./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1786127383 <...> Warning: Permanently added '10.128.1.86' (ED25519) to the list of known hosts. execve("./syz-executor1786127383", ["./syz-executor1786127383"], 0x7ffebbe41d10 /* 10 vars */) = 0 brk(NULL) = 0x55555658c000 brk(0x55555658cd40) = 0x55555658cd40 arch_prctl(ARCH_SET_FS, 0x55555658c3c0) = 0 set_tid_address(0x55555658c690) = 5041 set_robust_list(0x55555658c6a0, 24) = 0 rseq(0x55555658cce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1786127383", 4096) = 28 getrandom("\x3e\xff\x01\x58\x00\x17\x6c\x73", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555658cd40 brk(0x5555565add40) = 0x5555565add40 brk(0x5555565ae000) = 0x5555565ae000 mprotect(0x7f91260b6000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555658c690) = 5042 ./strace-static-x86_64: Process 5042 attached [pid 5042] set_robust_list(0x55555658c6a0, 24) = 0 [pid 5042] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5042] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 5042] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4 [pid 5042] dup2(4, 202) = 202 [pid 5042] close(4) = 0 [pid 5042] write(202, "\xff\x00", 2) = 2 [pid 5042] read(202, "\x01\x03\x0c\x00", 4) = 4 [pid 5042] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7 [pid 5042] read(202, "\xff\x00\x00\x00", 4) = 4 [pid 5042] rt_sigaction(SIGRT_1, {sa_handler=0x7f912603ca90, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f912602e140}, NULL, 8) = 0 [pid 5042] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5042] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f91257d1000 [pid 5042] mprotect(0x7f91257d2000, 8388608, PROT_READ|PROT_WRITE) = 0 [pid 5042] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5042] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9125fd1990, parent_tid=0x7f9125fd1990, exit_signal=0, stack=0x7f91257d1000, stack_size=0x800300, tls=0x7f9125fd16c0}./strace-static-x86_64: Process 5045 attached => {parent_tid=[2]}, 88) = 2 [pid 5045] rseq(0x7f9125fd1fe0, 0x20, 0, 0x53053053) = 0 [pid 5045] set_robust_list(0x7f9125fd19a0, 24) = 0 [pid 5045] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5042] rt_sigprocmask(SIG_SETMASK, [], [pid 5045] read(202, [pid 5042] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5045] <... read resumed>"\x01\x03\x10\x00", 1024) = 4 [pid 5042] ioctl(3, HCIDEVUP [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5045] read(202, "\x01\x01\x10\x00", 1024) = 4 [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5045] read(202, "\x01\x09\x10\x00", 1024) = 4 [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13 [pid 5045] read(202, "\x01\x05\x10\x00", 1024) = 4 [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14 [pid 5045] read(202, "\x01\x23\x0c\x00", 1024) = 4 [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5045] read(202, "\x01\x14\x0c\x00", 1024) = 4 [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5045] read(202, "\x01\x25\x0c\x00", 1024) = 4 [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5045] read(202, "\x01\x38\x0c\x00", 1024) = 4 [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5045] read(202, "\x01\x39\x0c\x00", 1024) = 4 [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5045] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6 [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5045] read(202, [pid 5042] <... ioctl resumed>, 0) = -1 EALREADY (Operation already in progress) [pid 5042] ioctl(3, HCISETSCAN [pid 5045] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5 [pid 5045] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7 [pid 5045] rt_sigprocmask(SIG_BLOCK, ~[RT_1], [pid 5042] <... ioctl resumed>, 0x7fff8cb9e208) = 0 [pid 5045] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5045] madvise(0x7f91257d1000, 8372224, MADV_DONTNEED [pid 5042] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3 [pid 5045] <... madvise resumed>) = 0 [pid 5042] <... writev resumed>) = 13 [pid 5042] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3 [pid 5045] exit(0 [pid 5042] <... writev resumed>) = 14 [pid 5042] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3 [pid 5045] <... exit resumed>) = ? [pid 5045] +++ exited with 0 +++ [pid 5042] <... writev resumed>) = 14 [pid 5042] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22 [pid 5042] close(3) = 0 [pid 5042] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5042] setsid() = 1 [pid 5042] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5042] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5042] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5042] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5042] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5042] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5042] unshare(CLONE_NEWNS) = 0 [pid 5042] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5042] unshare(CLONE_NEWIPC) = 0 [pid 5042] unshare(CLONE_NEWCGROUP) = 0 [pid 5042] unshare(CLONE_NEWUTS) = 0 [pid 5042] unshare(CLONE_SYSVSEM) = 0 [pid 5042] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "16777216", 8) = 8 [pid 5042] close(3) = 0 [pid 5042] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "536870912", 9) = 9 [pid 5042] close(3) = 0 [pid 5042] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "1024", 4) = 4 [pid 5042] close(3) = 0 [pid 5042] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "8192", 4) = 4 [pid 5042] close(3) = 0 [pid 5042] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "1024", 4) = 4 [pid 5042] close(3) = 0 [pid 5042] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "1024", 4) = 4 [pid 5042] close(3) = 0 [pid 5042] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5042] close(3) = 0 [pid 5042] getpid() = 1 [pid 5042] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< 9 [ 70.756361][ T51] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 70.765949][ T51] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 70.774593][ T51] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 70.782625][ T51] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [pid 5042] unshare(CLONE_NEWNET) = 0 [pid 5042] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "0 65535", 7) = 7 [pid 5042] close(3) = 0 [pid 5042] openat(AT_FDCWD, "/dev/net/tun", O_RDWR|O_NONBLOCK) = 3 [pid 5042] dup2(3, 200) = 200 [pid 5042] close(3) = 0 [pid 5042] ioctl(200, TUNSETIFF, 0x7fff8cb9e240) = 0 [pid 5042] openat(AT_FDCWD, "/proc/sys/net/ipv6/conf/syz_tun/accept_dad", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "0", 1) = 1 [pid 5042] close(3) = 0 [pid 5042] openat(AT_FDCWD, "/proc/sys/net/ipv6/conf/syz_tun/router_solicitations", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "0", 1) = 1 [pid 5042] close(3) = 0 [pid 5042] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3 [pid 5042] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 [pid 5042] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0 [pid 5042] close(4) = 0 [pid 5042] sendto(3, [{nlmsg_len=40, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}, "\x02\x18\x00\x00\x0b\x00\x00\x00\x08\x00\x02\x00\xac\x14\x14\xaa\x08\x00\x01\x00\xac\x14\x14\xaa"], 40, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 40 [pid 5042] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=40, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5042] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 [pid 5042] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0 [pid 5042] close(4) = 0 [pid 5042] sendto(3, [{nlmsg_len=64, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}, "\x0a\x78\x00\x00\x0b\x00\x00\x00\x14\x00\x02\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x14\x00\x01\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa"], 64, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 64 [pid 5042] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=64, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5042] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 [pid 5042] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0 [pid 5042] close(4) = 0 [pid 5042] sendto(3, [{nlmsg_len=48, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}, "\x02\x00\x00\x00\x0b\x00\x00\x00\x80\x00\x00\x00\x08\x00\x01\x00\xac\x14\x14\xbb\x0a\x00\x02\x00\xbb\xaa\xaa\xaa\xaa\xaa\x00\x00"], 48, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 48 [pid 5042] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=48, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5042] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 [pid 5042] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0 [pid 5042] close(4) = 0 [pid 