] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5334] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5334] close(3) = 0 [pid 5334] mkdir("./file0", 0777) = 0 [ 119.072559][ T5334] loop0: detected capacity change from 0 to 32768 [ 119.083108][ T5334] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 119.091346][ T5334] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 119.101274][ T5334] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 119.109977][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 119.116746][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5334] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5334] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5334] chdir("./file0") = 0 [pid 5334] ioctl(4, LOOP_CLR_FD) = 0 [pid 5334] close(4) = 0 [pid 5334] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5333] <... futex resumed>) = 0 [pid 5333] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5333] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5334] <... futex resumed>) = 1 [ 119.151520][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 119.159932][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 119.165199][ T5334] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 119.180194][ T5334] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 119.188864][ T5334] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 119.188864][ T5334] inode = 12 2341 [pid 5334] open("./file0", O_RDWR [pid 5333] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5333] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5333] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5333] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5333] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5333] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5333] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5336]}, 88) = 5336 [pid 5333] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5333] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5333] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5336 attached [pid 5336] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5336] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5336] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5336] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5336] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5333] <... futex resumed>) = 0 [pid 5333] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5333] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5336] <... futex resumed>) = 1 [pid 5336] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5336] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5333] <... futex resumed>) = 0 [pid 5336] <... futex resumed>) = 1 [ 119.188864][ T5334] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 119.207999][ T5334] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 119.217543][ T5334] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5334 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 119.228099][ T5334] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 119.236857][ T5334] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 119.244209][ T5334] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 119.253048][ T5334] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 119.260221][ T5334] gfs2: fsid=syz:syz.0: File system withdrawn [ 119.266984][ T5334] CPU: 1 PID: 5334 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 119.277391][ T5334] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 119.287446][ T5334] Call Trace: [ 119.291008][ T5334] [ 119.293940][ T5334] dump_stack_lvl+0x1e7/0x2d0 [ 119.298670][ T5334] ? nf_tcp_handle_invalid+0x650/0x650 [ 119.304121][ T5334] ? panic+0x770/0x770 [ 119.308267][ T5334] gfs2_withdraw+0xc94/0x11e0 [ 119.312945][ T5334] gfs2_dirent_scan+0x512/0x640 [ 119.317785][ T5334] ? gfs2_permission+0x268/0x3c0 [ 119.322708][ T5334] ? gfs2_dirent_search+0x8c0/0x8c0 [ 119.327981][ T5334] gfs2_dirent_search+0x30e/0x8c0 [ 119.332997][ T5334] ? gfs2_dirent_search+0x8c0/0x8c0 [ 119.338183][ T5334] ? generic_permission+0x1df/0x550 [ 119.343412][ T5334] ? gfs2_dir_search+0x2f0/0x2f0 [ 119.348365][ T5334] ? gfs2_permission+0x34a/0x3c0 [ 119.353307][ T5334] gfs2_dir_search+0xb2/0x2f0 [ 119.357986][ T5334] ? do_filldir_main+0x520/0x520 [ 119.362917][ T5334] ? inode_go_held+0xea/0x200 [ 119.367615][ T5334] ? gfs2_glock_wait+0x21a/0x2b0 [ 119.372564][ T5334] gfs2_lookupi+0x460/0x5d0 [ 119.377086][ T5334] ? gfs2_lookup_simple+0x180/0x180 [ 119.382290][ T5334] ? __gfs2_lookup+0xa4/0x270 [ 119.386969][ T5334] __gfs2_lookup+0xa4/0x270 [ 119.391468][ T5334] ? gfs2_atomic_open+0x230/0x230 [ 119.396487][ T5334] ? __d_lookup+0x675/0x730 [ 119.400982][ T5334] ? d_hash_and_lookup+0x1b0/0x1b0 [ 119.406086][ T5334] gfs2_atomic_open+0x9e/0x230 [ 119.410856][ T5334] path_openat+0x1044/0x3180 [ 119.415444][ T5334] ? gfs2_rename2+0x25a0/0x25a0 [ 119.420296][ T5334] ? do_filp_open+0x490/0x490 [ 119.424977][ T5334] do_filp_open+0x234/0x490 [ 119.429473][ T5334] ? vfs_tmpfile+0x4b0/0x4b0 [ 119.434071][ T5334] ? _raw_spin_unlock+0x28/0x40 [ 119.438936][ T5334] ? alloc_fd+0x59c/0x640 [ 119.443280][ T5334] do_sys_openat2+0x13e/0x1d0 [ 119.447968][ T5334] ? do_sys_open+0x230/0x230 [ 119.452559][ T5334] ? lockdep_hardirqs_on+0x98/0x140 [ 119.457760][ T5334] ? _raw_spin_unlock_irq+0x2e/0x50 [ 119.462988][ T5334] ? ptrace_notify+0x278/0x380 [ 119.467763][ T5334] __x64_sys_open+0x225/0x270 [ 119.472452][ T5334] ? do_sys_openat2+0x1d0/0x1d0 [ 119.477304][ T5334] ? syscall_enter_from_user_mode+0x32/0x230 [ 119.483305][ T5334] ? syscall_enter_from_user_mode+0x8c/0x230 [ 119.489305][ T5334] do_syscall_64+0x41/0xc0 [ 119.493814][ T5334] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 119.499725][ T5334] RIP: 0033:0x7f012f71fa59 [ 119.504159][ T5334] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 119.523778][ T5334] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 119.532207][ T5334] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 119.540178][ T5334] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5336] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5334] <... open resumed>) = -1 EIO (Input/output error) [pid 5334] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5333] exit_group(0 [pid 5336] <... futex resumed>) = ? [pid 5333] <... exit_group resumed>) = ? [pid 5336] +++ exited with 0 +++ [pid 5334] <... futex resumed>) = ? [pid 5334] +++ exited with 0 +++ [pid 5333] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5333, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=27 /* 0.27 s */} --- umount2("./74", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./74", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./74/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./74/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./74/binderfs") = 0 [ 119.548143][ T5334] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 119.556107][ T5334] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 119.564076][ T5334] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 119.572058][ T5334] umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./74/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./74/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./74/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./74") = 0 mkdir("./75", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5337 ./strace-static-x86_64: Process 5337 attached [pid 5337] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5337] chdir("./75") = 0 [pid 5337] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5337] setpgid(0, 0) = 0 [pid 5337] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5337] write(3, "1000", 4) = 4 [pid 5337] close(3) = 0 [pid 5337] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5337] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5337] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5337] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5337] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5337] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5337] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5337] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5338]}, 88) = 5338 [pid 5337] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5337] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5337] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5338 attached [pid 5338] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5338] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5338] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5338] memfd_create("syzkaller", 0) = 3 [pid 5338] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5338] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5338] munmap(0x7f01272bc000, 16777216) = 0 [pid 5338] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5338] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5338] close(3) = 0 [pid 5338] mkdir("./file0", 0777) = 0 [ 119.880617][ T5338] loop0: detected capacity change from 0 to 32768 [ 119.891573][ T5338] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 119.900156][ T5338] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 119.909468][ T5338] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 119.917881][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 119.924730][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5338] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5338] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5338] chdir("./file0") = 0 [pid 5338] ioctl(4, LOOP_CLR_FD) = 0 [pid 5338] close(4) = 0 [pid 5338] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5337] <... futex resumed>) = 0 [pid 5337] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5337] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5338] <... futex resumed>) = 1 [ 119.964657][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 119.973577][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 119.978830][ T5338] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 119.993573][ T5338] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 120.002380][ T5338] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 120.002380][ T5338] inode = 12 2341 [pid 5338] open("./file0", O_RDWR [pid 5337] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5337] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 120.002380][ T5338] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 120.021311][ T5338] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 120.030675][ T5338] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5338 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 120.040903][ T5338] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 120.049482][ T5338] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5337] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5337] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5337] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5337] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5340]}, 88) = 5340 [pid 5337] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5337] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5337] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5340 attached [pid 5340] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5340] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5340] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5340] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5340] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5337] <... futex resumed>) = 0 [pid 5337] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5337] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5340] <... futex resumed>) = 1 [pid 5340] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5340] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5337] <... futex resumed>) = 0 [pid 5340] <... futex resumed>) = 1 [ 120.056689][ T5338] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 120.065852][ T5338] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 120.076587][ T5338] gfs2: fsid=syz:syz.0: File system withdrawn [ 120.083273][ T5338] CPU: 1 PID: 5338 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 120.093708][ T5338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 120.103790][ T5338] Call Trace: [ 120.107252][ T5338] [ 120.110173][ T5338] dump_stack_lvl+0x1e7/0x2d0 [ 120.114845][ T5338] ? nf_tcp_handle_invalid+0x650/0x650 [ 120.120296][ T5338] ? panic+0x770/0x770 [ 120.124384][ T5338] gfs2_withdraw+0xc94/0x11e0 [ 120.129098][ T5338] gfs2_dirent_scan+0x512/0x640 [ 120.133961][ T5338] ? gfs2_permission+0x268/0x3c0 [ 120.138901][ T5338] ? gfs2_dirent_search+0x8c0/0x8c0 [ 120.144113][ T5338] gfs2_dirent_search+0x30e/0x8c0 [ 120.149131][ T5338] ? gfs2_dirent_search+0x8c0/0x8c0 [ 120.154433][ T5338] ? generic_permission+0x1df/0x550 [ 120.159632][ T5338] ? gfs2_dir_search+0x2f0/0x2f0 [ 120.164579][ T5338] ? gfs2_permission+0x34a/0x3c0 [ 120.169526][ T5338] gfs2_dir_search+0xb2/0x2f0 [ 120.174214][ T5338] ? do_filldir_main+0x520/0x520 [ 120.179149][ T5338] ? inode_go_held+0xea/0x200 [ 120.183838][ T5338] ? gfs2_glock_wait+0x21a/0x2b0 [ 120.189196][ T5338] gfs2_lookupi+0x460/0x5d0 [ 120.193697][ T5338] ? gfs2_lookup_simple+0x180/0x180 [ 120.198892][ T5338] ? __gfs2_lookup+0xa4/0x270 [ 120.203565][ T5338] __gfs2_lookup+0xa4/0x270 [ 120.208069][ T5338] ? gfs2_atomic_open+0x230/0x230 [ 120.213090][ T5338] ? __d_lookup+0x675/0x730 [ 120.217585][ T5338] ? d_hash_and_lookup+0x1b0/0x1b0 [ 120.222691][ T5338] gfs2_atomic_open+0x9e/0x230 [ 120.227454][ T5338] path_openat+0x1044/0x3180 [ 120.232041][ T5338] ? gfs2_rename2+0x25a0/0x25a0 [ 120.236893][ T5338] ? do_filp_open+0x490/0x490 [ 120.241599][ T5338] do_filp_open+0x234/0x490 [ 120.246099][ T5338] ? vfs_tmpfile+0x4b0/0x4b0 [ 120.250694][ T5338] ? _raw_spin_unlock+0x28/0x40 [ 120.255542][ T5338] ? alloc_fd+0x59c/0x640 [ 120.259871][ T5338] do_sys_openat2+0x13e/0x1d0 [ 120.264545][ T5338] ? do_sys_open+0x230/0x230 [ 120.269128][ T5338] ? lockdep_hardirqs_on+0x98/0x140 [ 120.274318][ T5338] ? _raw_spin_unlock_irq+0x2e/0x50 [ 120.279509][ T5338] ? ptrace_notify+0x278/0x380 [ 120.284265][ T5338] __x64_sys_open+0x225/0x270 [ 120.288940][ T5338] ? do_sys_openat2+0x1d0/0x1d0 [ 120.293902][ T5338] ? syscall_enter_from_user_mode+0x32/0x230 [ 120.299882][ T5338] ? syscall_enter_from_user_mode+0x8c/0x230 [ 120.305869][ T5338] do_syscall_64+0x41/0xc0 [ 120.310292][ T5338] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 120.316202][ T5338] RIP: 0033:0x7f012f71fa59 [ 120.320618][ T5338] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 120.340420][ T5338] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 120.348858][ T5338] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 120.356944][ T5338] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5340] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5338] <... open resumed>) = -1 EIO (Input/output error) [pid 5338] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5338] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5337] exit_group(0 [pid 5340] <... futex resumed>) = ? [pid 5338] <... futex resumed>) = ? [pid 5337] <... exit_group resumed>) = ? [pid 5340] +++ exited with 0 +++ [pid 5338] +++ exited with 0 +++ [pid 5337] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5337, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=26 /* 0.26 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./75", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./75/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./75/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./75/binderfs") = 0 [ 120.364919][ T5338] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 120.372890][ T5338] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 120.380871][ T5338] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 120.388874][ T5338] umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./75/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./75/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./75") = 0 mkdir("./76", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5341 ./strace-static-x86_64: Process 5341 attached [pid 5341] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5341] chdir("./76") = 0 [pid 5341] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5341] setpgid(0, 0) = 0 [pid 5341] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5341] write(3, "1000", 4) = 4 [pid 5341] close(3) = 0 [pid 5341] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5341] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5341] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5341] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5341] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5341] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5341] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5341] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5342]}, 88) = 5342 [pid 5341] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5341] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5341] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5342 attached [pid 5342] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5342] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5342] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5342] memfd_create("syzkaller", 0) = 3 [pid 5342] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5342] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5342] munmap(0x7f01272bc000, 16777216) = 0 [pid 5342] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5342] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5342] close(3) = 0 [pid 5342] mkdir("./file0", 0777) = 0 [ 120.699672][ T5342] loop0: detected capacity change from 0 to 32768 [ 120.710663][ T5342] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 120.718900][ T5342] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 120.728166][ T5342] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 120.736665][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 120.743790][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5342] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5342] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5342] chdir("./file0") = 0 [pid 5342] ioctl(4, LOOP_CLR_FD) = 0 [pid 5342] close(4) = 0 [pid 5342] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5341] <... futex resumed>) = 0 [pid 