./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1235923140 <...> Warning: Permanently added '10.128.0.234' (ED25519) to the list of known hosts. execve("./syz-executor1235923140", ["./syz-executor1235923140"], 0x7fff0ccc9b90 /* 10 vars */) = 0 brk(NULL) = 0x555555d28000 brk(0x555555d28d00) = 0x555555d28d00 arch_prctl(ARCH_SET_FS, 0x555555d28380) = 0 set_tid_address(0x555555d28650) = 295 set_robust_list(0x555555d28660, 24) = 0 rseq(0x555555d28ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1235923140", 4096) = 28 getrandom("\x63\x8f\x8b\x20\x39\x6a\x95\x8b", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555555d28d00 brk(0x555555d49d00) = 0x555555d49d00 brk(0x555555d4a000) = 0x555555d4a000 mprotect(0x7f9b3a7bd000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.laXM0P", 0700) = 0 chmod("./syzkaller.laXM0P", 0777) = 0 chdir("./syzkaller.laXM0P") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 297 attached [pid 297] set_robust_list(0x555555d28660, 24 [pid 295] <... clone resumed>, child_tidptr=0x555555d28650) = 297 [pid 297] <... set_robust_list resumed>) = 0 [pid 297] chdir("./0") = 0 [pid 297] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 297] setpgid(0, 0) = 0 [pid 297] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 297] write(3, "1000", 4) = 4 [pid 297] close(3) = 0 [pid 297] symlink("/dev/binderfs", "./binderfs") = 0 [pid 297] memfd_create("syzkaller", 0) = 3 [pid 297] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9b3230a000 [pid 297] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 297] munmap(0x7f9b3230a000, 262144) = 0 [pid 297] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 297] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 297] close(3) = 0 [ 23.941853][ T28] audit: type=1400 audit(1694361001.072:66): avc: denied { execmem } for pid=295 comm="syz-executor123" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 23.961467][ T28] audit: type=1400 audit(1694361001.072:67): avc: denied { read write } for pid=295 comm="syz-executor123" name="loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 23.975187][ T297] loop0: detected capacity change from 0 to 512 [pid 297] mkdir("./file1", 0777) = 0 [ 23.986981][ T28] audit: type=1400 audit(1694361001.072:68): avc: denied { open } for pid=295 comm="syz-executor123" path="/dev/loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 24.016150][ T28] audit: type=1400 audit(1694361001.072:69): avc: denied { ioctl } for pid=295 comm="syz-executor123" path="/dev/loop0" dev="devtmpfs" ino=114 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 24.025170][ T297] EXT4-fs (loop0): 1 orphan inode deleted [ 24.043920][ T28] audit: type=1400 audit(1694361001.122:70): avc: denied { mounton } for pid=297 comm="syz-executor123" path="/root/syzkaller.laXM0P/0/file1" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 24.047985][ T297] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.081008][ T297] ext4 filesystem being mounted at /root/syzkaller.laXM0P/0/file1 supports timestamps until 2038 (0x7fffffff) [pid 297] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 297] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 297] chdir("./file1") = 0 [pid 297] ioctl(4, LOOP_CLR_FD) = 0 [pid 297] close(4) = 0 [pid 297] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 297] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 167936 [pid 297] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 297] preadv(4, 0x200015c0, 1, 0) = 167808 [pid 297] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 297] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 297] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 297] write(6, 0x20000700, 34136651) = 166144 [pid 297] exit_group(0) = ? [pid 297] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=297, si_uid=0, si_status=0, si_utime=0, si_stime=7} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555d296f0 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 [ 24.081070][ T28] audit: type=1400 audit(1694361001.212:71): avc: denied { mount } for pid=297 comm="syz-executor123" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 24.114258][ T28] audit: type=1400 audit(1694361001.232:72): avc: denied { write } for pid=297 comm="syz-executor123" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 24.117065][ T8] EXT4-fs error (device loop0): ext4_map_blocks:731: inode #16: block 41: comm kworker/u4:0: lblock 0 mapped to illegal pblock 41 (length 16) [ 24.136928][ T28] audit: type=1400 audit(1694361001.232:73): avc: denied { add_name } for pid=297 comm="syz-executor123" name="memory.current" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 24.150992][ T8] EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117 [ 24.172691][ T28] audit: type=1400 audit(1694361001.232:74): avc: denied { create } for pid=297 