5042] sendto(3, [{nlmsg_len=60, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}, "\x0a\x00\x00\x00\x0b\x00\x00\x00\x80\x00\x00\x00\x14\x00\x01\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbb\x0a\x00\x02\x00\xbb\xaa\xaa\xaa\xaa\xaa\x00\x00"], 60, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 60 [pid 5042] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=60, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5042] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 [pid 5042] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0 [pid 5042] close(4) = 0 [pid 5042] sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0a\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 [pid 5042] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5042] close(3) = 0 [pid 5042] mkdir("/dev/binderfs", 0777) = 0 [pid 5042] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0 [pid 5042] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5042] memfd_create("syzkaller", 0) = 3 [pid 5042] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f911d3d1000 [pid 5042] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x08\x01\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x03\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\xff\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\xbb\x02\x87\x1c\xc7\xbb\xb3\x5e\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5042] munmap(0x7f911d3d1000, 2097152) = 0 [pid 5042] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5042] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5042] close(3) = 0 [pid 5042] mkdir("./file0", 0777) = 0 [ 70.899639][ T5042] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5042 'syz-executor178' [ 70.937136][ T5042] loop0: detected capacity change from 0 to 4096 [pid 5042] mount("/dev/loop0", "./file0", "ntfs3", MS_NOEXEC|MS_SYNCHRONOUS|MS_REC|MS_STRICTATIME, "") = 0 [pid 5042] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5042] chdir("./file0") = 0 [pid 5042] ioctl(4, LOOP_CLR_FD) = 0 [pid 5042] close(4) = 0 [pid 5042] openat(AT_FDCWD, "blkio.bfq.io_queued_recursive", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 5042] open(".", O_RDONLY) = 5 [pid 5042] fcntl(5, F_NOTIFY, DN_ACCESS|DN_DELETE|DN_ATTRIB) = 0 [pid 5042] openat(AT_FDCWD, ".", O_RDONLY) = 6 [pid 5042] fdatasync(6) = -1 EINVAL (Invalid argument) [pid 5042] fchmod(6, 000) = 0 [pid 5042] close(3) = 0 [pid 5042] close(4) = 0 [pid 5042] close(5) = 0 [pid 5042] close(6) = 0 [pid 5042] close(7) = -1 EBADF (Bad file descriptor) [pid 5042] close(8) = -1 EBADF (Bad file descriptor) [pid 5042] close(9) = -1 EBADF (Bad file descriptor) [pid 5042] close(10) = -1 EBADF (Bad file descriptor) [pid 5042] close(11) = -1 EBADF (Bad file descriptor) [pid 5042] close(12) = -1 EBADF (Bad file descriptor) [pid 5042] close(13) = -1 EBADF (Bad file descriptor) [pid 5042] close(14) = -1 EBADF (Bad file descriptor) [pid 5042] close(15) = -1 EBADF (Bad file descriptor) [pid 5042] close(16) = -1 EBADF (Bad file descriptor) [pid 5042] close(17) = -1 EBADF (Bad file descriptor) [pid 5042] close(18) = -1 EBADF (Bad file descriptor) [pid 5042] close(19) = -1 EBADF (Bad file descriptor) [pid 5042] close(20) = -1 EBADF (Bad file descriptor) [pid 5042] close(21) = -1 EBADF (Bad file descriptor) [pid 5042] close(22) = -1 EBADF (Bad file descriptor) [pid 5042] close(23) = -1 EBADF (Bad file descriptor) [pid 5042] close(24) = -1 EBADF (Bad file descriptor) [pid 5042] close(25) = -1 EBADF (Bad file descriptor) [pid 5042] close(26) = -1 EBADF (Bad file descriptor) [pid 5042] close(27) = -1 EBADF (Bad file descriptor) [pid 5042] close(28) = -1 EBADF (Bad file descriptor) [pid 5042] close(29) = -1 EBADF (Bad file descriptor) [pid 5042] exit_group(1) = ? [ 70.946113][ T5042] ntfs3: loop0: Different NTFS sector size (2048) and media sector size (512). [ 70.959609][ T5042] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 70.982024][ T5042] ntfs3: loop0: ino=5, "/" ntfs3_write_inode failed, -22. [ 70.989849][ T5042] ntfs3: loop0: ino=5, "/" attr_set_size [ 71.047975][ T2910] ------------[ cut here ]------------ [ 71.053463][ T2910] kernel BUG at fs/notify/dnotify/dnotify.c:136! [ 71.060897][ T2910] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 71.066993][ T2910] CPU: 1 PID: 2910 Comm: kworker/u4:12 