5341] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5341] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5342] <... futex resumed>) = 1 [ 120.776942][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 120.785870][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 120.791251][ T5342] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 120.804980][ T5342] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 120.813933][ T5342] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 120.813933][ T5342] inode = 12 2341 [pid 5342] open("./file0", O_RDWR [pid 5341] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5341] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5341] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5341] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5341] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5341] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5344]}, 88) = 5344 [pid 5341] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5341] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5341] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5344 attached [pid 5344] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5344] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5344] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 120.813933][ T5342] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 120.833390][ T5342] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 120.842546][ T5342] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5342 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 120.852647][ T5342] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 120.858788][ T5344] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 120.861517][ T5342] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5344] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5341] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5341] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5341] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5341] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5341] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5341] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5345]}, 88) = 5345 [pid 5341] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5341] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5341] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5345 attached [pid 5345] rseq(0x7f012829afe0, 0x20, 0, 0x53053053) = 0 [pid 5345] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5345] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5345] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5345] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5341] <... futex resumed>) = 0 [pid 5345] <... futex resumed>) = 1 [ 120.870224][ T5344] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 120.876890][ T5342] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 120.876904][ T5342] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 120.878854][ T5342] gfs2: fsid=syz:syz.0: File system withdrawn [ 120.886792][ T5344] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5342 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 120.886836][ T5344] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5344 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 120.895669][ T5342] CPU: 1 PID: 5342 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 120.903426][ T5344] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 120.908117][ T5342] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 120.908131][ T5342] Call Trace: [ 120.908138][ T5342] [ 120.908146][ T5342] dump_stack_lvl+0x1e7/0x2d0 [ 120.908172][ T5342] ? nf_tcp_handle_invalid+0x650/0x650 [ 120.973416][ T5342] ? panic+0x770/0x770 [ 120.977501][ T5342] gfs2_withdraw+0xc94/0x11e0 [ 120.982215][ T5342] gfs2_dirent_scan+0x512/0x640 [ 120.987096][ T5342] ? gfs2_permission+0x268/0x3c0 [ 120.992147][ T5342] ? gfs2_dirent_search+0x8c0/0x8c0 [ 120.997445][ T5342] gfs2_dirent_search+0x30e/0x8c0 [ 121.002471][ T5342] ? gfs2_dirent_search+0x8c0/0x8c0 [ 121.008881][ T5342] ? generic_permission+0x1df/0x550 [ 121.014182][ T5342] ? gfs2_dir_search+0x2f0/0x2f0 [ 121.019132][ T5342] ? gfs2_permission+0x34a/0x3c0 [ 121.024091][ T5342] gfs2_dir_search+0xb2/0x2f0 [ 121.028774][ T5342] ? do_filldir_main+0x520/0x520 [ 121.033726][ T5342] ? inode_go_held+0xea/0x200 [ 121.038414][ T5342] ? gfs2_glock_wait+0x21a/0x2b0 [ 121.043536][ T5342] gfs2_lookupi+0x460/0x5d0 [ 121.048044][ T5342] ? gfs2_lookup_simple+0x180/0x180 [ 121.053843][ T5342] ? __gfs2_lookup+0xa4/0x270 [ 121.058512][ T5342] ? preempt_schedule_thunk+0x1a/0x30 [ 121.063894][ T5342] ? d_alloc_parallel+0x12b3/0x13a0 [ 121.069087][ T5342] __gfs2_lookup+0xa4/0x270 [ 121.073585][ T5342] ? gfs2_atomic_open+0x230/0x230 [ 121.078606][ T5342] ? __d_lookup+0x675/0x730 [ 121.083098][ T5342] ? d_hash_and_lookup+0x1b0/0x1b0 [ 121.088204][ T5342] gfs2_atomic_open+0x9e/0x230 [ 121.093052][ T5342] path_openat+0x1044/0x3180 [ 121.097645][ T5342] ? gfs2_rename2+0x25a0/0x25a0 [ 121.102501][ T5342] ? do_filp_open+0x490/0x490 [ 121.107182][ T5342] do_filp_open+0x234/0x490 [ 121.111689][ T5342] ? vfs_tmpfile+0x4b0/0x4b0 [ 121.116296][ T5342] ? _raw_spin_unlock+0x28/0x40 [ 121.121140][ T5342] ? alloc_fd+0x59c/0x640 [ 121.125470][ T5342] do_sys_openat2+0x13e/0x1d0 [ 121.130145][ T5342] ? do_sys_open+0x230/0x230 [ 121.134731][ T5342] ? lockdep_hardirqs_on+0x98/0x140 [ 121.140012][ T5342] ? _raw_spin_unlock_irq+0x2e/0x50 [ 121.145216][ T5342] ? ptrace_notify+0x278/0x380 [ 121.149975][ T5342] __x64_sys_open+0x225/0x270 [ 121.154737][ T5342] ? do_sys_openat2+0x1d0/0x1d0 [ 121.159582][ T5342] ? syscall_enter_from_user_mode+0x32/0x230 [ 121.165649][ T5342] ? syscall_enter_from_user_mode+0x8c/0x230 [ 121.171630][ T5342] do_syscall_64+0x41/0xc0 [ 121.176044][ T5342] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 121.181933][ T5342] RIP: 0033:0x7f012f71fa59 [ 121.186350][ T5342] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 121.205957][ T5342] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 121.214378][ T5342] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5345] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5344] <... openat resumed>) = -1 EIO (Input/output error) [pid 5342] <... open resumed>) = -1 EIO (Input/output error) [pid 5342] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5342] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5344] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5344] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5341] exit_group(0 [pid 5342] <... futex resumed>) = ? [pid 5341] <... exit_group resumed>) = ? [pid 5345] <... futex resumed>) = ? [pid 5344] <... futex resumed>) = ? [pid 5342] +++ exited with 0 +++ [pid 5345] +++ exited with 0 +++ [pid 5344] +++ exited with 0 +++ [pid 5341] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5341, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=36 /* 0.36 s */} --- umount2("./76", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./76", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./76/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./76/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./76/binderfs") = 0 [ 121.222442][ T5342] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 121.230422][ T5342] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 121.238402][ T5342] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 121.246365][ T5342] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 121.254342][ T5342] umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./76/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./76/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./76/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./76") = 0 mkdir("./77", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5346 ./strace-static-x86_64: Process 5346 attached [pid 5346] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5346] chdir("./77") = 0 [pid 5346] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5346] setpgid(0, 0) = 0 [pid 5346] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5346] write(3, "1000", 4) = 4 [pid 5346] close(3) = 0 [pid 5346] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5346] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5346] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5346] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5346] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5346] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5346] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5346] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5347 attached => {parent_tid=[5347]}, 88) = 5347 [pid 5347] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5347] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5347] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5347] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5346] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5346] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5346] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5347] <... futex resumed>) = 0 [pid 5347] memfd_create("syzkaller", 0) = 3 [pid 5347] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5347] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5347] munmap(0x7f01272bc000, 16777216) = 0 [pid 5347] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5347] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5347] close(3) = 0 [pid 5347] mkdir("./file0", 0777) = 0 [ 121.561894][ T5347] loop0: detected capacity change from 0 to 32768 [ 121.572914][ T5347] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 121.581535][ T5347] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 121.590879][ T5347] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 121.600114][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 121.607128][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5347] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5347] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5347] chdir("./file0") = 0 [pid 5347] ioctl(4, LOOP_CLR_FD) = 0 [pid 5347] close(4) = 0 [pid 5347] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5346] <... futex resumed>) = 0 [pid 5346] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5347] <... futex resumed>) = 1 [pid 5346] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 121.642595][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 121.650238][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 121.655470][ T5347] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 121.669942][ T5347] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 121.678466][ T5347] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 121.678466][ T5347] inode = 12 2341 [pid 5347] open("./file0", O_RDWR [pid 5346] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5346] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5346] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5346] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5346] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5346] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5349]}, 88) = 5349 [pid 5346] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5346] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5346] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5349 attached [pid 5349] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5349] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5349] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5349] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5349] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5346] <... futex resumed>) = 0 [pid 5346] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5346] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5349] <... futex resumed>) = 1 [pid 5349] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5349] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5346] <... futex resumed>) = 0 [ 121.678466][ T5347] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 121.697490][ T5347] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 121.706938][ T5347] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5347 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 121.717143][ T5347] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 121.725872][ T5347] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 121.733410][ T5347] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5349] <... futex resumed>) = 1 [ 121.745934][ T5347] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 121.752964][ T5347] gfs2: fsid=syz:syz.0: File system withdrawn [ 121.759460][ T5347] CPU: 1 PID: 5347 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 121.769902][ T5347] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 121.780223][ T5347] Call Trace: [ 121.783509][ T5347] [ 121.786455][ T5347] dump_stack_lvl+0x1e7/0x2d0 [ 121.791198][ T5347] ? nf_tcp_handle_invalid+0x650/0x650 [ 121.796672][ T5347] ? panic+0x770/0x770 [ 121.800798][ T5347] gfs2_withdraw+0xc94/0x11e0 [ 121.805497][ T5347] gfs2_dirent_scan+0x512/0x640 [ 121.810345][ T5347] ? gfs2_permission+0x268/0x3c0 [ 121.815281][ T5347] ? gfs2_dirent_search+0x8c0/0x8c0 [ 121.820499][ T5347] gfs2_dirent_search+0x30e/0x8c0 [ 121.825546][ T5347] ? gfs2_dirent_search+0x8c0/0x8c0 [ 121.830749][ T5347] ? generic_permission+0x1df/0x550 [ 121.835953][ T5347] ? gfs2_dir_search+0x2f0/0x2f0 [ 121.840895][ T5347] ? gfs2_permission+0x34a/0x3c0 [pid 5349] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5346] exit_group(0) = ? [pid 5349] <... futex resumed>) = ? [pid 5349] +++ exited with 0 +++ [ 121.845844][ T5347] gfs2_dir_search+0xb2/0x2f0 [ 121.850521][ T5347] ? do_filldir_main+0x520/0x520 [ 121.855494][ T5347] ? inode_go_held+0xea/0x200 [ 121.860166][ T5347] ? gfs2_glock_wait+0x21a/0x2b0 [ 121.865102][ T5347] gfs2_lookupi+0x460/0x5d0 [ 121.869604][ T5347] ? gfs2_lookup_simple+0x180/0x180 [ 121.874810][ T5347] ? __gfs2_lookup+0xa4/0x270 [ 121.879506][ T5347] __gfs2_lookup+0xa4/0x270 [ 121.884022][ T5347] ? gfs2_atomic_open+0x230/0x230 [ 121.889069][ T5347] ? __d_lookup+0x675/0x730 [ 121.893676][ T5347] ? d_hash_and_lookup+0x1b0/0x1b0 [ 121.898803][ T5347] gfs2_atomic_open+0x9e/0x230 [ 121.903671][ T5347] path_openat+0x1044/0x3180 [ 121.908285][ T5347] ? gfs2_rename2+0x25a0/0x25a0 [ 121.913168][ T5347] ? do_filp_open+0x490/0x490 [ 121.917876][ T5347] do_filp_open+0x234/0x490 [ 121.922396][ T5347] ? vfs_tmpfile+0x4b0/0x4b0 [ 121.926991][ T5347] ? _raw_spin_unlock+0x28/0x40 [ 121.931837][ T5347] ? alloc_fd+0x59c/0x640 [ 121.936163][ T5347] do_sys_openat2+0x13e/0x1d0 [ 121.940842][ T5347] ? do_sys_open+0x230/0x230 [ 121.945443][ T5347] ? lockdep_hardirqs_on+0x98/0x140 [ 121.950652][ T5347] ? _raw_spin_unlock_irq+0x2e/0x50 [ 121.955873][ T5347] ? ptrace_notify+0x278/0x380 [ 121.960650][ T5347] __x64_sys_open+0x225/0x270 [ 121.965324][ T5347] ? do_sys_openat2+0x1d0/0x1d0 [ 121.970191][ T5347] ? syscall_enter_from_user_mode+0x32/0x230 [ 121.976168][ T5347] ? syscall_enter_from_user_mode+0x8c/0x230 [ 121.982145][ T5347] do_syscall_64+0x41/0xc0 [ 121.986556][ T5347] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 121.992448][ T5347] RIP: 0033:0x7f012f71fa59 [ 121.996874][ T5347] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 122.016494][ T5347] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 122.024907][ T5347] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 122.032872][ T5347] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5347] <... open resumed>) = ? [pid 5347] +++ exited with 0 +++ [pid 5346] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5346, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=29 /* 0.29 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./77", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./77", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./77/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./77/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./77/binderfs") = 0 [ 122.040843][ T5347] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 122.048809][ T5347] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 122.056787][ T5347] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 122.064784][ T5347] umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./77/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./77/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./77/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./77") = 0 mkdir("./78", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5350 ./strace-static-x86_64: Process 5350 attached [pid 5350] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5350] chdir("./78") = 0 [pid 5350] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5350] setpgid(0, 0) = 0 [pid 5350] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5350] write(3, "1000", 4) = 4 [pid 5350] close(3) = 0 [pid 5350] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5350] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5350] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5350] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5350] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5350] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5350] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5350] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5351]}, 88) = 5351 ./strace-static-x86_64: Process 5351 attached [pid 5350] rt_sigprocmask(SIG_SETMASK, [], [pid 5351] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5350] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5350] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5350] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5351] <... rseq resumed>) = 0 [pid 5351] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5351] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5351] memfd_create("syzkaller", 0) = 3 [pid 5351] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5351] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5351] munmap(0x7f01272bc000, 16777216) = 0 [pid 5351] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5351] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5351] close(3) = 0 [pid 5351] mkdir("./file0", 0777) = 0 [ 122.362979][ T5351] loop0: detected capacity change from 0 to 32768 [ 122.374014][ T5351] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 122.382301][ T5351] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 