./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor898970728 <...> Warning: Permanently added '10.128.1.45' (ED25519) to the list of known hosts. execve("./syz-executor898970728", ["./syz-executor898970728"], 0x7ffda9519dd0 /* 10 vars */) = 0 brk(NULL) = 0x555555ee1000 brk(0x555555ee1d00) = 0x555555ee1d00 arch_prctl(ARCH_SET_FS, 0x555555ee1380) = 0 set_tid_address(0x555555ee1650) = 5057 set_robust_list(0x555555ee1660, 24) = 0 rseq(0x555555ee1ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor898970728", 4096) = 27 getrandom("\xd8\xbf\xd5\x09\x89\xf3\xba\x17", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555555ee1d00 brk(0x555555f02d00) = 0x555555f02d00 brk(0x555555f03000) = 0x555555f03000 mprotect(0x7f2690d75000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.UACUaw", 0700) = 0 chmod("./syzkaller.UACUaw", 0777) = 0 chdir("./syzkaller.UACUaw") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5059 attached [pid 5059] set_robust_list(0x555555ee1660, 24 [pid 5057] <... clone resumed>, child_tidptr=0x555555ee1650) = 5059 [pid 5059] <... set_robust_list resumed>) = 0 [pid 5059] chdir("./0") = 0 [pid 5059] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5059] setpgid(0, 0) = 0 [pid 5059] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5059] write(3, "1000", 4) = 4 [pid 5059] close(3) = 0 [pid 5059] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5059] memfd_create("syzkaller", 0) = 3 [pid 5059] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f26888c1000 [pid 5059] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5059] munmap(0x7f26888c1000, 138412032) = 0 [pid 5059] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5059] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5059] close(3) = 0 [pid 5059] mkdir("./file2", 0777) = 0 [ 57.160626][ T5059] loop0: detected capacity change from 0 to 8192 [ 57.186562][ T5059] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 57.199623][ T5059] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 57.209012][ T5059] REISERFS (device loop0): using ordered data mode [ 57.215568][ T5059] reiserfs: using flush barriers [ 57.222301][ T5059] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 57.238922][ T5059] REISERFS (device loop0): checking transaction log (loop0) [ 57.248612][ T5059] REISERFS (device loop0): Using tea hash to sort names [pid 5059] mount("/dev/loop0", "./file2", "reiserfs", MS_NODEV|MS_NOEXEC|MS_SYNCHRONOUS|MS_SILENT|MS_POSIXACL, "") = 0 [pid 5059] openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3 [pid 5059] chdir("./file2") = 0 [pid 5059] ioctl(4, LOOP_CLR_FD) = 0 [pid 5059] close(4) = 0 [pid 5059] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_NOCTTY|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|FASYNC, 000) = 4 [pid 5059] openat(AT_FDCWD, "blkio.bfq.time", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5 [ 57.256549][ T5059] REISERFS warning (device loop0): jdm-13090 reiserfs_new_inode: ACLs aren't enabled in the fs, but vfs thinks they are! [ 57.269416][ T5059] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [pid 5059] write(5, "\x2e\x2f\x66\x69\x6c\x65\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x66\x69\x6c\x65\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 5059] ftruncate(5, 3676) = 0 [pid 5059] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 5059] write(6, "\x74\x61\x72\x67\x65\x74\x20\x64\x65\x66\x61\x75\x6c\x74\x00", 15) = 15 [pid 5059] exit_group(0) = ? [pid 5059] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5059, si_uid=0, si_status=0, si_utime=0, si_stime=14 /* 0.14 s */} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555ee26f0 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("./0/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file2", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555eea730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555eea730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file2") = 0 getdents64(3, 0x555555ee26f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5061 attached , child_tidptr=0x555555ee1650) = 5061 [pid 5061] set_robust_list(0x555555ee1660, 24) = 0 [pid 5061] chdir("./1") = 0 [pid 5061] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5061] setpgid(0, 0) = 0 [pid 5061] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5061] write(3, "1000", 4) = 4 [pid 5061] close(3) = 0 [pid 5061] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5061] memfd_create("syzkaller", 0) = 3 [pid 5061] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f26888c1000 [pid 5061] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5061] munmap(0x7f26888c1000, 138412032) = 0 [pid 5061] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5061] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5061] close(3) = 0 [pid 5061] mkdir("./file2", 0777) = 0 [ 57.660678][ T5061] loop0: detected capacity change from 0 to 8192 [ 57.681900][ T5061] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 57.694887][ T5061] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 57.704168][ T5061] REISERFS (device loop0): using ordered data mode [ 57.710673][ T5061] reiserfs: using flush barriers [ 57.716737][ T5061] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 57.733095][ T5061] REISERFS (device loop0): checking transaction log (loop0) [ 57.741633][ T5061] REISERFS (device loop0): Using tea hash to sort names [pid 5061] mount("/dev/loop0", "./file2", "reiserfs", MS_NODEV|MS_NOEXEC|MS_SYNCHRONOUS|MS_SILENT|MS_POSIXACL, "") = 0 [pid 5061] openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3 [pid 5061] chdir("./file2") = 0 [pid 5061] ioctl(4, LOOP_CLR_FD) = 0 [pid 5061] close(4) = 0 [pid 