./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3115134405 <...> Warning: Permanently added '10.128.1.79' (ED25519) to the list of known hosts. execve("./syz-executor3115134405", ["./syz-executor3115134405"], 0x7ffe07a58050 /* 10 vars */) = 0 brk(NULL) = 0x5555899de000 brk(0x5555899ded00) = 0x5555899ded00 arch_prctl(ARCH_SET_FS, 0x5555899de380) = 0 set_tid_address(0x5555899de650) = 5065 set_robust_list(0x5555899de660, 24) = 0 rseq(0x5555899deca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3115134405", 4096) = 28 getrandom("\x47\x68\xcf\xb5\x42\x1a\x94\x36", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555899ded00 brk(0x5555899ffd00) = 0x5555899ffd00 brk(0x555589a00000) = 0x555589a00000 mprotect(0x7ff2bfda3000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5066 attached , child_tidptr=0x5555899de650) = 5066 [pid 5065] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5066] set_robust_list(0x5555899de660, 24) = 0 ./strace-static-x86_64: Process 5067 attached [pid 5066] mkdir("./syzkaller.PqWLrm", 0700 [pid 5067] set_robust_list(0x5555899de660, 24 [pid 5065] <... clone resumed>, child_tidptr=0x5555899de650) = 5067 [pid 5067] <... set_robust_list resumed>) = 0 [pid 5065] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5067] mkdir("./syzkaller.riIb19", 0700./strace-static-x86_64: Process 5068 attached [pid 5068] set_robust_list(0x5555899de660, 24 [pid 5066] <... mkdir resumed>) = 0 [pid 5068] <... set_robust_list resumed>) = 0 [pid 5067] <... mkdir resumed>) = 0 [pid 5066] chmod("./syzkaller.PqWLrm", 0777 [pid 5065] <... clone resumed>, child_tidptr=0x5555899de650) = 5068 [pid 5067] chmod("./syzkaller.riIb19", 0777 [pid 5068] mkdir("./syzkaller.M6DMdw", 0700 [pid 5067] <... chmod resumed>) = 0 [pid 5066] <... chmod resumed>) = 0 [pid 5065] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5068] <... mkdir resumed>) = 0 [pid 5067] chdir("./syzkaller.riIb19" [pid 5066] chdir("./syzkaller.PqWLrm"./strace-static-x86_64: Process 5069 attached [pid 5065] <... clone resumed>, child_tidptr=0x5555899de650) = 5069 [pid 5068] chmod("./syzkaller.M6DMdw", 0777 [pid 5067] <... chdir resumed>) = 0 [pid 5067] mkdir("./0", 0777 [pid 5065] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5069] set_robust_list(0x5555899de660, 24 [pid 5068] <... chmod resumed>) = 0 [pid 5066] <... chdir resumed>) = 0 [pid 5069] <... set_robust_list resumed>) = 0 [pid 5068] chdir("./syzkaller.M6DMdw" [pid 5067] <... mkdir resumed>) = 0 [pid 5066] mkdir("./0", 0777./strace-static-x86_64: Process 5070 attached [pid 5069] mkdir("./syzkaller.mBgMaO", 0700 [pid 5068] <... chdir resumed>) = 0 [pid 5067] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5065] <... clone resumed>, child_tidptr=0x5555899de650) = 5070 [pid 5070] set_robust_list(0x5555899de660, 24) = 0 [pid 5068] mkdir("./0", 0777 [pid 5066] <... mkdir resumed>) = 0 [pid 5068] <... mkdir resumed>) = 0 ./strace-static-x86_64: Process 5071 attached [pid 5070] mkdir("./syzkaller.zWzLXS", 0700 [pid 5069] <... mkdir resumed>) = 0 [pid 5068] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5067] <... clone resumed>, child_tidptr=0x5555899de650) = 5071 [pid 5066] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5071] set_robust_list(0x5555899de660, 24 [pid 5069] chmod("./syzkaller.mBgMaO", 0777./strace-static-x86_64: Process 5073 attached ./strace-static-x86_64: Process 5072 attached [pid 5071] <... set_robust_list resumed>) = 0 [pid 5070] <... mkdir