122.391530][ T5351] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 122.400352][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 122.407370][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5351] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5351] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5351] chdir("./file0") = 0 [pid 5351] ioctl(4, LOOP_CLR_FD) = 0 [pid 5351] close(4) = 0 [pid 5351] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5350] <... futex resumed>) = 0 [pid 5350] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5350] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5351] <... futex resumed>) = 1 [ 122.447974][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 122.456885][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 122.462372][ T5351] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 122.482766][ T5351] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5351] open("./file0", O_RDWR [pid 5350] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5350] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5350] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5350] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5350] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5350] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5353]}, 88) = 5353 [pid 5350] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5350] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5350] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5353 attached [pid 5353] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5353] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5353] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5353] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5353] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5350] <... futex resumed>) = 0 [pid 5350] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5350] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5353] <... futex resumed>) = 1 [pid 5353] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5353] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5350] <... futex resumed>) = 0 [pid 5353] <... futex resumed>) = 1 [ 122.491633][ T5351] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 122.491633][ T5351] inode = 12 2341 [ 122.491633][ T5351] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 122.510695][ T5351] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 122.520475][ T5351] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5351 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 122.530753][ T5351] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 122.539213][ T5351] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 122.546714][ T5351] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 122.555654][ T5351] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 122.562798][ T5351] gfs2: fsid=syz:syz.0: File system withdrawn [ 122.569331][ T5351] CPU: 1 PID: 5351 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 122.579774][ T5351] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 122.589822][ T5351] Call Trace: [ 122.593087][ T5351] [ 122.596009][ T5351] dump_stack_lvl+0x1e7/0x2d0 [ 122.600679][ T5351] ? nf_tcp_handle_invalid+0x650/0x650 [ 122.606129][ T5351] ? panic+0x770/0x770 [ 122.610202][ T5351] gfs2_withdraw+0xc94/0x11e0 [ 122.614871][ T5351] gfs2_dirent_scan+0x512/0x640 [ 122.619713][ T5351] ? gfs2_permission+0x268/0x3c0 [ 122.624637][ T5351] ? gfs2_dirent_search+0x8c0/0x8c0 [ 122.629824][ T5351] gfs2_dirent_search+0x30e/0x8c0 [ 122.634834][ T5351] ? gfs2_dirent_search+0x8c0/0x8c0 [ 122.640020][ T5351] ? generic_permission+0x1df/0x550 [ 122.645207][ T5351] ? gfs2_dir_search+0x2f0/0x2f0 [ 122.650134][ T5351] ? gfs2_permission+0x34a/0x3c0 [ 122.655236][ T5351] gfs2_dir_search+0xb2/0x2f0 [ 122.659906][ T5351] ? do_filldir_main+0x520/0x520 [ 122.664835][ T5351] ? inode_go_held+0xea/0x200 [ 122.669506][ T5351] ? gfs2_glock_wait+0x21a/0x2b0 [ 122.674441][ T5351] gfs2_lookupi+0x460/0x5d0 [ 122.678946][ T5351] ? gfs2_lookup_simple+0x180/0x180 [ 122.684138][ T5351] ? __gfs2_lookup+0xa4/0x270 [ 122.688816][ T5351] __gfs2_lookup+0xa4/0x270 [ 122.693318][ T5351] ? gfs2_atomic_open+0x230/0x230 [ 122.698430][ T5351] ? __d_lookup+0x675/0x730 [ 122.702929][ T5351] ? d_hash_and_lookup+0x1b0/0x1b0 [ 122.708035][ T5351] gfs2_atomic_open+0x9e/0x230 [ 122.712799][ T5351] path_openat+0x1044/0x3180 [ 122.717388][ T5351] ? gfs2_rename2+0x25a0/0x25a0 [ 122.722247][ T5351] ? do_filp_open+0x490/0x490 [ 122.726932][ T5351] do_filp_open+0x234/0x490 [ 122.731433][ T5351] ? vfs_tmpfile+0x4b0/0x4b0 [ 122.736029][ T5351] ? _raw_spin_unlock+0x28/0x40 [ 122.740877][ T5351] ? alloc_fd+0x59c/0x640 [ 122.745212][ T5351] do_sys_openat2+0x13e/0x1d0 [ 122.749976][ T5351] ? do_sys_open+0x230/0x230 [ 122.754569][ T5351] ? lockdep_hardirqs_on+0x98/0x140 [ 122.759767][ T5351] ? _raw_spin_unlock_irq+0x2e/0x50 [ 122.764963][ T5351] ? ptrace_notify+0x278/0x380 [ 122.769724][ T5351] __x64_sys_open+0x225/0x270 [ 122.774401][ T5351] ? do_sys_openat2+0x1d0/0x1d0 [ 122.779253][ T5351] ? syscall_enter_from_user_mode+0x32/0x230 [ 122.785233][ T5351] ? syscall_enter_from_user_mode+0x8c/0x230 [ 122.791217][ T5351] do_syscall_64+0x41/0xc0 [ 122.795635][ T5351] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 122.801615][ T5351] RIP: 0033:0x7f012f71fa59 [ 122.806026][ T5351] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 122.825652][ T5351] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 122.834062][ T5351] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 122.842049][ T5351] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5353] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5351] <... open resumed>) = -1 EIO (Input/output error) [pid 5351] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5350] exit_group(0 [pid 5353] <... futex resumed>) = ? [pid 5350] <... exit_group resumed>) = ? [pid 5353] +++ exited with 0 +++ [pid 5351] <... futex resumed>) = ? [pid 5351] +++ exited with 0 +++ [pid 5350] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5350, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=27 /* 0.27 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./78", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./78", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./78/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./78/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./78/binderfs") = 0 [ 122.850012][ T5351] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 122.857999][ T5351] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 122.866010][ T5351] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 122.874001][ T5351] umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./78/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./78/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./78/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./78") = 0 mkdir("./79", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5354 ./strace-static-x86_64: Process 5354 attached [pid 5354] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5354] chdir("./79") = 0 [pid 5354] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5354] setpgid(0, 0) = 0 [pid 5354] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5354] write(3, "1000", 4) = 4 [pid 5354] close(3) = 0 [pid 5354] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5354] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5354] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5354] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5354] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5354] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5354] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5354] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5355 attached => {parent_tid=[5355]}, 88) = 5355 [pid 5354] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5354] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5354] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5355] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5355] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5355] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5355] memfd_create("syzkaller", 0) = 3 [pid 5355] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5355] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5355] munmap(0x7f01272bc000, 16777216) = 0 [pid 5355] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5355] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5355] close(3) = 0 [pid 5355] mkdir("./file0", 0777) = 0 [ 123.178634][ T5355] loop0: detected capacity change from 0 to 32768 [ 123.189747][ T5355] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 123.197943][ T5355] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 123.207466][ T5355] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 123.216258][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 123.223376][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5355] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5355] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5355] chdir("./file0") = 0 [pid 5355] ioctl(4, LOOP_CLR_FD) = 0 [pid 5355] close(4) = 0 [pid 5355] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5354] <... futex resumed>) = 0 [pid 5354] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5354] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5355] <... futex resumed>) = 1 [ 123.260114][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 123.269121][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 123.274585][ T5355] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 123.292920][ T5355] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 123.302200][ T5355] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5355] open("./file0", O_RDWR [pid 5354] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5354] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5354] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5354] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5354] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5354] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5357]}, 88) = 5357 [pid 5354] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5354] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5354] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5357 attached [pid 5357] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5357] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5357] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5357] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5357] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5354] <... futex resumed>) = 0 [pid 5354] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5354] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5357] <... futex resumed>) = 1 [pid 5357] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5357] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5354] <... futex resumed>) = 0 [pid 5357] <... futex resumed>) = 1 [ 123.302200][ T5355] inode = 12 2341 [ 123.302200][ T5355] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 123.321439][ T5355] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 123.330993][ T5355] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5355 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 123.341359][ T5355] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 123.349886][ T5355] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 123.357111][ T5355] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 123.366298][ T5355] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 123.373004][ T5355] gfs2: fsid=syz:syz.0: File system withdrawn [ 123.379356][ T5355] CPU: 0 PID: 5355 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 123.389789][ T5355] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 123.399840][ T5355] Call Trace: [ 123.403117][ T5355] [ 123.406044][ T5355] dump_stack_lvl+0x1e7/0x2d0 [ 123.410731][ T5355] ? nf_tcp_handle_invalid+0x650/0x650 [ 123.416210][ T5355] ? panic+0x770/0x770 [ 123.420314][ T5355] gfs2_withdraw+0xc94/0x11e0 [ 123.425016][ T5355] gfs2_dirent_scan+0x512/0x640 [ 123.429870][ T5355] ? gfs2_permission+0x268/0x3c0 [ 123.434804][ T5355] ? gfs2_dirent_search+0x8c0/0x8c0 [ 123.440015][ T5355] gfs2_dirent_search+0x30e/0x8c0 [ 123.445059][ T5355] ? gfs2_dirent_search+0x8c0/0x8c0 [ 123.450252][ T5355] ? generic_permission+0x1df/0x550 [ 123.455446][ T5355] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5357] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5354] exit_group(0 [pid 5357] <... futex resumed>) = ? [pid 5354] <... exit_group resumed>) = ? [pid 5357] +++ exited with 0 +++ [ 123.460378][ T5355] ? gfs2_permission+0x34a/0x3c0 [ 123.465313][ T5355] gfs2_dir_search+0xb2/0x2f0 [ 123.469985][ T5355] ? do_filldir_main+0x520/0x520 [ 123.474915][ T5355] ? inode_go_held+0xea/0x200 [ 123.479587][ T5355] ? gfs2_glock_wait+0x21a/0x2b0 [ 123.484528][ T5355] gfs2_lookupi+0x460/0x5d0 [ 123.489055][ T5355] ? gfs2_lookup_simple+0x180/0x180 [ 123.494275][ T5355] ? __gfs2_lookup+0xa4/0x270 [ 123.498964][ T5355] __gfs2_lookup+0xa4/0x270 [ 123.503486][ T5355] ? gfs2_atomic_open+0x230/0x230 [ 123.508529][ T5355] ? __d_lookup+0x675/0x730 [ 123.513036][ T5355] ? d_hash_and_lookup+0x1b0/0x1b0 [ 123.518181][ T5355] gfs2_atomic_open+0x9e/0x230 [ 123.522951][ T5355] path_openat+0x1044/0x3180 [ 123.527550][ T5355] ? gfs2_rename2+0x25a0/0x25a0 [ 123.532426][ T5355] ? do_filp_open+0x490/0x490 [ 123.537123][ T5355] do_filp_open+0x234/0x490 [ 123.541642][ T5355] ? vfs_tmpfile+0x4b0/0x4b0 [ 123.546240][ T5355] ? _raw_spin_unlock+0x28/0x40 [ 123.551095][ T5355] ? alloc_fd+0x59c/0x640 [ 123.555441][ T5355] do_sys_openat2+0x13e/0x1d0 [ 123.560143][ T5355] ? do_sys_open+0x230/0x230 [ 123.564739][ T5355] ? lockdep_hardirqs_on+0x98/0x140 [ 123.569940][ T5355] ? _raw_spin_unlock_irq+0x2e/0x50 [ 123.575145][ T5355] ? ptrace_notify+0x278/0x380 [ 123.579911][ T5355] __x64_sys_open+0x225/0x270 [ 123.584633][ T5355] ? do_sys_openat2+0x1d0/0x1d0 [ 123.589503][ T5355] ? syscall_enter_from_user_mode+0x32/0x230 [ 123.595494][ T5355] ? syscall_enter_from_user_mode+0x8c/0x230 [ 123.601489][ T5355] do_syscall_64+0x41/0xc0 [ 123.605902][ T5355] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 123.611809][ T5355] RIP: 0033:0x7f012f71fa59 [ 123.616250][ T5355] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 123.635862][ T5355] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 123.644290][ T5355] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 123.652257][ T5355] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5355] <... open resumed>) = ? [pid 5355] +++ exited with 0 +++ [pid 5354] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5354, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=29 /* 0.29 s */} --- umount2("./79", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./79", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./79/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./79/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./79/binderfs") = 0 [ 123.660310][ T5355] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 123.668276][ T5355] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 123.676261][ T5355] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 123.684258][ T5355] umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./79/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./79/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./79/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./79") = 0 mkdir("./80", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5358 ./strace-static-x86_64: Process 5358 attached [pid 5358] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5358] chdir("./80") = 0 [pid 5358] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5358] setpgid(0, 0) = 0 [pid 5358] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5358] write(3, "1000", 4) = 4 [pid 5358] close(3) = 0 [pid 5358] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5358] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5358] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5358] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5358] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5358] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5358] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5358] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5359]}, 88) = 5359 [pid 5358] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5358] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5358] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5359 attached [pid 5359] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5359] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5359] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5359] memfd_create("syzkaller", 0) = 3 [pid 5359] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5359] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5359] munmap(0x7f01272bc000, 16777216) = 0 [pid 5359] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5359] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5359] close(3) = 0 [pid 5359] mkdir("./file0", 0777) = 0 [ 123.985921][ T5359] loop0: detected capacity change from 0 to 32768 [ 123.997241][ T5359] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 124.005478][ T5359] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 124.014573][ T5359] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 124.023301][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 124.030323][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5359] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5359] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5359] chdir("./file0") = 0 [pid 5359] ioctl(4, LOOP_CLR_FD) = 0 [pid 5359] close(4) = 0 [pid 5359] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5358] <... futex resumed>) = 0 [pid 5358] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5358] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5359] <... futex resumed>) = 1 [ 124.066279][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 124.073866][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 124.079118][ T5359] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 124.093008][ T5359] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 124.101642][ T5359] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 