comm="syz-executor123" name="memory.current" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 24.205807][ T8] EXT4-fs (loop0): This should not happen!! Data will be lost [ 24.205807][ T8] [ 24.206316][ T28] audit: type=1400 audit(1694361001.232:75): avc: denied { read append open } for pid=297 comm="syz-executor123" path="/root/syzkaller.laXM0P/0/file1/memory.current" dev="loop0" ino=16 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555d31730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555d31730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file1") = 0 getdents64(3, 0x555555d296f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d28650) = 303 ./strace-static-x86_64: Process 303 attached [pid 303] set_robust_list(0x555555d28660, 24) = 0 [pid 303] chdir("./1") = 0 [pid 303] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 303] setpgid(0, 0) = 0 [pid 303] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 303] write(3, "1000", 4) = 4 [pid 303] close(3) = 0 [pid 303] symlink("/dev/binderfs", "./binderfs") = 0 [pid 303] memfd_create("syzkaller", 0) = 3 [pid 303] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9b3230a000 [pid 303] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 303] munmap(0x7f9b3230a000, 262144) = 0 [pid 303] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 303] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 303] close(3) = 0 [pid 303] mkdir("./file1", 0777) = 0 [ 24.217811][ T295] EXT4-fs (loop0): unmounting filesystem. [ 24.252617][ T295] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Out of memory [ 24.261708][ T295] EXT4-fs error (device loop0): ext4_quota_off:7027: inode #3: comm syz-executor123: mark_inode_dirty error [ 24.285989][ T303] loop0: detected capacity change from 0 to 512 [pid 303] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 303] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 303] chdir("./file1") = 0 [pid 303] ioctl(4, LOOP_CLR_FD) = 0 [pid 303] close(4) = 0 [pid 303] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 303] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 167936 [pid 303] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 303] preadv(4, 0x200015c0, 1, 0) = 167808 [pid 303] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 303] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 303] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 303] write(6, 0x20000700, 34136651) = 166144 [pid 303] exit_group(0) = ? [pid 303] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=303, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555d296f0 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 [ 24.304821][ T303] EXT4-fs (loop0): 1 orphan inode deleted [ 24.310449][ T303] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.319491][ T303] ext4 filesystem being mounted at /root/syzkaller.laXM0P/1/file1 supports timestamps until 2038 (0x7fffffff) [ 24.351341][ T43] EXT4-fs error (device loop0): ext4_map_blocks:731: inode #16: block 41: comm kworker/u4:2: lblock 0 mapped to illegal pblock 41 (length 16) [ 24.366121][ T43] EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117 [ 24.378895][ T43] EXT4-fs (loop0): This should not happen!! Data will be lost [ 24.378895][ T43] [ 24.389605][ T295] EXT4-fs (loop0): unmounting filesystem. umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555d31730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555d31730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file1") = 0 getdents64(3, 0x555555d296f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d28650) = 306 ./strace-static-x86_64: Process 306 attached [pid 306] set_robust_list(0x555555d28660, 24) = 0 [pid 306] chdir("./2") = 0 [pid 306] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 306] setpgid(0, 0) = 0 [pid 306] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 306] write(3, "1000", 4) = 4 [pid 306] close(3) = 0 [pid 306] symlink("/dev/binderfs", "./binderfs") = 0 [pid 306] memfd_create("syzkaller", 0) = 3 [pid 306] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9b3230a000 [pid 306] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 306] munmap(0x7f9b3230a000, 262144) = 0 [pid 306] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 24.412773][ T295] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Out of memory [ 24.421812][ T295] EXT4-fs error (device loop0): ext4_quota_off:7027: inode #3: comm syz-executor123: mark_inode_dirty error [pid 306] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 306] close(3) = 0 [pid 306] mkdir("./file1", 0777) = 0 [pid 306] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 306] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 306] chdir("./file1") = 0 [pid 306] ioctl(4, LOOP_CLR_FD) = 0 [pid 306] close(4) = 0 [pid 306] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 306] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 167936 [pid 306] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 306] preadv(4, 0x200015c0, 1, 0) = 167808 [pid 306] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 306] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 306] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 306] write(6, 0x20000700, 34136651) = 166144 [pid 306] exit_group(0) = ? [pid 306] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=306, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555d296f0 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 [ 24.458155][ T306] loop0: detected capacity change from 0 to 512 [ 24.474860][ T306] EXT4-fs (loop0): 1 orphan inode deleted [ 24.480469][ T306] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.489740][ T306] ext4 filesystem being mounted at /root/syzkaller.laXM0P/2/file1 supports timestamps until 2038 (0x7fffffff) [ 24.527138][ T43] EXT4-fs error (device loop0): ext4_map_blocks:731: inode #16: block 41: comm kworker/u4:2: lblock 0 mapped to illegal pblock 41 (length 16) [ 24.541844][ T43] EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117 [ 24.554869][ T43] EXT4-fs (loop0): This should not happen!! Data will be lost [ 24.554869][ T43] [ 24.565676][ T295] EXT4-fs (loop0): unmounting filesystem. umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555d31730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555d31730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file1") = 0 getdents64(3, 0x555555d296f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d28650) = 309 ./strace-static-x86_64: Process 309 attached [pid 309] set_robust_list(0x555555d28660, 24) = 0 [pid 309] chdir("./3") = 0 [pid 309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 309] setpgid(0, 0) = 0 [pid 309] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 309] write(3, "1000", 4) = 4 [pid 309] close(3) = 0 [pid 309] symlink("/dev/binderfs", "./binderfs") = 0 [pid 309] memfd_create("syzkaller", 0) = 3 [pid 309] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9b3230a000 [pid 309] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 309] munmap(0x7f9b3230a000, 262144) = 0 [pid 309] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 309] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 309] close(3) = 0 [pid 309] mkdir("./file1", 0777) = 0 [ 24.572771][ T295] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Out of memory [ 24.582944][ T295] EXT4-fs error (device loop0): ext4_quota_off:7027: inode #3: comm syz-executor123: mark_inode_dirty error [ 24.610979][ T309] loop0: detected capacity change from 0 to 512 [pid 309] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 309] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 309] chdir("./file1") = 0 [pid 309] ioctl(4, LOOP_CLR_FD) = 0 [pid 309] close(4) = 0 [pid 309] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 309] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 167936 [pid 309] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 309] preadv(4, 0x200015c0, 1, 0) = 167808 [pid 309] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 309] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 309] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 309] write(6, 0x20000700, 34136651) = 166144 [pid 309] exit_group(0) = ? [pid 309] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=309, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555d296f0 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 [ 24.634695][ T309] EXT4-fs (loop0): 1 orphan inode deleted [ 24.640414][ T309] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.649260][ T309] ext4 filesystem being mounted at /root/syzkaller.laXM0P/3/file1 supports timestamps until 2038 (0x7fffffff) [ 24.683526][ T43] EXT4-fs error (device loop0): ext4_map_blocks:731: inode #16: block 41: comm kworker/u4:2: lblock 0 mapped to illegal pblock 41 (length 16) [ 24.698386][ T43] EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117 [ 24.710609][ T43] EXT4-fs (loop0): This should not happen!! Data will be lost [ 24.710609][ T43] [ 24.721183][ T295] EXT4-fs (loop0): unmounting filesystem. umount2("./3/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555d31730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555d31730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file1") = 0 getdents64(3, 0x555555d296f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d28650) = 312 ./strace-static-x86_64: Process 312 attached [pid 312] set_robust_list(0x555555d28660, 24) = 0 [pid 312] chdir("./4") = 0 [pid 312] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 312] setpgid(0, 0) = 0 [pid 312] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 312] write(3, "1000", 4) = 4 [pid 312] close(3) = 0 [pid 312] symlink("/dev/binderfs", "./binderfs") = 