resumed>) = 0 [pid 5073] set_robust_list(0x5555899de660, 24 [pid 5071] chdir("./0" [pid 5072] set_robust_list(0x5555899de660, 24 [pid 5070] chmod("./syzkaller.zWzLXS", 0777 [pid 5069] <... chmod resumed>) = 0 [pid 5068] <... clone resumed>, child_tidptr=0x5555899de650) = 5072 [pid 5066] <... clone resumed>, child_tidptr=0x5555899de650) = 5073 [pid 5073] <... set_robust_list resumed>) = 0 [pid 5072] <... set_robust_list resumed>) = 0 [pid 5071] <... chdir resumed>) = 0 [pid 5070] <... chmod resumed>) = 0 [pid 5070] chdir("./syzkaller.zWzLXS" [pid 5069] chdir("./syzkaller.mBgMaO" [pid 5073] chdir("./0" [pid 5072] chdir("./0" [pid 5071] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5070] <... chdir resumed>) = 0 [pid 5069] <... chdir resumed>) = 0 [pid 5073] <... chdir resumed>) = 0 [pid 5072] <... chdir resumed>) = 0 [pid 5071] <... prctl resumed>) = 0 [pid 5070] mkdir("./0", 0777 [pid 5069] mkdir("./0", 0777 [pid 5073] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5072] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5071] setpgid(0, 0 [pid 5073] <... prctl resumed>) = 0 [pid 5072] <... prctl resumed>) = 0 [pid 5071] <... setpgid resumed>) = 0 [pid 5073] setpgid(0, 0 [pid 5072] setpgid(0, 0 [pid 5070] <... mkdir resumed>) = 0 [pid 5073] <... setpgid resumed>) = 0 [pid 5072] <... setpgid resumed>) = 0 [pid 5071] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5070] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5069] <... mkdir resumed>) = 0 [pid 5073] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5072] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5071] <... openat resumed>) = 3 [pid 5069] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5073] <... openat resumed>) = 3 [pid 5072] <... openat resumed>) = 3 [pid 5071] write(3, "1000", 4) = 4 ./strace-static-x86_64: Process 5075 attached ./strace-static-x86_64: Process 5074 attached [pid 5073] write(3, "1000", 4 [pid 5072] write(3, "1000", 4 [pid 5075] set_robust_list(0x5555899de660, 24 [pid 5074] set_robust_list(0x5555899de660, 24 [pid 5073] <... write resumed>) = 4 [pid 5072] <... write resumed>) = 4 [pid 5071] close(3 [pid 5075] <... set_robust_list resumed>) = 0 [pid 5070] <... clone resumed>, child_tidptr=0x5555899de650) = 5074 [pid 5069] <... clone resumed>, child_tidptr=0x5555899de650) = 5075 [pid 5074] <... set_robust_list resumed>) = 0 [pid 5073] close(3 [pid 5072] close(3 [pid 5071] <... close resumed>) = 0 [pid 5075] chdir("./0" [pid 5074] chdir("./0" [pid 5073] <... close resumed>) = 0 [pid 5072] <... close resumed>) = 0 [pid 5071] symlink("/dev/binderfs", "./binderfs" [pid 5075] <... chdir resumed>) = 0 [pid 5073] symlink("/dev/binderfs", "./binderfs" [pid 5072] symlink("/dev/binderfs", "./binderfs" [pid 5074] <... chdir resumed>) = 0 [pid 5075] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5073] <... symlink resumed>) = 0 [pid 5075] setpgid(0, 0 [pid 5072] <... symlink resumed>) = 0 [pid 5071] <... symlink resumed>) = 0 [pid 5074] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5075] <... setpgid resumed>) = 0 [pid 5075] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5074] <... prctl resumed>) = 0 [pid 5071] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294966784, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 5072] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294966784, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 5075] <... openat resumed>) = 3 [pid 5074] setpgid(0, 0 [pid 5073] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294966784, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 5071] <... bpf resumed>) = 3 [pid 5072] <... bpf resumed>) = 3 [pid 5075] write(3, "1000", 4 [pid 5074] <... setpgid resumed>) = 0 [pid 5073] <... bpf resumed>) = 3 [pid 5072] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5071] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5075] <... write resumed>) = 4 [pid 5074] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5073] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5072] <... bpf resumed>) = -1 EFAULT (Bad address) [pid 5075] close(3 [pid 5074] <... openat resumed>) = 3 [pid 5072] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 5071] <... bpf resumed>) = -1 EFAULT (Bad address) [pid 5075] <... close resumed>) = 0 [pid 5074] write(3, "1000", 4 [pid 5073] <... bpf resumed>) = -1 EFAULT (Bad address) [pid 5071] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 5075] symlink("/dev/binderfs", "./binderfs" [pid 5074] <... write resumed>) = 4 [pid 5073] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 5072] <... bpf resumed>) = 4 [pid 5071] <... bpf resumed>) = 4 [pid 5075] <... symlink resumed>) = 0 [pid 5074] close(3 [pid 5072] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_drop_inode", prog_fd=4}}, 16 [pid 5071] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_drop_inode", prog_fd=4}}, 16 [pid 5074] <... close resumed>) = 0 [pid 5073] <... bpf resumed>) = 4 [pid 5074] symlink("/dev/binderfs", "./binderfs" [pid 5073] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_drop_inode", prog_fd=4}}, 16 [pid 5075] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294966784, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 5074] <... symlink resumed>) = 0 [pid 5073] <... bpf resumed>) = 5 [pid 5072] <... bpf resumed>) = 5 [pid 5071] <... bpf resumed>) = 5 [pid 5075] <... bpf resumed>) = 3 [pid 5071] exit_group(0 [pid 5074] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294966784, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 5075] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5073] exit_group(0 [pid 5071] <... exit_group resumed>) = ? [pid 5075] <... bpf resumed>) = -1 EFAULT (Bad address) [pid 5074] <... bpf resumed>) = 3 [pid 5073] <... exit_group resumed>) = ? [pid 5072] exit_group(0 [pid 5075] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 5074] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5073] +++ exited with 0 +++ [pid 5072] <... exit_group resumed>) = ? [pid 5071] +++ exited with 0 +++ [pid 5075] <... bpf resumed>) = 4 [pid 5066] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5073, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 5067] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5071, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 5066] umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW [pid 5067] umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW [pid 5066] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 5067] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 5066] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY [pid 5075] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_drop_inode", prog_fd=4}}, 16 [pid 5074] <... bpf resumed>) = -1 EFAULT (Bad address) [pid 5072] +++ exited with 0 +++ [pid 5067] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY [pid 5066] <... openat