124.101642][ T5359] inode = 12 2341 [pid 5359] open("./file0", O_RDWR [pid 5358] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5358] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5358] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5358] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5358] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5358] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5361]}, 88) = 5361 [pid 5358] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5358] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5358] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5361 attached [pid 5361] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5361] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5361] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5361] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5361] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5358] <... futex resumed>) = 0 [pid 5358] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5358] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5361] <... futex resumed>) = 1 [pid 5361] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5361] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5358] <... futex resumed>) = 0 [pid 5361] <... futex resumed>) = 1 [ 124.101642][ T5359] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 124.120911][ T5359] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 124.130515][ T5359] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5359 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 124.140886][ T5359] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 124.151062][ T5359] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 124.158303][ T5359] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 124.167209][ T5359] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 124.174013][ T5359] gfs2: fsid=syz:syz.0: File system withdrawn [ 124.180357][ T5359] CPU: 0 PID: 5359 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 124.190891][ T5359] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 124.200971][ T5359] Call Trace: [ 124.204271][ T5359] [ 124.207198][ T5359] dump_stack_lvl+0x1e7/0x2d0 [ 124.211894][ T5359] ? nf_tcp_handle_invalid+0x650/0x650 [ 124.217380][ T5359] ? panic+0x770/0x770 [ 124.221498][ T5359] gfs2_withdraw+0xc94/0x11e0 [ 124.226214][ T5359] gfs2_dirent_scan+0x512/0x640 [ 124.231070][ T5359] ? gfs2_permission+0x268/0x3c0 [ 124.236149][ T5359] ? gfs2_dirent_search+0x8c0/0x8c0 [ 124.241350][ T5359] gfs2_dirent_search+0x30e/0x8c0 [ 124.246370][ T5359] ? gfs2_dirent_search+0x8c0/0x8c0 [ 124.251585][ T5359] ? generic_permission+0x1df/0x550 [ 124.256776][ T5359] ? gfs2_dir_search+0x2f0/0x2f0 [ 124.261709][ T5359] ? gfs2_permission+0x34a/0x3c0 [pid 5361] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5358] exit_group(0) = ? [pid 5361] <... futex resumed>) = ? [pid 5361] +++ exited with 0 +++ [ 124.266641][ T5359] gfs2_dir_search+0xb2/0x2f0 [ 124.271323][ T5359] ? do_filldir_main+0x520/0x520 [ 124.276284][ T5359] ? inode_go_held+0xea/0x200 [ 124.281155][ T5359] ? gfs2_glock_wait+0x21a/0x2b0 [ 124.286102][ T5359] gfs2_lookupi+0x460/0x5d0 [ 124.290603][ T5359] ? gfs2_lookup_simple+0x180/0x180 [ 124.295802][ T5359] ? __gfs2_lookup+0xa4/0x270 [ 124.300476][ T5359] __gfs2_lookup+0xa4/0x270 [ 124.304979][ T5359] ? gfs2_atomic_open+0x230/0x230 [ 124.310005][ T5359] ? __d_lookup+0x675/0x730 [ 124.315200][ T5359] ? d_hash_and_lookup+0x1b0/0x1b0 [ 124.320319][ T5359] gfs2_atomic_open+0x9e/0x230 [ 124.325109][ T5359] path_openat+0x1044/0x3180 [ 124.329790][ T5359] ? gfs2_rename2+0x25a0/0x25a0 [ 124.334670][ T5359] ? do_filp_open+0x490/0x490 [ 124.339384][ T5359] do_filp_open+0x234/0x490 [ 124.343893][ T5359] ? vfs_tmpfile+0x4b0/0x4b0 [ 124.348508][ T5359] ? _raw_spin_unlock+0x28/0x40 [ 124.353452][ T5359] ? alloc_fd+0x59c/0x640 [ 124.357837][ T5359] do_sys_openat2+0x13e/0x1d0 [ 124.362540][ T5359] ? do_sys_open+0x230/0x230 [ 124.367133][ T5359] ? lockdep_hardirqs_on+0x98/0x140 [ 124.372333][ T5359] ? _raw_spin_unlock_irq+0x2e/0x50 [ 124.377526][ T5359] ? ptrace_notify+0x278/0x380 [ 124.382283][ T5359] __x64_sys_open+0x225/0x270 [ 124.386959][ T5359] ? do_sys_openat2+0x1d0/0x1d0 [ 124.391808][ T5359] ? syscall_enter_from_user_mode+0x32/0x230 [ 124.397812][ T5359] ? syscall_enter_from_user_mode+0x8c/0x230 [ 124.403801][ T5359] do_syscall_64+0x41/0xc0 [ 124.408307][ T5359] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 124.414220][ T5359] RIP: 0033:0x7f012f71fa59 [ 124.418628][ T5359] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 124.439278][ T5359] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 124.447704][ T5359] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 124.455678][ T5359] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5359] <... open resumed>) = ? [pid 5359] +++ exited with 0 +++ [pid 5358] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5358, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=29 /* 0.29 s */} --- umount2("./80", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./80", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./80/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./80/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./80/binderfs") = 0 [ 124.463750][ T5359] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 124.471815][ T5359] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 124.479796][ T5359] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 124.487814][ T5359] umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./80/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./80/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./80/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./80") = 0 mkdir("./81", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5362 ./strace-static-x86_64: Process 5362 attached [pid 5362] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5362] chdir("./81") = 0 [pid 5362] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5362] setpgid(0, 0) = 0 [pid 5362] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5362] write(3, "1000", 4) = 4 [pid 5362] close(3) = 0 [pid 5362] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5362] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5362] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5362] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5362] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5362] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5362] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5362] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0}./strace-static-x86_64: Process 5363 attached [pid 5363] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053 [pid 5362] <... clone3 resumed> => {parent_tid=[5363]}, 88) = 5363 [pid 5362] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5362] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5362] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5363] <... rseq resumed>) = 0 [pid 5363] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5363] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5363] memfd_create("syzkaller", 0) = 3 [pid 5363] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5363] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5363] munmap(0x7f01272bc000, 16777216) = 0 [pid 5363] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5363] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5363] close(3) = 0 [pid 5363] mkdir("./file0", 0777) = 0 [ 124.800392][ T5363] loop0: detected capacity change from 0 to 32768 [ 124.811671][ T5363] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 124.820246][ T5363] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 124.831302][ T5363] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 124.840287][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 124.847315][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5363] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5363] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5363] chdir("./file0") = 0 [pid 5363] ioctl(4, LOOP_CLR_FD) = 0 [pid 5363] close(4) = 0 [pid 5363] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5362] <... futex resumed>) = 0 [pid 5363] <... futex resumed>) = 1 [pid 5362] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5363] open("./file0", O_RDWR [pid 5362] <... futex resumed>) = 0 [ 124.881617][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 124.889131][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 124.894600][ T5363] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 124.927353][ T5363] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 124.936014][ T5363] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 124.936014][ T5363] inode = 12 2341 [ 124.936014][ T5363] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 124.955171][ T5363] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 124.965102][ T5363] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5363 [syz-executor198] __gfs2_lookup+0xa4/0x270 [pid 5362] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5362] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5362] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5362] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5362] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5362] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5365]}, 88) = 5365 [pid 5362] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5362] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5362] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5365 attached [pid 5365] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5365] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5365] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5365] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5365] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5362] <... futex resumed>) = 0 [pid 5362] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5362] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5365] <... futex resumed>) = 1 [pid 5365] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5365] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5362] <... futex resumed>) = 0 [pid 5365] <... futex resumed>) = 1 [ 124.975349][ T5363] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 124.983869][ T5363] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 124.991201][ T5363] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 125.001534][ T5363] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 125.011143][ T5363] gfs2: fsid=syz:syz.0: File system withdrawn [ 125.017709][ T5363] CPU: 1 PID: 5363 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 125.028141][ T5363] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 125.038190][ T5363] Call Trace: [ 125.041464][ T5363] [ 125.044390][ T5363] dump_stack_lvl+0x1e7/0x2d0 [ 125.049063][ T5363] ? nf_tcp_handle_invalid+0x650/0x650 [ 125.054513][ T5363] ? panic+0x770/0x770 [ 125.058578][ T5363] gfs2_withdraw+0xc94/0x11e0 [ 125.063276][ T5363] gfs2_dirent_scan+0x512/0x640 [ 125.068152][ T5363] ? gfs2_permission+0x268/0x3c0 [ 125.073107][ T5363] ? gfs2_dirent_search+0x8c0/0x8c0 [ 125.078309][ T5363] gfs2_dirent_search+0x30e/0x8c0 [ 125.083343][ T5363] ? gfs2_dirent_search+0x8c0/0x8c0 [ 125.088544][ T5363] ? generic_permission+0x1df/0x550 [ 125.093736][ T5363] ? gfs2_dir_search+0x2f0/0x2f0 [ 125.098671][ T5363] ? gfs2_permission+0x34a/0x3c0 [ 125.103607][ T5363] gfs2_dir_search+0xb2/0x2f0 [ 125.108296][ T5363] ? do_filldir_main+0x520/0x520 [ 125.113489][ T5363] ? inode_go_held+0xea/0x200 [ 125.118165][ T5363] ? gfs2_glock_wait+0x21a/0x2b0 [ 125.123186][ T5363] gfs2_lookupi+0x460/0x5d0 [ 125.127689][ T5363] ? gfs2_lookup_simple+0x180/0x180 [ 125.132884][ T5363] ? __gfs2_lookup+0xa4/0x270 [ 125.137647][ T5363] __gfs2_lookup+0xa4/0x270 [ 125.142145][ T5363] ? gfs2_atomic_open+0x230/0x230 [ 125.147166][ T5363] ? __d_lookup+0x675/0x730 [ 125.151771][ T5363] ? d_hash_and_lookup+0x1b0/0x1b0 [ 125.156962][ T5363] gfs2_atomic_open+0x9e/0x230 [ 125.161808][ T5363] path_openat+0x1044/0x3180 [ 125.166397][ T5363] ? gfs2_rename2+0x25a0/0x25a0 [ 125.171251][ T5363] ? do_filp_open+0x490/0x490 [ 125.176016][ T5363] do_filp_open+0x234/0x490 [ 125.180514][ T5363] ? vfs_tmpfile+0x4b0/0x4b0 [ 125.185109][ T5363] ? _raw_spin_unlock+0x28/0x40 [ 125.190042][ T5363] ? alloc_fd+0x59c/0x640 [ 125.194382][ T5363] do_sys_openat2+0x13e/0x1d0 [ 125.199052][ T5363] ? do_sys_open+0x230/0x230 [ 125.203635][ T5363] ? lockdep_hardirqs_on+0x98/0x140 [ 125.208833][ T5363] ? _raw_spin_unlock_irq+0x2e/0x50 [ 125.214026][ T5363] ? ptrace_notify+0x278/0x380 [ 125.218783][ T5363] __x64_sys_open+0x225/0x270 [ 125.223455][ T5363] ? do_sys_openat2+0x1d0/0x1d0 [ 125.228391][ T5363] ? syscall_enter_from_user_mode+0x32/0x230 [ 125.234374][ T5363] ? syscall_enter_from_user_mode+0x8c/0x230 [ 125.240441][ T5363] do_syscall_64+0x41/0xc0 [ 125.244936][ T5363] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 125.250835][ T5363] RIP: 0033:0x7f012f71fa59 [ 125.255240][ T5363] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [pid 5365] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5363] <... open resumed>) = -1 EIO (Input/output error) [pid 5363] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5363] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5362] exit_group(0 [pid 5365] <... futex resumed>) = ? [pid 5363] <... futex resumed>) = ? [pid 5362] <... exit_group resumed>) = ? [pid 5365] +++ exited with 0 +++ [pid 5363] +++ exited with 0 +++ [pid 5362] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5362, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=27 /* 0.27 s */} --- umount2("./81", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./81", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./81/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./81/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./81/binderfs") = 0 [ 125.274929][ T5363] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 125.283509][ T5363] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 125.291490][ T5363] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 125.299606][ T5363] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 125.307578][ T5363] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 125.315546][ T5363] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 125.323527][ T5363] umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./81/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./81/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./81/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./81") = 0 mkdir("./82", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5366 ./strace-static-x86_64: Process 5366 attached [pid 5366] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5366] chdir("./82") = 0 [pid 5366] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5366] setpgid(0, 0) = 0 [pid 5366] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5366] write(3, "1000", 4) = 4 [pid 5366] close(3) = 0 [pid 5366] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5366] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5366] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5366] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5366] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5366] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5366] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5366] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5367]}, 88) = 5367 [pid 5366] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5366] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5366] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5367 attached [pid 5367] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5367] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5367] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5367] memfd_create("syzkaller", 0) = 3 [pid 5367] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5367] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5367] munmap(0x7f01272bc000, 16777216) = 0 [pid 5367] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5367] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5367] close(3) = 0 [pid 5367] mkdir("./file0", 0777) = 0 [ 125.641606][ T5367] loop0: detected capacity change from 0 to 32768 [ 125.653787][ T5367] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 125.662345][ T5367] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 125.671779][ T5367] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 125.681142][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 125.688418][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5367] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5367] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5367] chdir("./file0") = 0 [pid 5367] ioctl(4, LOOP_CLR_FD) = 0 [pid 5367] close(4) = 0 [pid 5367] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5367] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5366] <... futex resumed>) = 0 [pid 5366] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5366] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5367] <... futex resumed>) = 0 [ 125.724682][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 125.732537][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 125.738012][ T5367] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 125.757065][ T5367] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 125.766336][ T5367] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5367] open("./file0", O_RDWR [pid 5366] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5366] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5366] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5366] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5366] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5366] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5369]}, 88) = 5369 [pid 5366] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5366] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5366] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5369 attached [pid 5369] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5369] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5369] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5369] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5369] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5366] <... futex