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0 [ 71.076717][ T2910] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 71.086756][ T2910] Workqueue: events_unbound fsnotify_mark_destroy_workfn [ 71.093776][ T2910] RIP: 0010:dnotify_free_mark+0x4f/0x60 [ 71.099313][ T2910] Code: 80 3c 02 00 75 26 48 83 bb 80 00 00 00 00 75 15 e8 a6 07 88 ff 48 89 de 48 8b 3d 04 b4 ad 0c 5b e9 76 eb dc ff e8 91 07 88 ff <0f> 0b e8 8a 44 dd ff eb d3 0f 1f 84 00 00 00 00 00 41 55 49 89 fd [ 71.118905][ T2910] RSP: 0018:ffffc9000bf17c30 EFLAGS: 00010293 [ 71.124952][ T2910] RAX: 0000000000000000 RBX: ffff88807c5ea000 RCX: 0000000000000000 [ 71.132912][ T2910] RDX: ffff8880276e5940 RSI: ffffffff81ffbfef RDI: ffff88807c5ea080 [ 71.140867][ T2910] RBP: dffffc0000000000 R08: 1ffff920017e2f91 R09: 0000000000000000 [ 71.148826][ T2910] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8881412be800 [ 71.156780][ T2910] R13: ffffc9000bf17c70 R14: ffff88807c5ea010 R15: ffff88807c5ea018 [ 71.164736][ T2910] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 71.173656][ T2910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 71.180228][ T2910] CR2: 000055928150bf08 CR3: 0000000025a60000 CR4: 00000000003506e0 [ 71.188188][ T2910] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 71.196143][ T2910] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 71.204109][ T2910] Call Trace: [ 71.207379][ T2910] [ 71.210296][ T2910] ? show_regs+0x8f/0xa0 [ 71.214528][ T2910] ? die+0x36/0xa0 [ 71.218242][ T2910] ? do_trap+0x22b/0x420 [ 71.222476][ T2910] ? dnotify_free_mark+0x4f/0x60 [ 71.227408][ T2910] ? dnotify_free_mark+0x4f/0x60 [ 71.232333][ T2910] ? do_error_trap+0xf4/0x230 [ 71.237002][ T2910] ? dnotify_free_mark+0x4f/0x60 [ 71.241932][ T2910] ? handle_invalid_op+0x34/0x40 [ 71.246862][ T2910] ? dnotify_free_mark+0x4f/0x60 [ 71.251787][ T2910] ? exc_invalid_op+0x2d/0x40 [ 71.256489][ T2910] ? asm_exc_invalid_op+0x1a/0x20 [ 71.261517][ T2910] ? dnotify_free_mark+0x4f/0x60 [ 71.266448][ T2910] ? dnotify_free_mark+0x4f/0x60 [ 71.271379][ T2910] fsnotify_mark_destroy_workfn+0x249/0x3e0 [ 71.277274][ T2910] ? __schedule+0xee9/0x59f0 [ 71.281858][ T2910] ? fsnotify_put_mark_wake.part.0+0xe0/0xe0 [ 71.287836][ T2910] ? spin_bug+0x1d0/0x1d0 [ 71.292159][ T2910] ? rcu_is_watching+0x12/0xb0 [ 71.296911][ T2910] process_one_work+0x887/0x15d0 [ 71.301842][ T2910] ? lock_sync+0x190/0x190 [ 71.306258][ T2910] ? init_worker_pool+0x770/0x770 [ 71.311273][ T2910] ? assign_work+0x1a0/0x240 [ 71.315857][ T2910] worker_thread+0x8bb/0x1290 [ 71.320699][ T2910] ? __kthread_parkme+0x152/0x220 [ 71.325710][ T2910] ? process_one_work+0x15d0/0x15d0 [ 71.330897][ T2910] kthread+0x33a/0x430 [ 71.334955][ T2910] ? kthread_complete_and_exit+0x40/0x40 [ 71.340573][ T2910] ret_from_fork+0x45/0x80 [ 71.344974][ T2910] ? kthread_complete_and_exit+0x40/0x40 [ 71.350599][ T2910] ret_from_fork_asm+0x11/0x20 [ 71.355357][ T2910] [ 71.358360][ T2910] Modules linked in: [ 71.363720][ T2910] ---[ end trace 0000000000000000 ]--- [ 71.369648][ T2910] RIP: 0010:dnotify_free_mark+0x4f/0x60 [ 71.375226][ T2910] Code: 80 3c 02 00 75 26 48 83 bb 80 00 00 00 00 75 15 e8 a6 07 88 ff 48 89 de 48 8b 3d 04 b4 ad 0c 5b e9 76 eb dc ff e8 91 07 88 ff <0f> 0b e8 8a 44 dd ff eb d3 0f 1f 84 00 00 00 00 00 41 55 49 89 fd [ 71.395232][ T2910] RSP: 0018:ffffc9000bf17c30 EFLAGS: 00010293 [ 71.402114][ T2910] RAX: 0000000000000000 RBX: ffff88807c5ea000 RCX: 0000000000000000 [ 71.410110][ T2910] RDX: ffff8880276e5940 RSI: ffffffff81ffbfef RDI: ffff88807c5ea080 [ 71.418099][ T2910] RBP: dffffc0000000000 R08: 1ffff920017e2f91 R09: 0000000000000000 [ 71.426085][ T2910] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8881412be800 [ 71.434059][ T2910] R13: ffffc9000bf17c70 R14: ffff88807c5ea010 R15: ffff88807c5ea018 [ 71.442043][ T2910] FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 [ 71.450994][ T2910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 71.457595][ T2910] CR2: 000055928150ff88 CR3: 000000000c776000 CR4: 00000000003506f0 [ 71.465708][ T2910] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 71.473678][ T2910] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 71.481676][ T2910] Kernel panic - not syncing: Fatal exception [ 71.487975][ T2910] Kernel Offset: disabled [ 71.492297][ T2910] Rebooting in 86400 seconds..