resumed>) = 3 [pid 5074] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 5067] <... openat resumed>) = 3 [pid 5074] <... bpf resumed>) = 4 [pid 5068] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5072, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 5067] newfstatat(3, "", [pid 5066] newfstatat(3, "", [pid 5068] umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW [pid 5074] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_drop_inode", prog_fd=4}}, 16 [pid 5068] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 5067] <... newfstatat resumed>{st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 5066] <... newfstatat resumed>{st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 5068] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 5067] getdents64(3, [pid 5066] getdents64(3, [pid 5068] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 5067] <... getdents64 resumed>0x5555899df6f0 /* 3 entries */, 32768) = 80 [pid 5066] <... getdents64 resumed>0x5555899df6f0 /* 3 entries */, 32768) = 80 [pid 5068] getdents64(3, [pid 5067] umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW [pid 5066] umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW [pid 5067] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 5067] newfstatat(AT_FDCWD, "./0/binderfs", [pid 5066] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 5068] <... getdents64 resumed>0x5555899df6f0 /* 3 entries */, 32768) = 80 [pid 5068] umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 5068] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 5068] unlink("./0/binderfs" [pid 5067] <... newfstatat resumed>{st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 5066] newfstatat(AT_FDCWD, "./0/binderfs", [pid 5068] <... unlink resumed>) = 0 [pid 5067] unlink("./0/binderfs" [pid 5066] <... newfstatat resumed>{st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 5068] getdents64(3, 0x5555899df6f0 /* 0 entries */, 32768) = 0 [pid 5066] unlink("./0/binderfs" [pid 5068] close(3 [pid 5067] <... unlink resumed>) = 0 [pid 5066] <... unlink resumed>) = 0 [pid 5068] <... close resumed>) = 0 [pid 5066] getdents64(3, [pid 5067] getdents64(3, 0x5555899df6f0 /* 0 entries */, 32768) = 0 [pid 5067] close(3) = 0 [ 69.060515][ T5068] ================================================================== [ 69.060528][ T5067] BUG: unable to handle page fault for address: ffffc90003b58000 [ 69.070088][ T5068] BUG: KASAN: stack-out-of-bounds in hash+0x19b/0x410 [ 69.079013][ T5067] #PF: supervisor read access in kernel mode [ 69.086009][ T5068] Read of size 4 at addr ffffc90003b87be0 by task syz-executor311/5068 [ 69.092524][ T5067] #PF: error_code(0x0000) - not-present page [ 69.100828][ T5068] [ 69.100837][ T5068] CPU: 0 PID: 5068 Comm: syz-executor311 Not tainted 6.8.0-syzkaller-05243-g14bb1e8c8d4a #0 [ 69.107492][ T5067] PGD 14c00067 [ 69.109823][ T5068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 69.121104][ T5067] P4D 14c00067 [ 69.124727][ T5068] Call Trace: [ 69.124739][ T5068] [ 69.135379][ T5067] PUD 15ad6067 [ 69.139014][ T5068] dump_stack_lvl+0x1e7/0x2e0 [ 69.142728][ T5067] PMD 1ea95067 [ 69.145751][ T5068] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.149362][ T5067] PTE 0 [ 69.154056][ T5068] ? __pfx__printk+0x10/0x10 [ 69.157938][ T5067] [ 69.157949][ T5067] Oops: 0000 [#1] PREEMPT SMP KASAN PTI [ 69.163393][ T5068] ? _printk+0xd5/0x120 [ 69.166263][ T5067] CPU: 1 PID: 5067 Comm: syz-executor311 Not tainted 6.8.0-syzkaller-05243-g14bb1e8c8d4a #0 [ 69.170836][ T5068] print_report+0x169/0x550 [ 69.173146][ T5067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 69.178874][ T5068] ? __virt_addr_valid+0xbd/0x520 [ 69.183285][ T5067] RIP: 0010:hash+0xd3/0x410 [ 69.194125][ T5068] ? hash+0x19b/0x410 [ 69.199031][ T5067] Code: ff df 0f b6 04 10 84 c0 0f 85 a7 00 00 00 45 03 6f f4 49 8d 7c 24 04 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 b3 00 00 00 <41> 03 5f f8 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 [ 69.209879][ T5068] kasan_report+0x143/0x180 [ 69.215592][ T5067] RSP: 0018:ffffc90003b57ad8 EFLAGS: 00010286 [ 69.222609][ T5068] ? hash+0x19b/0x410 [ 69.227394][ T5067] [ 69.227406][ T5067] RAX: 0000000000000000 RBX: 000000007a0bd864 RCX: ffffffff81b5da0b [ 69.248065][ T5068] hash+0x19b/0x410 [ 69.252927][ T5067] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc90003b58000 [ 69.259264][ T5068] bloom_map_peek_elem+0xb2/0x1b0 [ 69.263644][ T5067] RBP: 00000000e16c5d2c R08: ffffffff81b5d8f0 R09: 1ffffffff2598ea0 [ 69.266129][ T5068] ? bpf_trace_run2+0x1fc/0x530 [ 69.274296][ T5067] R10: dffffc0000000000 R11: ffffffffa0001c58 R12: ffffc90003b57ffc [ 69.278080][ T5068] bpf_prog_00798911c748094f+0x42/0x46 [ 69.286033][ T5067] R13: 000000004e7bdfe8 R14: 000000003ffffe60 R15: ffffc90003b58008 [ 69.291033][ T5068] bpf_trace_run2+0x2ec/0x530 [ 69.299149][ T5067] FS: 00005555899de380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 [ 69.304328][ T5068] ? __pfx_bpf_trace_run2+0x10/0x10 [ 69.312364][ T5067] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 69.318577][ T5068] ? do_raw_spin_lock+0x14f/0x370 [ 69.327597][ T5067] CR2: ffffc90003b58000 CR3: 000000007851e000 CR4: 00000000003506f0 [ 69.332464][ T5068] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 69.342683][ T5067] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 69.348661][ T5068] ? __pfx___bpf_trace_ext4_drop_inode+0x10/0x10 [ 69.356098][ T5067] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 69.362520][ T5068] __traceiter_ext4_drop_inode+0x76/0xd0 [ 69.371098][ T5067] Call Trace: [ 69.371114][ T5067] [ 69.377246][ T5068] ext4_drop_inode+0x20a/0x270 [ 69.385537][ T5067] ? __die_body+0x88/0xe0 [ 69.392189][ T5068] ? __pfx_ext4_drop_inode+0x10/0x10 [ 69.401114][ T5067] ? page_fault_oops+0x817/0xb30 [ 69.406751][ T5068] iput+0x45e/0x900 [ 69.410113][ T5067] ? __pfx_validate_chain+0x10/0x10 [ 69.413217][ T5068] vfs_rmdir+0x38f/0x4c0 [ 69.418216][ T5067] ? __pfx_page_fault_oops+0x10/0x10 [ 69.423044][ T5068] do_rmdir+0x3b5/0x580 [ 69.428647][ T5067] ? __pfx_is_prefetch+0x10/0x10 [ 69.433993][ T5068] ? __pfx_do_rmdir+0x10/0x10 [ 69.439081][ T5067] ? kernelmode_fixup_or_oops+0x20e/0x2b0 [ 69.445259][ T5068] ? strncpy_from_user+0x1a4/0x2f0 [ 69.449772][ T5067] ? __bad_area_nosemaphore+0x127/0x780 [ 69.455686][ T5068] __x64_sys_rmdir+0x49/0x60 [ 69.459831][ T5067] ? mark_lock+0x9a/0x350 [ 69.464758][ T5068] do_syscall_64+0xfb/0x240 [ 69.469682][ T5067] ? __pfx_validate_chain+0x10/0x10 [ 69.476001][ T5068] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 69.481273][ T5067] ? __pfx___bad_area_nosemaphore+0x10/0x10 [ 69.487500][ T5068] RIP: 0033:0x7ff2bfd2ffb7 [ 69.492322][ T5067] ? spurious_kernel_fault+0x11b/0x520 [ 69.496838][ T5068] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 69.501787][ T5067] ? exc_page_fault+0x5bd/0x890 [ 69.507241][ T5068] RSP: 002b:00007ffcc67298e8 EFLAGS: 00000207 [ 69.513211][ T5067] ? asm_exc_page_fault+0x26/0x30 [ 69.520575][ T5068] ORIG_RAX: 0000000000000054 [ 69.525693][ T5067] ? 