resumed>) = 0 [pid 5366] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5366] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5369] <... futex resumed>) = 1 [pid 5369] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5369] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5366] <... futex resumed>) = 0 [pid 5369] <... futex resumed>) = 1 [ 125.766336][ T5367] inode = 12 2341 [ 125.766336][ T5367] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 125.785450][ T5367] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 125.795019][ T5367] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5367 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 125.805380][ T5367] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 125.814122][ T5367] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 125.821409][ T5367] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 125.830305][ T5367] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 125.837690][ T5367] gfs2: fsid=syz:syz.0: File system withdrawn [ 125.844226][ T5367] CPU: 1 PID: 5367 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 125.854644][ T5367] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 125.864779][ T5367] Call Trace: [ 125.868052][ T5367] [ 125.870973][ T5367] dump_stack_lvl+0x1e7/0x2d0 [ 125.875650][ T5367] ? nf_tcp_handle_invalid+0x650/0x650 [ 125.881095][ T5367] ? panic+0x770/0x770 [ 125.885158][ T5367] gfs2_withdraw+0xc94/0x11e0 [ 125.889829][ T5367] gfs2_dirent_scan+0x512/0x640 [ 125.894666][ T5367] ? gfs2_permission+0x268/0x3c0 [ 125.899602][ T5367] ? gfs2_dirent_search+0x8c0/0x8c0 [ 125.905593][ T5367] gfs2_dirent_search+0x30e/0x8c0 [ 125.910633][ T5367] ? gfs2_dirent_search+0x8c0/0x8c0 [ 125.915830][ T5367] ? generic_permission+0x1df/0x550 [ 125.921026][ T5367] ? gfs2_dir_search+0x2f0/0x2f0 [ 125.925977][ T5367] ? gfs2_permission+0x34a/0x3c0 [ 125.930913][ T5367] gfs2_dir_search+0xb2/0x2f0 [ 125.935588][ T5367] ? do_filldir_main+0x520/0x520 [ 125.940527][ T5367] ? inode_go_held+0xea/0x200 [ 125.945244][ T5367] ? gfs2_glock_wait+0x21a/0x2b0 [ 125.950176][ T5367] gfs2_lookupi+0x460/0x5d0 [ 125.954682][ T5367] ? gfs2_lookup_simple+0x180/0x180 [ 125.959877][ T5367] ? __gfs2_lookup+0xa4/0x270 [ 125.964574][ T5367] __gfs2_lookup+0xa4/0x270 [ 125.969073][ T5367] ? gfs2_atomic_open+0x230/0x230 [ 125.974189][ T5367] ? __d_lookup+0x675/0x730 [ 125.978688][ T5367] ? d_hash_and_lookup+0x1b0/0x1b0 [ 125.983816][ T5367] gfs2_atomic_open+0x9e/0x230 [ 125.988586][ T5367] path_openat+0x1044/0x3180 [ 125.993206][ T5367] ? gfs2_rename2+0x25a0/0x25a0 [ 125.998239][ T5367] ? do_filp_open+0x490/0x490 [ 126.002925][ T5367] do_filp_open+0x234/0x490 [ 126.007437][ T5367] ? vfs_tmpfile+0x4b0/0x4b0 [ 126.012035][ T5367] ? _raw_spin_unlock+0x28/0x40 [ 126.016885][ T5367] ? alloc_fd+0x59c/0x640 [ 126.021219][ T5367] do_sys_openat2+0x13e/0x1d0 [ 126.025894][ T5367] ? do_sys_open+0x230/0x230 [ 126.030483][ T5367] ? lockdep_hardirqs_on+0x98/0x140 [ 126.035683][ T5367] ? _raw_spin_unlock_irq+0x2e/0x50 [ 126.040878][ T5367] ? ptrace_notify+0x278/0x380 [ 126.045642][ T5367] __x64_sys_open+0x225/0x270 [ 126.050317][ T5367] ? do_sys_openat2+0x1d0/0x1d0 [ 126.057019][ T5367] ? syscall_enter_from_user_mode+0x32/0x230 [ 126.063035][ T5367] ? syscall_enter_from_user_mode+0x8c/0x230 [ 126.069036][ T5367] do_syscall_64+0x41/0xc0 [ 126.073465][ T5367] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 126.079366][ T5367] RIP: 0033:0x7f012f71fa59 [ 126.083778][ T5367] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 126.103485][ T5367] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 126.111921][ T5367] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5369] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5367] <... open resumed>) = -1 EIO (Input/output error) [pid 5367] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5366] exit_group(0 [pid 5369] <... futex resumed>) = ? [pid 5366] <... exit_group resumed>) = ? [pid 5369] +++ exited with 0 +++ [pid 5367] <... futex resumed>) = ? [pid 5367] +++ exited with 0 +++ [pid 5366] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5366, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./82", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./82", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./82/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./82/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./82/binderfs") = 0 [ 126.119903][ T5367] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 126.127876][ T5367] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 126.135931][ T5367] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 126.143984][ T5367] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 126.152050][ T5367] umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./82/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./82/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./82/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./82") = 0 mkdir("./83", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5370 ./strace-static-x86_64: Process 5370 attached [pid 5370] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5370] chdir("./83") = 0 [pid 5370] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5370] setpgid(0, 0) = 0 [pid 5370] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5370] write(3, "1000", 4) = 4 [pid 5370] close(3) = 0 [pid 5370] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5370] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5370] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5370] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5370] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5370] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5370] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5370] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5371]}, 88) = 5371 [pid 5370] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5370] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5370] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5371 attached [pid 5371] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5371] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5371] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5371] memfd_create("syzkaller", 0) = 3 [pid 5371] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5371] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5371] munmap(0x7f01272bc000, 16777216) = 0 [pid 5371] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5371] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5371] close(3) = 0 [pid 5371] mkdir("./file0", 0777) = 0 [ 126.463635][ T5371] loop0: detected capacity change from 0 to 32768 [ 126.475334][ T5371] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 126.483624][ T5371] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 126.493065][ T5371] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 126.501852][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 126.508647][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5371] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5371] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5371] chdir("./file0") = 0 [pid 5371] ioctl(4, LOOP_CLR_FD) = 0 [pid 5371] close(4) = 0 [pid 5371] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5370] <... futex resumed>) = 0 [pid 5370] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5370] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5371] <... futex resumed>) = 1 [ 126.543724][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 126.551281][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 126.556540][ T5371] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 126.571635][ T5371] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 126.580544][ T5371] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 126.580544][ T5371] inode = 12 2341 [pid 5371] open("./file0", O_RDWR [pid 5370] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5370] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5370] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5370] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5370] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5370] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0}./strace-static-x86_64: Process 5373 attached => {parent_tid=[5373]}, 88) = 5373 [pid 5370] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5370] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5370] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5373] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5373] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5373] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5373] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5373] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5370] <... futex resumed>) = 0 [pid 5370] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5370] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5373] <... futex resumed>) = 1 [pid 5373] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5373] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5370] <... futex resumed>) = 0 [pid 5373] <... futex resumed>) = 1 [ 126.580544][ T5371] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 126.599741][ T5371] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 126.609638][ T5371] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5371 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 126.620106][ T5371] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 126.632315][ T5371] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 126.639977][ T5371] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 126.648857][ T5371] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 126.655633][ T5371] gfs2: fsid=syz:syz.0: File system withdrawn [ 126.661976][ T5371] CPU: 0 PID: 5371 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 126.672392][ T5371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 126.682622][ T5371] Call Trace: [ 126.685924][ T5371] [ 126.689400][ T5371] dump_stack_lvl+0x1e7/0x2d0 [ 126.694085][ T5371] ? nf_tcp_handle_invalid+0x650/0x650 [ 126.699584][ T5371] ? panic+0x770/0x770 [ 126.703664][ T5371] gfs2_withdraw+0xc94/0x11e0 [ 126.708383][ T5371] gfs2_dirent_scan+0x512/0x640 [ 126.713259][ T5371] ? gfs2_permission+0x268/0x3c0 [ 126.718236][ T5371] ? gfs2_dirent_search+0x8c0/0x8c0 [ 126.723484][ T5371] gfs2_dirent_search+0x30e/0x8c0 [ 126.728540][ T5371] ? gfs2_dirent_search+0x8c0/0x8c0 [ 126.733750][ T5371] ? generic_permission+0x1df/0x550 [ 126.738959][ T5371] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5373] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5370] exit_group(0 [pid 5373] <... futex resumed>) = ? [pid 5370] <... exit_group resumed>) = ? [pid 5373] +++ exited with 0 +++ [ 126.743925][ T5371] ? gfs2_permission+0x34a/0x3c0 [ 126.748884][ T5371] gfs2_dir_search+0xb2/0x2f0 [ 126.753941][ T5371] ? do_filldir_main+0x520/0x520 [ 126.758879][ T5371] ? inode_go_held+0xea/0x200 [ 126.763571][ T5371] ? gfs2_glock_wait+0x21a/0x2b0 [ 126.768715][ T5371] gfs2_lookupi+0x460/0x5d0 [ 126.773255][ T5371] ? gfs2_lookup_simple+0x180/0x180 [ 126.778551][ T5371] ? __gfs2_lookup+0xa4/0x270 [ 126.783236][ T5371] __gfs2_lookup+0xa4/0x270 [ 126.788013][ T5371] ? gfs2_atomic_open+0x230/0x230 [ 126.793048][ T5371] ? __d_lookup+0x675/0x730 [ 126.797565][ T5371] ? d_hash_and_lookup+0x1b0/0x1b0 [ 126.802696][ T5371] gfs2_atomic_open+0x9e/0x230 [ 126.807458][ T5371] path_openat+0x1044/0x3180 [ 126.812137][ T5371] ? gfs2_rename2+0x25a0/0x25a0 [ 126.817000][ T5371] ? do_filp_open+0x490/0x490 [ 126.821683][ T5371] do_filp_open+0x234/0x490 [ 126.826198][ T5371] ? vfs_tmpfile+0x4b0/0x4b0 [ 126.830817][ T5371] ? _raw_spin_unlock+0x28/0x40 [ 126.835691][ T5371] ? alloc_fd+0x59c/0x640 [ 126.840068][ T5371] do_sys_openat2+0x13e/0x1d0 [ 126.844775][ T5371] ? do_sys_open+0x230/0x230 [ 126.849392][ T5371] ? lockdep_hardirqs_on+0x98/0x140 [ 126.854608][ T5371] ? _raw_spin_unlock_irq+0x2e/0x50 [ 126.859811][ T5371] ? ptrace_notify+0x278/0x380 [ 126.864586][ T5371] __x64_sys_open+0x225/0x270 [ 126.869294][ T5371] ? do_sys_openat2+0x1d0/0x1d0 [ 126.874174][ T5371] ? syscall_enter_from_user_mode+0x32/0x230 [ 126.880170][ T5371] ? syscall_enter_from_user_mode+0x8c/0x230 [ 126.886151][ T5371] do_syscall_64+0x41/0xc0 [ 126.890577][ T5371] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 126.896487][ T5371] RIP: 0033:0x7f012f71fa59 [ 126.900896][ T5371] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 126.920608][ T5371] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 126.929038][ T5371] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 126.937019][ T5371] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5371] <... open resumed>) = ? [pid 5371] +++ exited with 0 +++ [pid 5370] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5370, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=33 /* 0.33 s */} --- umount2("./83", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./83", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./83/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./83/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./83/binderfs") = 0 [ 126.945430][ T5371] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 126.953425][ T5371] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 126.961416][ T5371] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 126.969421][ T5371] umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./83/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./83/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./83/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./83") = 0 mkdir("./84", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5374 ./strace-static-x86_64: Process 5374 attached [pid 5374] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5374] chdir("./84") = 0 [pid 5374] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5374] setpgid(0, 0) = 0 [pid 5374] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5374] write(3, "1000", 4) = 4 [pid 5374] close(3) = 0 [pid 5374] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5374] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5374] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5374] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5374] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5374] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5374] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5374] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5375]}, 88) = 5375 [pid 5374] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5374] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5374] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5375 attached [pid 5375] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5375] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5375] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5375] memfd_create("syzkaller", 0) = 3 [pid 5375] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5375] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5375] munmap(0x7f01272bc000, 16777216) = 0 [pid 5375] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5375] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5375] close(3) = 0 [pid 5375] mkdir("./file0", 0777) = 0 [ 127.265197][ T5375] loop0: detected capacity change from 0 to 32768 [ 127.275911][ T5375] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 127.284969][ T5375] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 127.294443][ T5375] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 127.303668][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 127.310769][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5375] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5375] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5375] chdir("./file0") = 0 [pid 5375] ioctl(4, LOOP_CLR_FD) = 0 [pid 5375] close(4) = 0 [pid 5375] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5374] <... futex resumed>) = 0 [pid 5374] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5374] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5375] <... futex resumed>) = 1 [ 127.348051][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 127.355775][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 127.361153][ T5375] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 127.374988][ T5375] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 127.383524][ T5375] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 127.383524][ T5375] inode = 12 2341 [pid 5375] open("./file0", O_RDWR [pid 5374] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5374] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5374] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5374] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [ 127.383524][ T5375] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 127.402290][ T5375] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 127.411446][ T5375] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5375 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 127.421740][ T5375] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 127.430433][ T5375] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 127.437922][ T5375] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5374] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5374] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5377]}, 88) = 5377 [pid 5374] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5374] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5374] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5377 attached [pid 5377] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5377] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5377] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5377] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5377] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5374] <... futex resumed>) = 0 [pid 5374] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5374] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5377] <... futex resumed>) = 1 [pid 5377] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5377] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5374] <... futex resumed>) = 0 [pid 5377] <... futex resumed>) = 1 [ 127.447007][ T5375] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 127.454208][ T5375] gfs2: fsid=syz:syz.0: File system withdrawn [ 127.461450][ T5375] CPU: 0 PID: 5375 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 127.471903][ T5375] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 127.482000][ T5375] Call Trace: [ 127.485276][ T5375] [ 127.488198][ T5375] dump_stack_lvl+0x1e7/0x2d0 [ 127.492906][ T5375] ? nf_tcp_handle_invalid+0x650/0x650 [ 127.498349][ T5375] ? panic+0x770/0x770 [ 127.502412][ T5375] gfs2_withdraw+0xc94/0x11e0 [ 127.507084][ T5375] gfs2_dirent_scan+0x512/0x640 [ 127.511921][ T5375] ? preempt_schedule+0xdd/0xf0 [ 127.516847][ T5375] ? gfs2_dirent_search+0x8c0/0x8c0 [ 127.522037][ T5375] gfs2_dirent_search+0x30e/0x8c0 [ 127.527053][ T5375] ? gfs2_dirent_search+0x8c0/0x8c0 [ 127.532237][ T5375] ? generic_permission+0x1df/0x550 [ 127.537510][ T5375] ? gfs2_dir_search+0x2f0/0x2f0 [ 127.542438][ T5375] ? gfs2_permission+0x34a/0x3c0 [ 127.547374][ T5375] gfs2_dir_search+0xb2/0x2f0 [ 127.552039][ T5375] ? do_filldir_main+0x520/0x520 [ 127.556961][ T5375] ? inode_go_held+0xea/0x200 [ 127.562159][ T5375] ? gfs2_glock_wait+0x21a/0x2b0 [ 127.567082][ T5375] gfs2_lookupi+0x460/0x5d0 [ 127.571666][ T5375] ? gfs2_lookup_simple+0x180/0x180 [ 127.576852][ T5375] ? __gfs2_lookup+0xa4/0x270 [ 127.581524][ T5375] __gfs2_lookup+0xa4/0x270 [ 127.586016][ T5375] ? gfs2_atomic_open+0x230/0x230 [ 127.591027][ T5375] ? __d_lookup+0x675/0x730 [ 127.595602][ T5375] ? d_hash_and_lookup+0x1b0/0x1b0 [ 127.600714][ T5375] gfs2_atomic_open+0x9e/0x230 [ 127.605475][ T5375] path_openat+0x1044/0x3180 [ 127.610055][ T5375] ? gfs2_rename2+0x25a0/0x25a0 [ 127.614900][ T5375] ? do_filp_open+0x490/0x490 [ 127.619573][ T5375] do_filp_open+0x234/0x490 [ 127.624065][ T5375] ? vfs_tmpfile+0x4b0/0x4b0 [ 127.628650][ T5375] ? _raw_spin_unlock+0x28/0x40 [ 127.633487][ T5375] ? alloc_fd+0x59c/0x640 [ 127.637807][ T5375] do_sys_openat2+0x13e/0x1d0 [ 127.642475][ T5375] ? do_sys_open+0x230/0x230 [ 127.647318][ T5375] ? lockdep_hardirqs_on+0x98/0x140 [ 127.652521][ T5375] ? _raw_spin_unlock_irq+0x2e/0x50 [ 127.657729][ T5375] ? ptrace_notify+0x278/0x380 [ 127.662488][ T5375] __x64_sys_open+0x225/0x270 [ 127.667161][ T5375] ? do_sys_openat2+0x1d0/0x1d0 [ 127.672003][ T5375] ? syscall_enter_from_user_mode+0x32/0x230 [ 127.678022][ T5375] ? syscall_enter_from_user_mode+0x8c/0x230 [ 127.684007][ T5375] do_syscall_64+0x41/0xc0 [ 127.688418][ T5375] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 127.694300][ T5375] RIP: 0033:0x7f012f71fa59 [ 127.698706][ T5375] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 127.718297][ T5375] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 127.726790][ T5375] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 127.734741][ T5375] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5377] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5375] <... open resumed>) = -1 EIO (Input/output error) [pid 5375] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5374] exit_group(0) = ? [pid 5377] <... futex resumed>) = ? [pid 5377] +++ exited with 0 +++ [pid 5375] +++ exited with 0 +++ [pid 5374] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5374, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./84", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./84", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./84/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./84/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./84/binderfs") = 0 [ 127.742696][ T5375] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 127.750649][ T5375] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 127.758601][ T5375] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 127.766654][ T5375] umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./84/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./84/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./84/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./84") = 0 mkdir("./85", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5378 ./strace-static-x86_64: Process 5378 attached [pid 5378] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5378] chdir("./85") = 0 [pid 5378] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5378] setpgid(0, 0) = 0 [pid 5378] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5378] write(3, "1000", 4) = 4 [pid 5378] close(3) = 0 [pid 5378] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5378] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5378] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5378] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5378] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5378] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5378] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5378] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5379]}, 88) = 5379 [pid 5378] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5378] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5378] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5379 attached [pid 5379] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5379] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5379] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5379] memfd_create("syzkaller", 0) = 3 [pid 5379] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5379] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5379] munmap(0x7f01272bc000, 16777216) = 0 [pid 5379] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5379] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5379] close(3) = 0 [pid 5379] mkdir("./file0", 0777) = 0 [ 128.070722][ T5379] loop0: detected capacity change from 0 to 32768 [ 128.083061][ T5379] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 128.091572][ T5379] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 128.101740][ T5379] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 128.110305][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 128.117087][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5379] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5379] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5379] chdir("./file0") = 0 [pid 5379] ioctl(4, LOOP_CLR_FD) = 0 [pid 5379] close(4) = 0 [pid 5379] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5378] <... futex resumed>) = 0 [pid 5379] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5378] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5379] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5378] <... futex resumed>) = 0 [pid 5379] open("./file0", O_RDWR [ 128.157557][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 128.166083][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 128.171510][ T5379] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 128.195778][ T5379] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5378] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5378] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5378] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5378] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5378] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5378] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5378] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5381]}, 88) = 5381 [pid 5378] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5378] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5378] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5381 attached [pid 5381] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5381] set_robust_list(0x7f01282bb9a0, 24) = 0 [ 128.204831][ T5379] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 128.204831][ T5379] inode = 12 2341 [ 128.204831][ T5379] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 128.223704][ T5379] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 128.233102][ T5379] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5379 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 128.243755][ T5379] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5381] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5381] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5381] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5378] <... futex resumed>) = 0 [pid 5378] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5378] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5381] <... futex resumed>) = 1 [pid 5381] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5381] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5378] <... futex resumed>) = 0 [pid 5381] <... futex resumed>) = 1 [ 128.252571][ T5379] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 128.259902][ T5379] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 128.268859][ T5379] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 128.276131][ T5379] gfs2: fsid=syz:syz.0: File system withdrawn [ 128.282642][ T5379] CPU: 1 PID: 5379 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 128.293051][ T5379] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 128.303094][ T5379] Call Trace: [ 128.306359][ T5379] [ 128.309292][ T5379] dump_stack_lvl+0x1e7/0x2d0 [ 128.313960][ T5379] ? nf_tcp_handle_invalid+0x650/0x650 [ 128.319404][ T5379] ? panic+0x770/0x770 [ 128.323464][ T5379] gfs2_withdraw+0xc94/0x11e0 [ 128.328136][ T5379] gfs2_dirent_scan+0x512/0x640 [ 128.332993][ T5379] ? gfs2_permission+0x268/0x3c0 [ 128.337928][ T5379] ? gfs2_dirent_search+0x8c0/0x8c0 [ 128.343125][ T5379] gfs2_dirent_search+0x30e/0x8c0 [ 128.348155][ T5379] ? gfs2_dirent_search+0x8c0/0x8c0 [ 128.353359][ T5379] ? generic_permission+0x1df/0x550 [ 128.358572][ T5379] ? gfs2_dir_search+0x2f0/0x2f0 [ 128.363524][ T5379] ? gfs2_permission+0x34a/0x3c0 [ 128.368737][ T5379] gfs2_dir_search+0xb2/0x2f0 [ 128.373421][ T5379] ? do_filldir_main+0x520/0x520 [ 128.378360][ T5379] ? inode_go_held+0xea/0x200 [ 128.383041][ T5379] ? gfs2_glock_wait+0x21a/0x2b0 [ 128.387979][ T5379] gfs2_lookupi+0x460/0x5d0 [ 128.392483][ T5379] ? gfs2_lookup_simple+0x180/0x180 [ 128.397693][ T5379] ? __gfs2_lookup+0xa4/0x270 [ 128.402471][ T5379] __gfs2_lookup+0xa4/0x270 [ 128.406996][ T5379] ? gfs2_atomic_open+0x230/0x230 [ 128.412032][ T5379] ? __d_lookup+0x675/0x730 [ 128.416537][ T5379] ? d_hash_and_lookup+0x1b0/0x1b0 [ 128.421648][ T5379] gfs2_atomic_open+0x9e/0x230 [ 128.426422][ T5379] path_openat+0x1044/0x3180 [ 128.431018][ T5379] ? gfs2_rename2+0x25a0/0x25a0 [ 128.435874][ T5379] ? do_filp_open+0x490/0x490 [ 128.440571][ T5379] do_filp_open+0x234/0x490 [ 128.445101][ T5379] ? vfs_tmpfile+0x4b0/0x4b0 [ 128.449717][ T5379] ? _raw_spin_unlock+0x28/0x40 [ 128.454830][ T5379] ? alloc_fd+0x59c/0x640 [ 128.459168][ T5379] do_sys_openat2+0x13e/0x1d0 [ 128.463863][ T5379] ? do_sys_open+0x230/0x230 [ 128.468467][ T5379] ? lockdep_hardirqs_on+0x98/0x140 [ 128.473680][ T5379] ? _raw_spin_unlock_irq+0x2e/0x50 [ 128.478885][ T5379] ? ptrace_notify+0x278/0x380 [ 128.483688][ T5379] __x64_sys_open+0x225/0x270 [ 128.488392][ T5379] ? do_sys_openat2+0x1d0/0x1d0 [ 128.493265][ T5379] ? syscall_enter_from_user_mode+0x32/0x230 [ 128.499254][ T5379] ? syscall_enter_from_user_mode+0x8c/0x230 [ 128.505253][ T5379] do_syscall_64+0x41/0xc0 [ 128.509665][ T5379] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 128.515557][ T5379] RIP: 0033:0x7f012f71fa59 [ 128.519965][ T5379] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 128.539564][ T5379] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 128.547978][ T5379] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [pid 5381] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5379] <... open resumed>) = -1 EIO (Input/output error) [pid 5379] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5379] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5378] exit_group(0) = ? [pid 5381] <... futex resumed>) = ? [pid 5379] <... futex resumed>) = ? [pid 5379] +++ exited with 0 +++ [pid 5381] +++ exited with 0 +++ [pid 5378] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5378, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=29 /* 0.29 s */} --- umount2("./85", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./85", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./85/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./85/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./85/binderfs") = 0 [ 128.555947][ T5379] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 128.564177][ T5379] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 128.572148][ T5379] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96ac [ 128.580122][ T5379] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 128.588100][ T5379] umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./85/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./85/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./85/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./85") = 0 mkdir("./86", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5382 ./strace-static-x86_64: Process 5382 attached [pid 5382] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5382] chdir("./86") = 0 [pid 5382] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5382] setpgid(0, 0) = 0 [pid 5382] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5382] write(3, "1000", 4) = 4 [pid 5382] close(3) = 0 [pid 5382] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5382] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5382] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5382] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5382] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5382] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5382] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5382] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5383]}, 88) = 5383 [pid 5382] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5382] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5382] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5383 attached [pid 5383] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5383] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5383] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5383] memfd_create("syzkaller", 0) = 3 [pid 5383] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5383] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5383] munmap(0x7f01272bc000, 16777216) = 0 [pid 5383] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5383] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5383] close(3) = 0 [pid 5383] mkdir("./file0", 0777) = 0 [ 128.894506][ T5383] loop0: detected capacity change from 0 to 32768 [ 128.905547][ T5383] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 128.913822][ T5383] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 128.922952][ T5383] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 128.931805][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 128.938579][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5383] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5383] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5383] chdir("./file0") = 0 [pid 5383] ioctl(4, LOOP_CLR_FD) = 0 [pid 5383] close(4) = 0 [pid 5383] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5382] <... futex resumed>) = 0 [pid 5382] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5382] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5383] <... futex resumed>) = 1 [ 128.973416][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 128.982301][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 128.987572][ T5383] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 129.001850][ T5383] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 129.010568][ T5383] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 129.010568][ T5383] inode = 12 2341 [pid 5383] open("./file0", O_RDWR [pid 5382] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5382] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 129.010568][ T5383] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 129.029467][ T5383] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 129.038593][ T5383] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5383 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 129.048768][ T5383] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 129.057409][ T5383] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 129.064739][ T5383] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5382] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5382] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5382] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5382] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5385]}, 88) = 5385 [pid 5382] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5382] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5382] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5385 attached [pid 5385] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5385] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5385] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5385] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5385] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5382] <... futex resumed>) = 0 [pid 5382] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5382] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5385] <... futex resumed>) = 1 [pid 5385] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5385] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5382] <... futex resumed>) = 0 [pid 5385] <... futex resumed>) = 1 [ 129.073592][ T5383] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 129.080247][ T5383] gfs2: fsid=syz:syz.0: File system withdrawn [ 129.086349][ T5383] CPU: 0 PID: 5383 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 129.096795][ T5383] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 129.106866][ T5383] Call Trace: [ 129.110162][ T5383] [ 129.113118][ T5383] dump_stack_lvl+0x1e7/0x2d0 [ 129.117812][ T5383] ? nf_tcp_handle_invalid+0x650/0x650 [ 129.123290][ T5383] ? panic+0x770/0x770 [ 129.127358][ T5383] gfs2_withdraw+0xc94/0x11e0 [ 129.132052][ T5383] gfs2_dirent_scan+0x512/0x640 [ 129.136917][ T5383] ? gfs2_permission+0x268/0x3c0 [ 129.141860][ T5383] ? gfs2_dirent_search+0x8c0/0x8c0 [ 129.147073][ T5383] gfs2_dirent_search+0x30e/0x8c0 [ 129.152095][ T5383] ? gfs2_dirent_search+0x8c0/0x8c0 [ 129.157297][ T5383] ? generic_permission+0x1df/0x550 [ 129.162515][ T5383] ? gfs2_dir_search+0x2f0/0x2f0 [ 129.167542][ T5383] ? gfs2_permission+0x34a/0x3c0 [ 129.172494][ T5383] gfs2_dir_search+0xb2/0x2f0 [ 129.177195][ T5383] ? do_filldir_main+0x520/0x520 [ 129.182150][ T5383] ? inode_go_held+0xea/0x200 [ 129.186866][ T5383] ? gfs2_glock_wait+0x21a/0x2b0 [ 129.191827][ T5383] gfs2_lookupi+0x460/0x5d0 [ 129.196340][ T5383] ? gfs2_lookup_simple+0x180/0x180 [ 129.201551][ T5383] ? __gfs2_lookup+0xa4/0x270 [ 129.206263][ T5383] __gfs2_lookup+0xa4/0x270 [ 129.210785][ T5383] ? gfs2_atomic_open+0x230/0x230 [ 129.215821][ T5383] ? __d_lookup+0x675/0x730 [ 129.221377][ T5383] ? d_hash_and_lookup+0x1b0/0x1b0 [ 129.226489][ T5383] gfs2_atomic_open+0x9e/0x230 [ 129.231252][ T5383] path_openat+0x1044/0x3180 [ 129.235840][ T5383] ? gfs2_rename2+0x25a0/0x25a0 [ 129.240786][ T5383] ? do_filp_open+0x490/0x490 [ 129.245470][ T5383] do_filp_open+0x234/0x490 [ 129.250071][ T5383] ? vfs_tmpfile+0x4b0/0x4b0 [ 129.254698][ T5383] ? _raw_spin_unlock+0x28/0x40 [ 129.259558][ T5383] ? alloc_fd+0x59c/0x640 [ 129.263916][ T5383] do_sys_openat2+0x13e/0x1d0 [ 129.268704][ T5383] ? do_sys_open+0x230/0x230 [ 129.273314][ T5383] ? lockdep_hardirqs_on+0x98/0x140 [ 129.278526][ T5383] ? _raw_spin_unlock_irq+0x2e/0x50 [ 129.283734][ T5383] ? ptrace_notify+0x278/0x380 [ 129.288495][ T5383] __x64_sys_open+0x225/0x270 [ 129.293194][ T5383] ? do_sys_openat2+0x1d0/0x1d0 [ 129.298092][ T5383] ? syscall_enter_from_user_mode+0x32/0x230 [ 129.304093][ T5383] ? syscall_enter_from_user_mode+0x8c/0x230 [ 129.310090][ T5383] do_syscall_64+0x41/0xc0 [ 129.314522][ T5383] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 129.320440][ T5383] RIP: 0033:0x7f012f71fa59 [ 129.324866][ T5383] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 129.344486][ T5383] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 129.352912][ T5383] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 129.360881][ T5383] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5385] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5383] <... open resumed>) = -1 EIO (Input/output error) [pid 5383] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5383] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5382] exit_group(0 [pid 5385] <... futex resumed>) = ? [pid 5383] <... futex resumed>) = ? [pid 5382] <... exit_group resumed>) = ? [pid 5383] +++ exited with 0 +++ [pid 5385] +++ exited with 0 +++ [pid 5382] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5382, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=27 /* 0.27 s */} --- umount2("./86", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./86", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./86/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./86/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./86/binderfs") = 0 [ 129.368845][ T5383] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 129.376810][ T5383] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 129.384792][ T5383] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 129.392776][ T5383] umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./86/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./86/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./86/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./86") = 0 mkdir("./87", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5386 ./strace-static-x86_64: Process 5386 attached [pid 5386] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5386] chdir("./87") = 0 [pid 5386] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5386] setpgid(0, 0) = 0 [pid 5386] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5386] write(3, "1000", 4) = 4 [pid 5386] close(3) = 0 [pid 5386] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5386] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5386] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5386] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5386] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5386] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5386] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5386] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5387]}, 88) = 5387 [pid 5386] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5386] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5386] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5387 attached [pid 5387] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5387] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5387] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5387] memfd_create("syzkaller", 0) = 3 [pid 5387] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5387] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5387] munmap(0x7f01272bc000, 16777216) = 0 [pid 5387] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5387] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5387] close(3) = 0 [pid 5387] mkdir("./file0", 0777) = 0 [ 129.702256][ T5387] loop0: detected capacity change from 0 to 32768 [ 129.713759][ T5387] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 129.722259][ T5387] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 129.731993][ T5387] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 129.740847][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 129.747647][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5387] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5387] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5387] chdir("./file0") = 0 [pid 5387] ioctl(4, LOOP_CLR_FD) = 0 [pid 5387] close(4) = 0 [pid 5387] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5386] <... futex resumed>) = 0 [pid 5387] open("./file0", O_RDWR [pid 5386] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 129.784768][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 129.793720][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 129.799017][ T5387] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 129.812574][ T5387] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 129.821659][ T5387] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 129.821659][ T5387] inode = 12 2341 [pid 5386] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5386] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5386] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5386] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5386] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5386] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5386] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5389]}, 88) = 5389 [pid 5386] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5386] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5386] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5389 attached [pid 5389] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5389] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5389] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5389] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5389] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5386] <... futex resumed>) = 0 [pid 5386] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5386] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5389] <... futex resumed>) = 1 [pid 5389] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5389] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5386] <... futex resumed>) = 0 [pid 5389] <... futex resumed>) = 1 [ 129.821659][ T5387] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 129.840878][ T5387] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 129.850599][ T5387] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5387 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 129.861534][ T5387] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 129.870108][ T5387] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 129.878103][ T5387] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 129.887440][ T5387] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 129.894767][ T5387] gfs2: fsid=syz:syz.0: File system withdrawn [ 129.901431][ T5387] CPU: 0 PID: 5387 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 129.911955][ T5387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 129.922006][ T5387] Call Trace: [ 129.925273][ T5387] [ 129.928197][ T5387] dump_stack_lvl+0x1e7/0x2d0 [ 129.932892][ T5387] ? nf_tcp_handle_invalid+0x650/0x650 [ 129.938358][ T5387] ? panic+0x770/0x770 [ 129.942439][ T5387] gfs2_withdraw+0xc94/0x11e0 [ 129.947124][ T5387] gfs2_dirent_scan+0x512/0x640 [ 129.951966][ T5387] ? gfs2_permission+0x268/0x3c0 [ 129.956911][ T5387] ? gfs2_dirent_search+0x8c0/0x8c0 [ 129.962107][ T5387] gfs2_dirent_search+0x30e/0x8c0 [ 129.967135][ T5387] ? gfs2_dirent_search+0x8c0/0x8c0 [ 129.972343][ T5387] ? generic_permission+0x1df/0x550 [ 129.977624][ T5387] ? gfs2_dir_search+0x2f0/0x2f0 [ 129.982562][ T5387] ? gfs2_permission+0x34a/0x3c0 [ 129.987512][ T5387] gfs2_dir_search+0xb2/0x2f0 [ 129.992189][ T5387] ? do_filldir_main+0x520/0x520 [ 129.997126][ T5387] ? inode_go_held+0xea/0x200 [ 130.001805][ T5387] ? gfs2_glock_wait+0x21a/0x2b0 [ 130.006750][ T5387] gfs2_lookupi+0x460/0x5d0 [ 130.011257][ T5387] ? gfs2_lookup_simple+0x180/0x180 [ 130.016450][ T5387] ? __gfs2_lookup+0xa4/0x270 [ 130.021136][ T5387] __gfs2_lookup+0xa4/0x270 [ 130.025637][ T5387] ? gfs2_atomic_open+0x230/0x230 [ 130.030661][ T5387] ? __d_lookup+0x675/0x730 [ 130.035158][ T5387] ? d_hash_and_lookup+0x1b0/0x1b0 [ 130.040270][ T5387] gfs2_atomic_open+0x9e/0x230 [ 130.045129][ T5387] path_openat+0x1044/0x3180 [ 130.049807][ T5387] ? gfs2_rename2+0x25a0/0x25a0 [ 130.054761][ T5387] ? do_filp_open+0x490/0x490 [ 130.059619][ T5387] do_filp_open+0x234/0x490 [ 130.064117][ T5387] ? vfs_tmpfile+0x4b0/0x4b0 [ 130.068714][ T5387] ? _raw_spin_unlock+0x28/0x40 [ 130.073562][ T5387] ? alloc_fd+0x59c/0x640 [ 130.078336][ T5387] do_sys_openat2+0x13e/0x1d0 [ 130.083018][ T5387] ? do_sys_open+0x230/0x230 [ 130.087611][ T5387] ? lockdep_hardirqs_on+0x98/0x140 [ 130.092808][ T5387] ? _raw_spin_unlock_irq+0x2e/0x50 [ 130.097999][ T5387] ? ptrace_notify+0x278/0x380 [ 130.102856][ T5387] __x64_sys_open+0x225/0x270 [ 130.107532][ T5387] ? do_sys_openat2+0x1d0/0x1d0 [ 130.112393][ T5387] ? syscall_enter_from_user_mode+0x32/0x230 [ 130.119154][ T5387] ? syscall_enter_from_user_mode+0x8c/0x230 [ 130.125221][ T5387] do_syscall_64+0x41/0xc0 [ 130.129637][ T5387] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 130.135530][ T5387] RIP: 0033:0x7f012f71fa59 [ 130.139951][ T5387] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 130.159555][ T5387] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 130.167971][ T5387] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 130.175937][ T5387] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5389] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5387] <... open resumed>) = -1 EIO (Input/output error) [pid 5387] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5387] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5386] exit_group(0) = ? [pid 5389] <... futex resumed>) = ? [pid 5387] <... futex resumed>) = ? [pid 5387] +++ exited with 0 +++ [pid 5389] +++ exited with 0 +++ [pid 5386] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5386, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=28 /* 0.28 s */} --- umount2("./87", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./87", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./87/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./87/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./87/binderfs") = 0 [ 130.183905][ T5387] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 130.191871][ T5387] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 130.199836][ T5387] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 130.207819][ T5387] umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./87/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./87/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./87/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./87") = 0 mkdir("./88", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5390 ./strace-static-x86_64: Process 5390 attached [pid 5390] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5390] chdir("./88") = 0 [pid 5390] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5390] setpgid(0, 0) = 0 [pid 5390] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5390] write(3, "1000", 4) = 4 [pid 5390] close(3) = 0 [pid 5390] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5390] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5390] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5390] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5390] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5390] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5390] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5390] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5391]}, 88) = 5391 [pid 5390] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5390] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5390] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5391 attached [pid 5391] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5391] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5391] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5391] memfd_create("syzkaller", 0) = 3 [pid 5391] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5391] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5391] munmap(0x7f01272bc000, 16777216) = 0 [pid 5391] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5391] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5391] close(3) = 0 [pid 5391] mkdir("./file0", 0777) = 0 [ 130.513016][ T5391] loop0: detected capacity change from 0 to 32768 [ 130.524207][ T5391] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 130.533073][ T5391] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 130.543993][ T5391] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 130.552551][ T775] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 130.559588][ T775] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5391] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5391] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5391] chdir("./file0") = 0 [pid 5391] ioctl(4, LOOP_CLR_FD) = 0 [pid 5391] close(4) = 0 [pid 5391] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5390] <... futex resumed>) = 0 [pid 5391] open("./file0", O_RDWR [pid 5390] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 130.596649][ T775] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 130.605554][ T775] gfs2: fsid=syz:syz.0: jid=0: Done [ 130.611087][ T5391] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 130.625516][ T5391] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 130.634715][ T5391] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 130.634715][ T5391] inode = 12 2341 [pid 5390] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5390] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5390] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5390] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5390] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5390] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5393]}, 88) = 5393 [pid 5390] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5390] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5390] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5393 attached [pid 5393] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5393] set_robust_list(0x7f01282bb9a0, 24) = 0 [ 130.634715][ T5391] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 130.653689][ T5391] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 130.663329][ T5391] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5391 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 130.673549][ T5391] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 130.682203][ T5391] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5393] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5393] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC) = -1 EIO (Input/output error) [pid 5393] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5390] <... futex resumed>) = 0 [pid 5390] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5390] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5393] <... futex resumed>) = 1 [pid 5393] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5393] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5390] <... futex resumed>) = 0 [pid 5393] <... futex resumed>) = 1 [ 130.689869][ T5391] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 130.698675][ T5391] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 130.705728][ T5391] gfs2: fsid=syz:syz.0: File system withdrawn [ 130.712098][ T5391] CPU: 0 PID: 5391 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 130.722530][ T5391] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 130.732585][ T5391] Call Trace: [ 130.735874][ T5391] [ 130.738819][ T5391] dump_stack_lvl+0x1e7/0x2d0 [ 130.743505][ T5391] ? nf_tcp_handle_invalid+0x650/0x650 [ 130.748992][ T5391] ? panic+0x770/0x770 [ 130.753073][ T5391] gfs2_withdraw+0xc94/0x11e0 [ 130.757760][ T5391] gfs2_dirent_scan+0x512/0x640 [ 130.762626][ T5391] ? gfs2_permission+0x268/0x3c0 [ 130.767569][ T5391] ? gfs2_dirent_search+0x8c0/0x8c0 [ 130.772795][ T5391] gfs2_dirent_search+0x30e/0x8c0 [ 130.777907][ T5391] ? gfs2_dirent_search+0x8c0/0x8c0 [ 130.783111][ T5391] ? generic_permission+0x1df/0x550 [ 130.788421][ T5391] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5393] futex(0x7f012f7b96b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5390] exit_group(0 [pid 5393] <... futex resumed>) = ? [pid 5390] <... exit_group resumed>) = ? [pid 5393] +++ exited with 0 +++ [ 130.793381][ T5391] ? gfs2_permission+0x34a/0x3c0 [ 130.798333][ T5391] gfs2_dir_search+0xb2/0x2f0 [ 130.803040][ T5391] ? do_filldir_main+0x520/0x520 [ 130.808004][ T5391] ? inode_go_held+0xea/0x200 [ 130.812703][ T5391] ? gfs2_glock_wait+0x21a/0x2b0 [ 130.817650][ T5391] gfs2_lookupi+0x460/0x5d0 [ 130.822186][ T5391] ? gfs2_lookup_simple+0x180/0x180 [ 130.827404][ T5391] ? __gfs2_lookup+0xa4/0x270 [ 130.832141][ T5391] __gfs2_lookup+0xa4/0x270 [ 130.836842][ T5391] ? gfs2_atomic_open+0x230/0x230 [ 130.841887][ T5391] ? __d_lookup+0x675/0x730 [ 130.846407][ T5391] ? d_hash_and_lookup+0x1b0/0x1b0 [ 130.851529][ T5391] gfs2_atomic_open+0x9e/0x230 [ 130.856396][ T5391] path_openat+0x1044/0x3180 [ 130.861000][ T5391] ? gfs2_rename2+0x25a0/0x25a0 [ 130.865872][ T5391] ? do_filp_open+0x490/0x490 [ 