0 [pid 312] memfd_create("syzkaller", 0) = 3 [pid 312] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9b3230a000 [pid 312] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 312] munmap(0x7f9b3230a000, 262144) = 0 [pid 312] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 24.732728][ T295] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Out of memory [ 24.741999][ T295] EXT4-fs error (device loop0): ext4_quota_off:7027: inode #3: comm syz-executor123: mark_inode_dirty error [pid 312] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 312] close(3) = 0 [pid 312] mkdir("./file1", 0777) = 0 [pid 312] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [ 24.780681][ T312] loop0: detected capacity change from 0 to 512 [ 24.804573][ T312] EXT4-fs (loop0): 1 orphan inode deleted [ 24.810397][ T312] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [pid 312] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 312] chdir("./file1") = 0 [pid 312] ioctl(4, LOOP_CLR_FD) = 0 [pid 312] close(4) = 0 [pid 312] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 312] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 167936 [pid 312] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 312] preadv(4, 0x200015c0, 1, 0) = 167808 [pid 312] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 312] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 312] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 312] write(6, 0x20000700, 34136651) = 166144 [pid 312] exit_group(0) = ? [pid 312] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=312, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555d296f0 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 [ 24.819473][ T312] ext4 filesystem being mounted at /root/syzkaller.laXM0P/4/file1 supports timestamps until 2038 (0x7fffffff) [ 24.855583][ T43] EXT4-fs error (device loop0): ext4_map_blocks:731: inode #16: block 41: comm kworker/u4:2: lblock 0 mapped to illegal pblock 41 (length 16) [ 24.870101][ T43] EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117 [ 24.882929][ T43] EXT4-fs (loop0): This should not happen!! Data will be lost [ 24.882929][ T43] [ 24.893994][ T295] EXT4-fs (loop0): unmounting filesystem. umount2("./4/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555d31730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555d31730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file1") = 0 getdents64(3, 0x555555d296f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d28650) = 315 ./strace-static-x86_64: Process 315 attached [pid 315] set_robust_list(0x555555d28660, 24) = 0 [pid 315] chdir("./5") = 0 [pid 315] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 315] setpgid(0, 0) = 0 [pid 315] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 315] write(3, "1000", 4) = 4 [pid 315] close(3) = 0 [pid 315] symlink("/dev/binderfs", "./binderfs") = 0 [pid 315] memfd_create("syzkaller", 0) = 3 [pid 315] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9b3230a000 [pid 315] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 315] munmap(0x7f9b3230a000, 262144) = 0 [pid 315] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 315] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 315] close(3) = 0 [pid 315] mkdir("./file1", 0777) = 0 [ 24.902761][ T295] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Out of memory [ 24.911917][ T295] EXT4-fs error (device loop0): ext4_quota_off:7027: inode #3: comm syz-executor123: mark_inode_dirty error [ 24.935640][ T315] loop0: detected capacity change from 0 to 512 [pid 315] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 315] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 315] chdir("./file1") = 0 [pid 315] ioctl(4, LOOP_CLR_FD) = 0 [pid 315] close(4) = 0 [pid 315] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 315] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 167936 [pid 315] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 315] preadv(4, 0x200015c0, 1, 0) = 167808 [pid 315] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 315] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 315] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 315] write(6, 0x20000700, 34136651) = 166144 [pid 315] exit_group(0) = ? [pid 315] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=315, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555d296f0 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/binderfs") = 0 [ 24.954364][ T315] EXT4-fs (loop0): 1 orphan inode deleted [ 24.960025][ T315] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.969278][ T315] ext4 filesystem being mounted at /root/syzkaller.laXM0P/5/file1 supports timestamps until 2038 (0x7fffffff) [ 25.006311][ T43] EXT4-fs error (device loop0): ext4_map_blocks:731: inode #16: block 41: comm kworker/u4:2: lblock 0 mapped to illegal