0xffffffffa0001c58 [ 69.531495][ T5068] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff2bfd2ffb7 [ 69.551466][ T5067] ? hash+0x80/0x410 [ 69.556564][ T5068] RDX: fffffffffffff000 RSI: 0000000000000000 RDI: 00007ffcc672aa10 [ 69.563134][ T5067] ? hash+0x19b/0x410 [ 69.568352][ T5068] RBP: 0000000000000065 R08: 00005555899df73b R09: 0000000000000000 [ 69.573378][ T5067] ? hash+0xd3/0x410 [ 69.578392][ T5068] R10: 0000000000000100 R11: 0000000000000207 R12: 00007ffcc672aa10 [ 69.586984][ T5067] ? hash+0x19b/0x410 [ 69.591137][ T5068] R13: 00005555899df6c0 R14: 00007ffcc672aa10 R15: 0000000000000001 [ 69.599471][ T5067] bloom_map_peek_elem+0xb2/0x1b0 [ 69.603626][ T5068] [ 69.611776][ T5067] ? bpf_trace_run2+0x1fc/0x530 [ 69.615813][ T5068] [ 69.615827][ T5068] The buggy address belongs to stack of task syz-executor311/5068 [ 69.624764][ T5067] bpf_prog_00798911c748094f+0x42/0x46 [ 69.629001][ T5068] and is located at offset 0 in frame: [ 69.637414][ T5067] bpf_trace_run2+0x2ec/0x530 [ 69.642407][ T5068] bpf_trace_run2+0x0/0x530 [ 69.645417][ T5067] ? __pfx_bpf_trace_run2+0x10/0x10 [ 69.650387][ T5068] [ 69.650396][ T5068] This frame has 2 objects: [ 69.652975][ T5067] ? do_raw_spin_lock+0x14f/0x370 [ 69.660952][ T5068] [32, 48) 'run_ctx.i' [ 69.666685][ T5067] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 69.672395][ T5068] [64, 80) 'args' [ 69.677047][ T5067] ? __pfx___bpf_trace_ext4_drop_inode+0x10/0x10 [ 69.681609][ T5068] [ 69.681621][ T5068] The buggy address belongs to the virtual mapping at [ 69.681621][ T5068] [ffffc90003b80000, ffffc90003b89000) created by: [ 69.681621][ T5068] copy_process+0x5d1/0x3df0 [ 69.687419][ T5067] __traceiter_ext4_drop_inode+0x76/0xd0 [ 69.689926][ T5068] [ 69.689934][ T5068] The buggy address belongs to the physical page: [ 69.695587][ T5067] ext4_drop_inode+0x20a/0x270 [ 69.700690][ T5068] page:ffffea0001fc66c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f19b [ 69.706283][ T5067] ? __pfx_ext4_drop_inode+0x10/0x10 [ 69.712635][ T5068] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 69.716807][ T5067] iput+0x45e/0x900 [ 69.723660][ T5068] page_type: 0xffffffff() [ 69.725999][ T5067] vfs_rmdir+0x38f/0x4c0 [ 69.745257][ T5068] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 69.751230][ T5067] do_rmdir+0x3b5/0x580 [ 69.753532][ T5068] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 69.759949][ T5067] ? __pfx_do_rmdir+0x10/0x10 [ 69.765036][ T5068] page dumped because: kasan: bad access detected [ 69.775331][ T5067] ? strncpy_from_user+0x1a4/0x2f0 [ 69.780715][ T5068] page_owner tracks the page as allocated [ 69.780728][ T5068] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5065, tgid 5065 (syz-executor311), ts 68918043920, free_ts 58778880861 [ 69.788923][ T5067] __x64_sys_rmdir+0x49/0x60 [ 69.792807][ T5068] post_alloc_hook+0x1ea/0x210 [ 69.797126][ T5067] do_syscall_64+0xfb/0x240 [ 69.801355][ T5068] get_page_from_freelist+0x33ea/0x3580 [ 69.810303][ T5067] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 69.814625][ T5068] __alloc_pages+0x256/0x680 [ 69.823361][ T5067] RIP: 0033:0x7ff2bfd2ffb7 [ 69.828160][ T5068] alloc_pages_mpol+0x3de/0x650 [ 69.834621][ T5067] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 69.839843][ T5068] __vmalloc_node_range+0x9a4/0x14a0 [ 69.845745][ T5067] RSP: 