130.870568][ T5391] do_filp_open+0x234/0x490 [ 130.875132][ T5391] ? vfs_tmpfile+0x4b0/0x4b0 [ 130.879729][ T5391] ? _raw_spin_unlock+0x28/0x40 [ 130.884581][ T5391] ? alloc_fd+0x59c/0x640 [ 130.888912][ T5391] do_sys_openat2+0x13e/0x1d0 [ 130.893591][ T5391] ? do_sys_open+0x230/0x230 [ 130.898177][ T5391] ? lockdep_hardirqs_on+0x98/0x140 [ 130.903388][ T5391] ? _raw_spin_unlock_irq+0x2e/0x50 [ 130.908699][ T5391] ? ptrace_notify+0x278/0x380 [ 130.913469][ T5391] __x64_sys_open+0x225/0x270 [ 130.918153][ T5391] ? do_sys_openat2+0x1d0/0x1d0 [ 130.923008][ T5391] ? syscall_enter_from_user_mode+0x32/0x230 [ 130.929001][ T5391] ? syscall_enter_from_user_mode+0x8c/0x230 [ 130.934992][ T5391] do_syscall_64+0x41/0xc0 [ 130.939412][ T5391] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 130.945321][ T5391] RIP: 0033:0x7f012f71fa59 [ 130.949732][ T5391] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 130.969335][ T5391] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 130.977757][ T5391] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 130.985745][ T5391] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [pid 5391] <... open resumed>) = ? [pid 5391] +++ exited with 0 +++ [pid 5390] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5390, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./88", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./88", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555556d1c730 /* 4 entries */, 32768) = 112 umount2("./88/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./88/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./88/binderfs") = 0 [ 130.993712][ T5391] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 131.001682][ T5391] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [ 131.009647][ T5391] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 131.017648][ T5391] umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./88/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./88/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556d24770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556d24770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./88/file0") = 0 getdents64(3, 0x555556d1c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./88") = 0 mkdir("./89", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556d1b690) = 5394 ./strace-static-x86_64: Process 5394 attached [pid 5394] set_robust_list(0x555556d1b6a0, 24) = 0 [pid 5394] chdir("./89") = 0 [pid 5394] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5394] setpgid(0, 0) = 0 [pid 5394] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5394] write(3, "1000", 4) = 4 [pid 5394] close(3) = 0 [pid 5394] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5394] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5394] rt_sigaction(SIGRT_1, {sa_handler=0x7f012f745e70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f012f737020}, NULL, 8) = 0 [pid 5394] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5394] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012f6bc000 [pid 5394] mprotect(0x7f012f6bd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5394] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5394] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012f6dc990, parent_tid=0x7f012f6dc990, exit_signal=0, stack=0x7f012f6bc000, stack_size=0x20300, tls=0x7f012f6dc6c0} => {parent_tid=[5395]}, 88) = 5395 [pid 5394] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5394] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5394] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5395 attached [pid 5395] rseq(0x7f012f6dcfe0, 0x20, 0, 0x53053053) = 0 [pid 5395] set_robust_list(0x7f012f6dc9a0, 24) = 0 [pid 5395] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5395] memfd_create("syzkaller", 0) = 3 [pid 5395] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f01272bc000 [pid 5395] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5395] munmap(0x7f01272bc000, 16777216) = 0 [pid 5395] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5395] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5395] close(3) = 0 [pid 5395] mkdir("./file0", 0777) = 0 [ 131.319315][ T5395] loop0: detected capacity change from 0 to 32768 [ 131.330621][ T5395] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 131.338821][ T5395] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 131.348042][ T5395] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 131.357012][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 131.364143][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5395] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5395] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5395] chdir("./file0") = 0 [pid 5395] ioctl(4, LOOP_CLR_FD) = 0 [pid 5395] close(4) = 0 [pid 5395] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5394] <... futex resumed>) = 0 [pid 5394] futex(0x7f012f7b96a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5394] futex(0x7f012f7b96ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5395] <... futex resumed>) = 1 [ 131.398253][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 131.406659][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 131.412966][ T5395] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 131.430294][ T5395] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 131.438835][ T5395] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5395] open("./file0", O_RDWR [pid 5394] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5394] futex(0x7f012f7b96bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5394] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012829b000 [pid 5394] mprotect(0x7f012829c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5394] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5394] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f01282bb990, parent_tid=0x7f01282bb990, exit_signal=0, stack=0x7f012829b000, stack_size=0x20300, tls=0x7f01282bb6c0} => {parent_tid=[5397]}, 88) = 5397 [pid 5394] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5394] futex(0x7f012f7b96b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5394] futex(0x7f012f7b96bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5397 attached [pid 5397] rseq(0x7f01282bbfe0, 0x20, 0, 0x53053053) = 0 [pid 5397] set_robust_list(0x7f01282bb9a0, 24) = 0 [pid 5397] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 131.438835][ T5395] inode = 12 2341 [ 131.438835][ T5395] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 131.458261][ T5395] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 131.467955][ T5395] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5395 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 131.478700][ T5395] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 131.485888][ T5397] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5397] openat(AT_FDCWD, "./file2", O_RDONLY|O_NOCTTY|O_TRUNC [pid 5394] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5394] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5394] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f012827a000 [pid 5394] mprotect(0x7f012827b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5394] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5394] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f012829a990, parent_tid=0x7f012829a990, exit_signal=0, stack=0x7f012827a000, stack_size=0x20300, tls=0x7f012829a6c0} => {parent_tid=[5398]}, 88) = 5398 [pid 5394] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5394] futex(0x7f012f7b96c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 131.488446][ T5395] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 131.502873][ T5395] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 131.511827][ T5397] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 131.511866][ T5397] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5395 [syz-executor198] __gfs2_lookup+0xa4/0x270 [ 131.521106][ T5395] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 131.537778][ T5395] gfs2: fsid=syz:syz.0: File system withdrawn [ 131.544633][ T5395] CPU: 1 PID: 5395 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 131.555091][ T5395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 131.565498][ T5395] Call Trace: [ 131.568779][ T5395] [ 131.571709][ T5395] dump_stack_lvl+0x1e7/0x2d0 [ 131.576388][ T5395] ? nf_tcp_handle_invalid+0x650/0x650 [ 131.581847][ T5395] ? panic+0x770/0x770 [ 131.585923][ T5395] gfs2_withdraw+0xc94/0x11e0 [ 131.590613][ T5395] gfs2_dirent_scan+0x512/0x640 [ 131.595467][ T5395] ? gfs2_permission+0x268/0x3c0 [ 131.600415][ T5395] ? gfs2_dirent_search+0x8c0/0x8c0 [ 131.605705][ T5395] gfs2_dirent_search+0x30e/0x8c0 [ 131.610735][ T5395] ? gfs2_dirent_search+0x8c0/0x8c0 [ 131.615934][ T5395] ? generic_permission+0x1df/0x550 [ 131.621129][ T5395] ? gfs2_dir_search+0x2f0/0x2f0 [ 131.626074][ T5395] ? gfs2_permission+0x34a/0x3c0 [ 131.631017][ T5395] gfs2_dir_search+0xb2/0x2f0 [ 131.636068][ T5395] ? do_filldir_main+0x520/0x520 [ 131.641041][ T5395] ? inode_go_held+0xea/0x200 [ 131.645808][ T5395] ? gfs2_glock_wait+0x21a/0x2b0 [ 131.650761][ T5395] gfs2_lookupi+0x460/0x5d0 [ 131.655394][ T5395] ? gfs2_lookup_simple+0x180/0x180 [ 131.660702][ T5395] ? __gfs2_lookup+0xa4/0x270 [ 131.665481][ T5395] __gfs2_lookup+0xa4/0x270 [ 131.669988][ T5395] ? gfs2_atomic_open+0x230/0x230 [ 131.675030][ T5395] ? __d_lookup+0x675/0x730 [ 131.679532][ T5395] ? d_hash_and_lookup+0x1b0/0x1b0 [ 131.684645][ T5395] gfs2_atomic_open+0x9e/0x230 [ 131.689410][ T5395] path_openat+0x1044/0x3180 [ 131.694008][ T5395] ? gfs2_rename2+0x25a0/0x25a0 [ 131.698868][ T5395] ? do_filp_open+0x490/0x490 [ 131.703558][ T5395] do_filp_open+0x234/0x490 [ 131.708592][ T5395] ? vfs_tmpfile+0x4b0/0x4b0 [ 131.713288][ T5395] ? _raw_spin_unlock+0x28/0x40 [ 131.718140][ T5395] ? alloc_fd+0x59c/0x640 [ 131.722476][ T5395] do_sys_openat2+0x13e/0x1d0 [ 131.727240][ T5395] ? do_sys_open+0x230/0x230 [ 131.731829][ T5395] ? lockdep_hardirqs_on+0x98/0x140 [ 131.737115][ T5395] ? _raw_spin_unlock_irq+0x2e/0x50 [ 131.742312][ T5395] ? ptrace_notify+0x278/0x380 [ 131.747071][ T5395] __x64_sys_open+0x225/0x270 [ 131.751762][ T5395] ? do_sys_openat2+0x1d0/0x1d0 [ 131.756613][ T5395] ? syscall_enter_from_user_mode+0x32/0x230 [ 131.762596][ T5395] ? syscall_enter_from_user_mode+0x8c/0x230 [ 131.768575][ T5395] do_syscall_64+0x41/0xc0 [ 131.772986][ T5395] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 131.779141][ T5395] RIP: 0033:0x7f012f71fa59 [ 131.783553][ T5395] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 131.803157][ T5395] RSP: 002b:00007f012f6dc218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 131.811741][ T5395] RAX: ffffffffffffffda RBX: 00007f012f7b96a8 RCX: 00007f012f71fa59 [ 131.820056][ T5395] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000020000280 [ 131.828023][ T5395] RBP: 00007f012f7b96a0 R08: 0000000000000000 R09: 0000000000000000 [ 131.836104][ T5395] R10: 0000000000012557 R11: 0000000000000246 R12: 00007f012f7b96ac [pid 5394] futex(0x7f012f7b96cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5398 attached ) = -1 ETIMEDOUT (Connection timed out) [pid 5398] rseq(0x7f012829afe0, 0x20, 0, 0x53053053 [pid 5395] <... open resumed>) = -1 EIO (Input/output error) [pid 5398] <... rseq resumed>) = 0 [pid 5398] set_robust_list(0x7f012829a9a0, 24) = 0 [pid 5398] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5398] write(-1, NULL, 0) = -1 EBADF (Bad file descriptor) [pid 5398] futex(0x7f012f7b96cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5398] futex(0x7f012f7b96c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5395] futex(0x7f012f7b96ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 131.844172][ T5395] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 131.852154][ T5395] [ 131.858559][ T5397] general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] PREEMPT SMP KASAN [ 131.870330][ T5397] KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067] [ 131.878745][ T5397] CPU: 0 PID: 5397 Comm: syz-executor198 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 [ 131.889169][ T5397] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 131.899248][ T5397] RIP: 0010:gfs2_dump_glock+0xdcd/0x1ad0 [ 131.905244][ T5397] Code: 05 22 3c cc 0a 01 48 c7 c7 40 fe 4c 8b be ef 02 00 00 48 c7 c2 80 fe 4c 8b e8 6f 89 b4 fd 4d 8d 74 24 20 4d 89 f5 49 c1 ed 03 <43> 0f b6 44 3d 00 84 c0 0f 85 f1 06 00 00 41 0f b7 1e 89 de 81 e6 [ 131.924846][ T5397] RSP: 0018:ffffc9000421f160 EFLAGS: 00010207 [ 131.930906][ T5397] RAX: ffffffff83b742b9 RBX: 0000000000000001 RCX: ffff88802c0e0000 [ 131.938971][ T5397] RDX: 0000000000000000 RSI: ffffffff8b58adc0 RDI: ffffffff8b58ad80 [pid 5395] futex(0x7f012f7b96a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5394] exit_group(0 [pid 5398] <... futex resumed>) = ? [pid 5395] <... futex resumed>) = ? [pid 5394] <... exit_group resumed>) = ? [pid 5398] +++ exited with 0 +++ [pid 5395] +++ exited with 0 +++ [ 131.947034][ T5397] RBP: ffffc9000421f450 R08: ffffffff83b742a7 R09: 1ffffffff20f6860 [ 131.954994][ T5397] R10: dffffc0000000000 R11: fffffbfff20f6861 R12: 0000000000000046 [ 131.962963][ T5397] R13: 000000000000000c R14: 0000000000000066 R15: dffffc0000000000 [ 131.970932][ T5397] FS: 00007f01282bb6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 [ 131.980058][ T5397] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 131.986735][ T5397] CR2: 00007f012829ad58 CR3: 000000007ce43000 CR4: 00000000003506f0 [ 131.994717][ T5397] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 132.002677][ T5397] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 132.010647][ T5397] Call Trace: [ 132.013921][ T5397] [ 132.016854][ T5397] ? __die_body+0x5e/0xa0 [ 132.021177][ T5397] ? die_addr+0x99/0xc0 [ 132.025326][ T5397] ? exc_general_protection+0x3c2/0x5b0 [ 132.030867][ T5397] ? asm_exc_general_protection+0x26/0x30 [ 132.036579][ T5397] ? gfs2_dump_glock+0xd57/0x1ad0 [ 132.041592][ T5397] ? gfs2_dump_glock+0xd69/0x1ad0 [ 132.046603][ T5397] ? gfs2_dump_glock+0xdcd/0x1ad0 [ 132.051620][ T5397] ? gfs2_glock_free+0xe60/0xe60 [ 132.056545][ T5397] ? llist_add_batch+0x143/0x270 [ 132.061474][ T5397] ? preempt_schedule+0xdd/0xf0 [ 132.066406][ T5397] ? gfs2_dirent_scan+0xb2/0x640 [ 132.071334][ T5397] ? panic+0x770/0x770 [ 132.075402][ T5397] gfs2_consist_inode_i+0xf5/0x110 [ 132.080517][ T5397] gfs2_dirent_scan+0x512/0x640 [ 132.085359][ T5397] ? gfs2_permission+0x268/0x3c0 [ 132.090732][ T5397] ? gfs2_dirent_search+0x8c0/0x8c0 [ 132.095931][ T5397] gfs2_dirent_search+0x30e/0x8c0 [ 132.101383][ T5397] ? gfs2_dirent_search+0x8c0/0x8c0 [ 132.106567][ T5397] ? generic_permission+0x1df/0x550 [ 132.116970][ T5397] ? gfs2_dir_search+0x2f0/0x2f0 [ 132.121992][ T5397] ? gfs2_permission+0x34a/0x3c0 [ 132.127049][ T5397] gfs2_dir_search+0xb2/0x2f0 [ 132.131731][ T5397] ? do_filldir_main+0x520/0x520 [ 132.137019][ T5397] ? inode_go_held+0xea/0x200 [ 132.141693][ T5397] ? gfs2_glock_wait+0x21a/0x2b0 [ 132.146713][ T5397] gfs2_lookupi+0x460/0x5d0 [ 132.151210][ T5397] ? gfs2_lookup_simple+0x180/0x180 [ 132.156398][ T5397] ? __gfs2_lookup+0xa4/0x270 [ 132.161063][ T5397] __gfs2_lookup+0xa4/0x270 [ 132.165562][ T5397] ? gfs2_atomic_open+0x230/0x230 [ 132.170611][ T5397] ? __d_lookup+0x675/0x730 [ 132.175199][ T5397] ? d_hash_and_lookup+0x1b0/0x1b0 [ 132.180303][ T5397] gfs2_atomic_open+0x9e/0x230 [ 132.185507][ T5397] path_openat+0x1044/0x3180 [ 132.190095][ T5397] ? gfs2_rename2+0x25a0/0x25a0 [ 132.194941][ T5397] ? do_filp_open+0x490/0x490 [ 132.199615][ T5397] do_filp_open+0x234/0x490 [ 132.204207][ T5397] ? vfs_tmpfile+0x4b0/0x4b0 [ 132.208808][ T5397] ? _raw_spin_unlock+0x28/0x40 [ 132.213656][ T5397] ? alloc_fd+0x59c/0x640 [ 132.217984][ T5397] do_sys_openat2+0x13e/0x1d0 [ 132.222660][ T5397] ? do_sys_open+0x230/0x230 [ 132.227341][ T5397] ? lockdep_hardirqs_on+0x98/0x140 [ 132.232626][ T5397] ? _raw_spin_unlock_irq+0x2e/0x50 [ 132.237827][ T5397] ? ptrace_notify+0x278/0x380 [ 132.242579][ T5397] __x64_sys_openat+0x247/0x290 [ 132.247427][ T5397] ? __ia32_sys_open+0x270/0x270 [ 132.252367][ T5397] ? syscall_enter_from_user_mode+0x32/0x230 [ 132.258350][ T5397] ? syscall_enter_from_user_mode+0x8c/0x230 [ 132.264602][ T5397] do_syscall_64+0x41/0xc0 [ 132.269008][ T5397] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 132.274897][ T5397] RIP: 0033:0x7f012f71fa59 [ 132.279309][ T5397] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 132.298932][ T5397] RSP: 002b:00007f01282bb218 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 132.307353][ T5397] RAX: ffffffffffffffda RBX: 00007f012f7b96b8 RCX: 00007f012f71fa59 [ 132.315326][ T5397] RDX: 0000000000000300 RSI: 0000000020000540 RDI: 00000000ffffff9c [ 132.323293][ T5397] RBP: 00007f012f7b96b0 R08: 00007ffd5690c897 R09: 0000000000000000 [ 132.331276][ T5397] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f012f7b96bc [ 132.339273][ T5397] R13: 0030656c69662f2e R14: 00007f012f7740c0 R15: 0032656c69662f2e [ 132.347250][ T5397] [ 132.350257][ T5397] Modules linked in: [ 132.354503][ T5397] ---[ end trace 0000000000000000 ]--- [ 132.360012][ T5397] RIP: 0010:gfs2_dump_glock+0xdcd/0x1ad0 [ 132.366188][ T5397] Code: 05 22 3c cc 0a 01 48 c7 c7 40 fe 4c 8b be ef 02 00 00 48 c7 c2 80 fe 4c 8b e8 6f 89 b4 fd 4d 8d 74 24 20 4d 89 f5 49 c1 ed 03 <43> 0f b6 44 3d 00 84 c0 0f 85 f1 06 00 00 41 0f b7 1e 89 de 81 e6 [ 132.387355][ T5397] RSP: 0018:ffffc9000421f160 EFLAGS: 00010207 [ 132.393476][ T5397] RAX: ffffffff83b742b9 RBX: 0000000000000001 RCX: ffff88802c0e0000 [ 132.402019][ T5397] RDX: 0000000000000000 RSI: ffffffff8b58adc0 RDI: ffffffff8b58ad80 [ 132.410144][ T5397] RBP: ffffc9000421f450 R08: ffffffff83b742a7 R09: 1ffffffff20f6860 [ 132.418205][ T5397] R10: dffffc0000000000 R11: fffffbfff20f6861 R12: 0000000000000046 [ 132.426219][ T5397] R13: 000000000000000c R14: 0000000000000066 R15: dffffc0000000000 [ 132.434391][ T5397] FS: 00007f01282bb6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 [ 132.444316][ T5397] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 132.451224][ T5397] CR2: 00007f012829ad58 CR3: 000000007ce43000 CR4: 00000000003506f0 [ 132.459408][ T5397] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 132.467409][ T5397] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 132.475438][ T5397] Kernel panic - not syncing: Fatal exception [ 132.481728][ T5397] Kernel Offset: disabled [ 132.486047][ T5397] Rebooting in 86400 seconds..