pblock 41 (length 16) [ 25.020822][ T43] EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117 [ 25.033289][ T43] EXT4-fs (loop0): This should not happen!! Data will be lost [ 25.033289][ T43] [ 25.044350][ T295] EXT4-fs (loop0): unmounting filesystem. umount2("./5/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./5/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555d31730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555d31730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file1") = 0 getdents64(3, 0x555555d296f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d28650) = 318 ./strace-static-x86_64: Process 318 attached [pid 318] set_robust_list(0x555555d28660, 24) = 0 [pid 318] chdir("./6") = 0 [pid 318] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 318] setpgid(0, 0) = 0 [pid 318] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 318] write(3, "1000", 4) = 4 [pid 318] close(3) = 0 [pid 318] symlink("/dev/binderfs", "./binderfs") = 0 [pid 318] memfd_create("syzkaller", 0) = 3 [pid 318] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9b3230a000 [pid 318] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 318] munmap(0x7f9b3230a000, 262144) = 0 [pid 318] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 318] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 318] close(3) = 0 [pid 318] mkdir("./file1", 0777) = 0 [ 25.052779][ T295] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Out of memory [ 25.061848][ T295] EXT4-fs error (device loop0): ext4_quota_off:7027: inode #3: comm syz-executor123: mark_inode_dirty error [ 25.089843][ T318] loop0: detected capacity change from 0 to 512 [pid 318] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 318] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 318] chdir("./file1") = 0 [pid 318] ioctl(4, LOOP_CLR_FD) = 0 [pid 318] close(4) = 0 [pid 318] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 318] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 167936 [pid 318] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 318] preadv(4, 0x200015c0, 1, 0) = 167808 [pid 318] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 318] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 318] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 318] write(6, 0x20000700, 34136651) = 166144 [pid 318] exit_group(0) = ? [pid 318] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=318, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555d296f0 /* 4 entries */, 32768) = 112 umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/binderfs") = 0 [ 25.104393][ T318] EXT4-fs (loop0): 1 orphan inode deleted [ 25.110087][ T318] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 25.119543][ T318] ext4 filesystem being mounted at /root/syzkaller.laXM0P/6/file1 supports timestamps until 2038 (0x7fffffff) [ 25.156936][ T43] EXT4-fs error (device loop0): ext4_map_blocks:731: inode #16: block 41: comm kworker/u4:2: lblock 0 mapped to illegal pblock 41 (length 16) [ 25.171541][ T43] EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117 [ 25.183714][ T43] EXT4-fs (loop0): This should not happen!! Data will be lost [ 25.183714][ T43] [ 25.194346][ T295] EXT4-fs (loop0): unmounting filesystem. umount2("./6/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./6/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555d31730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555d31730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file1") = 0 getdents64(3, 0x555555d296f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d28650) = 322 ./strace-static-x86_64: Process 322 attached [pid 322] set_robust_list(0x555555d28660, 24) = 0 [pid 322] chdir("./7") = 0 [pid 322] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 322] setpgid(0, 0) = 0 [pid 322] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 322] write(3, "1000", 4) = 4 [pid 322] close(3) = 0 [pid 322] symlink("/dev/binderfs", "./binderfs") = 0 [pid 322] memfd_create("syzkaller", 0) = 3 [pid 322] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9b3230a000 [pid 322] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 322] munmap(0x7f9b3230a000, 262144) = 0 [pid 322] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 322] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 322] close(3) = 0 [pid 322] mkdir("./file1", 0777) = 0 [ 25.202671][ T295] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Out of memory [ 25.211654][ T295] EXT4-fs error (device loop0): ext4_quota_off:7027: inode #3: comm syz-executor123: mark_inode_dirty error [ 25.241774][ T322] loop0: detected capacity change from 0 to 512 [pid 322] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 322] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 322] chdir("./file1") = 0 [pid 322] ioctl(4, LOOP_CLR_FD) = 0 [pid 322] close(4) = 0 [pid 322] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 322] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 167936 [pid 322] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 322] preadv(4, 0x200015c0, 1, 0) = 167808 [pid 322] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 322] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 322] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 322] write(6, 0x20000700, 34136651) = 166144 [pid 322] exit_group(0) = ? [pid 322] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=322, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555d296f0 /* 4 entries */, 32768) = 112 umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/binderfs") = 0 [ 25.254661][ T322] EXT4-fs (loop0): 1 orphan inode deleted [ 25.260220][ T322] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 25.269729][ T322] ext4 filesystem being mounted at /root/syzkaller.laXM0P/7/file1 supports timestamps until 2038 (0x7fffffff) [ 25.316255][ T298] EXT4-fs error (device loop0): ext4_map_blocks:731: inode #16: block 41: comm kworker/u4:3: lblock 0 mapped to illegal pblock 41 (length 16) [ 25.330826][ T298] EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117 [ 25.343100][ T298] EXT4-fs (loop0): This should not happen!! Data will be lost [ 25.343100][ T298] [ 25.353728][ T295] EXT4-fs (loop0): unmounting filesystem. umount2("./7/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./7/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./7/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555d31730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555d31730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./7/file1") = 0 getdents64(3, 0x555555d296f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d28650) = 325 ./strace-static-x86_64: Process 325 attached [pid 325] set_robust_list(0x555555d28660, 24) = 0 [pid 325] chdir("./8") = 0 [pid 325] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 325] setpgid(0, 0) = 0 [pid 325] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 325] write(3, "1000", 4) = 4 [pid 325] close(3) = 0 [pid 325] symlink("/dev/binderfs", "./binderfs") = 0 [pid 325] memfd_create("syzkaller", 0) = 3 [pid 325] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9b3230a000 [pid 325] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 325] munmap(0x7f9b3230a000, 262144) = 0 [pid 325] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 325] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 325] close(3) = 0 [pid 325] mkdir("./file1", 0777) = 0 [ 25.362768][ T295] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Out of memory [ 25.371668][ T295] EXT4-fs error (device loop0): ext4_quota_off:7027: inode #3: comm syz-executor123: mark_inode_dirty error [ 25.396561][ T325] loop0: detected capacity change from 0 to 512 [pid 325] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 325] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 325] chdir("./file1") = 0 [pid 325] ioctl(4, LOOP_CLR_FD) = 0 [pid 325] close(4) = 0 [pid 325] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 325] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 167936 [pid 325] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 325] preadv(4, 0x200015c0, 1, 0) = 167808 [pid 325] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 325] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 325] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 325] write(6, 0x20000700, 34136651) = 166144 [pid 325] exit_group(0) = ? [pid 325] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=325, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555d296f0 /* 4 entries */, 32768) = 112 umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/binderfs") = 0 [ 25.414618][ T325] EXT4-fs (loop0): 1 orphan inode deleted [ 25.420215][ T325] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 25.429542][ T325] ext4 filesystem being mounted at /root/syzkaller.laXM0P/8/file1 supports timestamps until 2038 (0x7fffffff) [ 25.469137][ T8] ================================================================== [ 25.477130][ T8] BUG: KASAN: use-after-free in ext4_find_extent+0xbab/0xdb0 [ 25.484325][ T8] Read of size 4 at addr ffff8881218f0788 by task kworker/u4:0/8 [ 25.491904][ T8] [ 25.494052][ T8] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 25.503514][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 25.513402][ T8] Workqueue: writeback wb_workfn (flush-7:0) [ 25.519219][ T8] Call Trace: [ 25.522351][ T8] [ 25.525138][ T8] dump_stack_lvl+0x151/0x1b7 [ 25.529648][ T8] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 25.535014][ T8] ? _printk+0xd1/0x111 [ 25.539008][ T8] ? __virt_addr_valid+0x242/0x2f0 [ 25.543953][ T8] print_report+0x158/0x4e0 [ 25.548295][ T8] ? __virt_addr_valid+0x242/0x2f0 [ 25.553243][ T8] ? kasan_addr_to_slab+0xd/0x80 [ 25.558015][ T8] ? ext4_find_extent+0xbab/0xdb0 [ 25.562887][ T8] kasan_report+0x13c/0x170 [ 25.567216][ T8] ? ext4_find_extent+0xbab/0xdb0 [ 25.572087][ T8] __asan_report_load4_noabort+0x14/0x20 [ 25.577542][ T8] ext4_find_extent+0xbab/0xdb0 [ 25.582237][ T8] ext4_ext_map_blocks+0x255/0x71e0 [ 25.587264][ T8] ? stack_trace_save+0x113/0x1c0 [ 25.592141][ T8] ? kasan_set_track+0x60/0x70 [ 25.596727][ T8] ? kasan_set_track+0x4b/0x70 [ 25.601324][ T8] ? kasan_save_alloc_info+0x1f/0x30 [ 25.606445][ T8] ? __kasan_slab_alloc+0x6c/0x80 [ 25.611303][ T8] ? slab_post_alloc_hook+0x53/0x2c0 [ 25.616429][ T8] ? kmem_cache_alloc+0x175/0x2c0 [ 25.621287][ T8] ? ext4_ext_release+0x10/0x10 [ 25.626063][ T8] ? writeback_sb_inodes+0xb33/0x18f0 [ 25.631269][ T8] ? wb_writeback+0x3b9/0x9f0 [ 25.635783][ T8] ? wb_workfn+0x399/0x1030 [ 25.640119][ T8] ? process_one_work+0x73d/0xcb0 [ 25.645003][ T8] ? worker_thread+0xa60/0x1260 [ 25.649669][ T8] ? kthread+0x26d/0x300 [ 25.653746][ T8] ? ret_from_fork+0x1f/0x30 [ 25.658178][ T8] ? _raw_read_unlock+0x25/0x40 [ 25.663126][ T8] ? ext4_es_lookup_extent+0x33b/0x950 [ 25.668420][ T8] ext4_map_blocks+0xa42/0x1ce0 [ 25.673191][ T8] ? kasan_save_alloc_info+0x1f/0x30 [ 25.678313][ T8] ? ext4_issue_zeroout+0x250/0x250 [ 25.683353][ T8] ? ext4_inode_journal_mode+0x1a5/0x470 [ 25.688823][ T8] ext4_writepages+0x17b5/0x3fd0 [ 25.693587][ T8] ? update_load_avg+0xd6d/0x1530 [ 25.698458][ T8] ? ext4_read_folio+0x240/0x240 [ 25.703225][ T8] ? xas_start+0x32c/0x3f0 [ 25.707475][ T8] ? xas_load+0x34f/0x370 [ 25.711644][ T8] ? __kasan_check_write+0x14/0x20 [ 25.716676][ T8] ? ext4_read_folio+0x240/0x240 [ 25.721447][ T8] do_writepages+0x385/0x620 [ 25.725963][ T8] ? __writepage+0x130/0x130 [ 25.730475][ T8] ? __update_load_avg_cfs_rq+0xb1/0x2f0 [ 25.735949][ T8] __writeback_single_inode+0xdc/0xb80 [ 25.741239][ T8] writeback_sb_inodes+0xb33/0x18f0 [ 25.746277][ T8] ? queue_io+0x520/0x520 [ 25.750440][ T8] ? __writeback_inodes_wb+0x3f0/0x3f0 [ 25.755735][ T8] ? queue_io+0x3d0/0x520 [ 25.759898][ T8] ? memset+0x35/0x40 [ 25.763717][ T8] wb_writeback+0x3b9/0x9f0 [ 25.768186][ T8] ? inode_cgwb_move_to_attached+0x3c0/0x3c0 [ 25.773978][ T8] ? set_worker_desc+0x158/0x1c0 [ 25.778751][ T8] ? __kasan_check_write+0x14/0x20 [ 25.783700][ T8] wb_workfn+0x399/0x1030 [ 25.787865][ T8] ? inode_wait_for_writeback+0x280/0x280 [ 25.793417][ T8] ? kthread_data+0x53/0xc0 [ 25.797756][ T8] ? _raw_spin_unlock+0x4c/0x70 [ 25.802442][ T8] ? finish_task_switch+0x167/0x7b0 [ 25.807481][ T8] ? __kasan_check_read+0x11/0x20 [ 25.812338][ T8] ? read_word_at_a_time+0x12/0x20 [ 25.817286][ T8] ? strscpy+0x9c/0x260 [ 25.821278][ T8] process_one_work+0x73d/0xcb0 [ 25.825966][ T8] worker_thread+0xa60/0x1260 [ 25.830483][ T8] kthread+0x26d/0x300 [ 25.834382][ T8] ? worker_clr_flags+0x1a0/0x1a0 [ 25.839333][ T8] ? kthread_blkcg+0xd0/0xd0 [ 25.843766][ T8] ret_from_fork+0x1f/0x30 [ 25.848023][ T8] [ 25.850967][ T8] [ 25.853256][ T8] The buggy address belongs to the physical page: [ 25.859523][ T8] page:ffffea0004863c00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1218f0 [ 25.869566][ T8] flags: 0x4000000000000000(zone=1) [ 25.874606][ T8] raw: 4000000000000000 ffffea0004863c48 ffffea0004863bc8 0000000000000000 [ 25.883026][ T8] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 25.891523][ T8] page dumped because: kasan: bad access detected [ 25.897773][ T8] page_owner tracks the page as freed [ 25.903067][ T8] page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 261, tgid 261 (sshd), ts 17873501342, free_ts 17925146961 [ 25.921739][ T8] post_alloc_hook+0x213/0x220 [ 25.926340][ T8] prep_new_page+0x1b/0x110 [ 25.930669][ T8] get_page_from_freelist+0x2762/0x27f0 [ 25.936052][ T8] __alloc_pages+0x3a1/0x780 [ 25.940478][ T8] __folio_alloc+0x15/0x40 [ 25.944727][ T8] handle_mm_fault+0x1fb0/0x2f40 [ 25.949765][ T8] exc_page_fault+0x3a6/0x6e0 [ 25.954275][ T8] asm_exc_page_fault+0x27/0x30 [ 25.959145][ T8] page last free stack trace: [ 25.963759][ T8] free_unref_page_prepare+0x83d/0x850 [ 25.969052][ T8] free_unref_page_list+0xf6/0x6c0 [ 25.974000][ T8] release_pages+0xf7f/0xfe0 [ 25.978425][ T8] free_pages_and_swap_cache+0x8a/0xa0 [ 25.983733][ T8] tlb_finish_mmu+0x1e0/0x3f0 [ 25.988236][ T8] unmap_region+0x2c1/0x310 [ 25.992748][ T8] do_mas_align_munmap+0xd05/0x1400 [ 25.997783][ T8] do_mas_munmap+0x23e/0x2b0 [ 26.002209][ T8] __vm_munmap+0x263/0x3a0 [ 26.006463][ T8] __x64_sys_munmap+0x6b/0x80 [ 26.011008][ T8] do_syscall_64+0x3d/0xb0 [ 26.015226][ T8] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 26.020958][ T8] [ 26.023127][ T8] Memory state around the buggy address: [ 26.028599][ T8] ffff8881218f0680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.036497][ T8] ffff8881218f0700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.044663][ T8] >ffff8881218f0780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.052555][ T8] ^ [ 26.056846][ T8] ffff8881218f0800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.064705][ T8] ffff8881218f0880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.072600][ T8] ================================================================== [ 26.080814][ T8] Disabling lock debugging due to kernel taint [ 26.088456][ T8] ------------[ cut here ]------------ [ 26.094012][ T8] kernel BUG at fs/ext4/inode.c:2433! [ 26.099212][ T8] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 26.105098][ T8] CPU: 0 PID: 8 Comm: kworker/u4:0 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 26.116036][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 26.125928][ T8] Workqueue: writeback wb_workfn (flush-7:0) [ 26.131746][ T8] RIP: 0010:ext4_writepages+0x3d6f/0x3fd0 [ 26.137299][ T8] Code: e8 a6 f9 81 ff be 00 10 00 00 48 c7 c7 10 e3 cb 86 4c 89 f2 e8 02 5d ab 00 e9 0f fb ff ff e8 88 f9 81 ff 0f 0b e8 81 f9 81 ff <0f> 0b e8 da 9d 01 03 65 8b 05 db 30 0f 7e 41 89 c7 4c 89 f8 48 c1 [ 26.156745][ T8] RSP: 0018:ffffc90000087000 EFLAGS: 00010293 [ 26.162643][ T8] RAX: ffffffff81f2e06f RBX: dffffc0000000000 RCX: ffff88810037e540 [ 26.170451][ T8] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 26.178263][ T8] RBP: ffffc90000087410 R08: ffffffff81f2bd7f R09: ffffed10200ad24b [ 26.186348][ T8] R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000 [ 26.194235][ T8] R13: 0000000000000000 R14: ffff888100569290 R15: ffffc900000872e0 [ 26.202044][ T8] FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 26.210903][ T8] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.217495][ T8] CR2: 00007ffc64833d68 CR3: 00000001225e0000 CR4: 00000000003506b0 [ 26.225319][ T8] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 26.233120][ T8] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 26.240930][ T8] Call Trace: [ 26.244060][ T8] [ 26.246840][ T8] ? update_load_avg+0xd6d/0x1530 [ 26.251790][ T8] ? ext4_read_folio+0x240/0x240 [ 26.256557][ T8] ? xas_start+0x32c/0x3f0 [ 26.260806][ T8] ? xas_load+0x34f/0x370 [ 26.264975][ T8] ? __kasan_check_write+0x14/0x20 [ 26.269933][ T8] ? ext4_read_folio+0x240/0x240 [ 26.274701][ T8] do_writepages+0x385/0x620 [ 26.279121][ T8] ? __writepage+0x130/0x130 [ 26.283810][ T8] ? __update_load_avg_cfs_rq+0xb1/0x2f0 [ 26.289278][ T8] __writeback_single_inode+0xdc/0xb80 [ 26.294576][ T8] writeback_sb_inodes+0xb33/0x18f0 [ 26.299613][ T8] ? queue_io+0x520/0x520 [ 26.305070][ T8] ? __writeback_inodes_wb+0x3f0/0x3f0 [ 26.310368][ T8] ? queue_io+0x3d0/0x520 [ 26.314534][ T8] ? memset+0x35/0x40 [ 26.318444][ T8] wb_writeback+0x3b9/0x9f0 [ 26.322782][ T8] ? inode_cgwb_move_to_attached+0x3c0/0x3c0 [ 26.328593][ T8] ? set_worker_desc+0x158/0x1c0 [ 26.333368][ T8] ? __kasan_check_write+0x14/0x20 [ 26.338316][ T8] wb_workfn+0x399/0x1030 [ 26.342488][ T8] ? inode_wait_for_writeback+0x280/0x280 [ 26.348034][ T8] ? kthread_data+0x53/0xc0 [ 26.352376][ T8] ? _raw_spin_unlock+0x4c/0x70 [ 26.357062][ T8] ? finish_task_switch+0x167/0x7b0 [ 26.362096][ T8] ? __kasan_check_read+0x11/0x20 [ 26.366953][ T8] ? read_word_at_a_time+0x12/0x20 [ 26.371902][ T8] ? strscpy+0x9c/0x260 [ 26.375894][ T8] process_one_work+0x73d/0xcb0 [ 26.380591][ T8] worker_thread+0xa60/0x1260 [ 26.385103][ T8] kthread+0x26d/0x300 [ 26.389022][ T8] ? worker_clr_flags+0x1a0/0x1a0 [ 26.393877][ T8] ? kthread_blkcg+0xd0/0xd0 [ 26.398289][ T8] ret_from_fork+0x1f/0x30 [ 26.402562][ T8] [ 26.405404][ T8] Modules linked in: [ 26.410802][ T8] ---[ end trace 0000000000000000 ]--- [ 26.416141][ T8] RIP: 0010:ext4_writepages+0x3d6f/0x3fd0 [ 26.421660][ T8] Code: e8 a6 f9 81 ff be 00 10 00 00 48 c7 c7 10 e3 cb 86 4c 89 f2 e8 02 5d ab 00 e9 0f fb ff ff e8 88 f9 81 ff 0f 0b e8 81 f9 81 ff <0f> 0b e8 da 9d 01 03 65 8b 05 db 30 0f 7e 41 89 c7 4c 89 f8 48 c1 [ 26.441140][ T8] RSP: 0018:ffffc90000087000 EFLAGS: 00010293 [ 26.447050][ T8] RAX: ffffffff81f2e06f RBX: dffffc0000000000 RCX: ffff88810037e540 [ 26.454949][ T8] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 26.462837][ T8] RBP: ffffc90000087410 R08: ffffffff81f2bd7f R09: ffffed10200ad24b [ 26.470538][ T8] R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000 [ 26.478505][ T8] R13: 0000000000000000 R14: ffff888100569290 R15: ffffc900000872e0 [ 26.486374][ T8] FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 26.495107][ T8] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.501472][ T8] CR2: 0000000020006000 CR3: 000000010e83f000 CR4: 00000000003506a0 [ 26.509313][ T8] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 26.517216][ T8] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 26.525025][ T8] Kernel panic - not syncing: Fatal exception [ 26.531229][ T8] Kernel Offset: disabled [ 26.535360][ T8] Rebooting in 86400 seconds..