002b:00007ffcc67298e8 EFLAGS: 00000207 [ 69.866047][ T5068] dup_task_struct+0x3e9/0x7d0 [ 69.871077][ T5067] ORIG_RAX: 0000000000000054 [ 69.875947][ T5068] copy_process+0x5d1/0x3df0 [ 69.880633][ T5067] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff2bfd2ffb7 [ 69.886851][ T5068] kernel_clone+0x21e/0x8d0 [ 69.893088][ T5067] RDX: fffffffffffff000 RSI: 0000000000000000 RDI: 00007ffcc672aa10 [ 69.898143][ T5068] __x64_sys_clone+0x258/0x2a0 [ 69.902730][ T5067] RBP: 0000000000000065 R08: 00005555899df73b R09: 0000000000000000 [ 69.908109][ T5068] do_syscall_64+0xfb/0x240 [ 69.929467][ T5067] R10: 0000000000000100 R11: 0000000000000207 R12: 00007ffcc672aa10 [ 69.934922][ T5068] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 69.941067][ T5067] R13: 00005555899df6c0 R14: 00007ffcc672aa10 R15: 0000000000000001 [ 69.946006][ T5068] page last free pid 5037 tgid 5037 stack trace: [ 69.950681][ T5067] [ 69.955357][ T5068] free_unref_page_prepare+0x968/0xa90 [ 69.964566][ T5067] Modules linked in: [ 69.969325][ T5068] free_unref_page+0x37/0x3f0 [ 69.969363][ T5068] pipe_read+0x6f2/0x13e0 [ 69.969381][ T5068] vfs_read+0x97b/0xb70 [ 69.969395][ T5068] ksys_read+0x1a0/0x2c0 [ 69.978840][ T5067] CR2: ffffc90003b58000 [ 69.983867][ T5068] do_syscall_64+0xfb/0x240 [ 69.992098][ T5067] ---[ end trace 0000000000000000 ]--- [ 69.996805][ T5068] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 70.005296][ T5067] RIP: 0010:hash+0xd3/0x410 [ 70.011800][ T5068] [ 70.019846][ T5067] Code: ff df 0f b6 04 10 84 c0 0f 85 a7 00 00 00 45 03 6f f4 49 8d 7c 24 04 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 b3 00 00 00 <41> 03 5f f8 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 [ 70.026301][ T5068] Memory state around the buggy address: [ 70.026313][ T5068] ffffc90003b87a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 70.029303][ T5067] RSP: 0018:ffffc90003b57ad8 EFLAGS: 00010286 [ 70.034765][ T5068] ffffc90003b87b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 70.038771][ T5067] [ 70.038785][ T5067] RAX: 0000000000000000 RBX: 000000007a0bd864 RCX: ffffffff81b5da0b [ 70.043814][ T5068] >ffffc90003b87b80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 [ 70.048563][ T5067] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc90003b58000 [ 70.052989][ T5068] ^ [ 70.057390][ T5067] RBP: 00000000e16c5d2c R08: ffffffff81b5d8f0 R09: 1ffffffff2598ea0 [ 70.061533][ T5068] ffffc90003b87c00: 00 00 f2 f2 00 00 f3 f3 00 00 00 00 00 00 00 00 [ 70.066377][ T5067] R10: dffffc0000000000 R11: ffffffffa0001c58 R12: ffffc90003b57ffc [ 70.072163][ T5068] ffffc90003b87c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 70.078382][ T5067] R13: 000000004e7bdfe8 R14: 000000003ffffe60 R15: ffffc90003b58008 [ 70.083059][ T5068] ================================================================== [ 70.083460][ T5068] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 70.085571][ T5067] FS: 00005555899de380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 [ 70.085589][ T5067] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 70.085600][ T5067] CR2: ffffc90003b58000 CR3: 000000007851e000 CR4: 00000000003506f0 [ 70.085615][ T5067] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 70.085624][ T5067] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 71.219427][ T5068] Shutting down cpus with NMI [ 71.412024][ T5068] Kernel Offset: disabled [ 71.416939][ T5068] Rebooting in 86400 seconds..