5061] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_NOCTTY|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|FASYNC, 000) = 4 [pid 5061] openat(AT_FDCWD, "blkio.bfq.time", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5 [ 57.748822][ T5061] REISERFS warning (device loop0): jdm-13090 reiserfs_new_inode: ACLs aren't enabled in the fs, but vfs thinks they are! [ 57.761547][ T5061] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [pid 5061] write(5, "\x2e\x2f\x66\x69\x6c\x65\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x66\x69\x6c\x65\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 5061] ftruncate(5, 3676) = 0 [pid 5061] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 5061] write(6, "\x74\x61\x72\x67\x65\x74\x20\x64\x65\x66\x61\x75\x6c\x74\x00", 15) = 15 [pid 5061] exit_group(0) = ? [pid 5061] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5061, si_uid=0, si_status=0, si_utime=0, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555ee26f0 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 umount2("./1/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file2", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555eea730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555eea730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file2") = 0 getdents64(3, 0x555555ee26f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5063 attached , child_tidptr=0x555555ee1650) = 5063 [pid 5063] set_robust_list(0x555555ee1660, 24) = 0 [pid 5063] chdir("./2") = 0 [pid 5063] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5063] setpgid(0, 0) = 0 [pid 5063] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5063] write(3, "1000", 4) = 4 [pid 5063] close(3) = 0 [pid 5063] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5063] memfd_create("syzkaller", 0) = 3 [pid 5063] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f26888c1000 [pid 5063] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5063] munmap(0x7f26888c1000, 138412032) = 0 [pid 5063] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5063] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5063] close(3) = 0 [pid 5063] mkdir("./file2", 0777) = 0 [ 58.218650][ T5063] loop0: detected capacity change from 0 to 8192 [ 58.232660][ T5063] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 58.246041][ T5063] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 58.255386][ T5063] REISERFS (device loop0): using ordered data mode [ 58.261895][ T5063] reiserfs: using flush barriers [ 58.268216][ T5063] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 58.284696][ T5063] REISERFS (device loop0): checking transaction log (loop0) [ 58.292862][ T5063] REISERFS (device loop0): Using tea hash to sort names [ 58.300121][ T5063] REISERFS warning (device loop0): jdm-13090 reiserfs_new_inode: ACLs aren't enabled in the fs, but vfs thinks they are! [pid 5063] mount("/dev/loop0", "./file2", "reiserfs", MS_NODEV|MS_NOEXEC|MS_SYNCHRONOUS|MS_SILENT|MS_POSIXACL, "") = 0 [pid 5063] openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3 [pid 5063] chdir("./file2") = 0 [pid 5063] ioctl(4, LOOP_CLR_FD) = 0 [pid 5063] close(4) = 0 [pid 5063] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_NOCTTY|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|FASYNC, 000) = 4 [pid 5063] openat(AT_FDCWD, "blkio.bfq.time", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5 [ 58.312838][ T5063] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [pid 5063] write(5, "\x2e\x2f\x66\x69\x6c\x65\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x66\x69\x6c\x65\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 5063] ftruncate(5, 3676) = 0 [pid 5063] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 5063] write(6, "\x74\x61\x72\x67\x65\x74\x20\x64\x65\x66\x61\x75\x6c\x74\x00", 15) = 15 [pid 5063] exit_group(0) = ? [pid 5063] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5063, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=10 /* 0.10 s */} --- umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555ee26f0 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 umount2("./2/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file2", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555eea730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555eea730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file2") = 0 getdents64(3, 0x555555ee26f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5065 attached , child_tidptr=0x555555ee1650) = 5065 [pid 5065] set_robust_list(0x555555ee1660, 24) = 0 [pid 5065] chdir("./3") = 0 [pid 5065] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5065] setpgid(0, 0) = 0 [pid 5065] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5065] write(3, "1000", 4) = 4 [pid 5065] close(3) = 0 [pid 5065] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5065] memfd_create("syzkaller", 0) = 3 [pid 5065] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f26888c1000 [pid 5065] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5065] munmap(0x7f26888c1000, 138412032) = 0 [pid 5065] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5065] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5065] close(3) = 0 [pid 5065] mkdir("./file2", 0777) = 0 [ 58.649739][ T5065] loop0: detected capacity change from 0 to 8192 [ 58.664374][ T5065] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 58.677357][ T5065] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 58.686735][ T5065] REISERFS (device loop0): using ordered data mode [ 58.693240][ T5065] reiserfs: using flush barriers [ 58.699271][ T5065] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 58.715978][ T5065] REISERFS (device loop0): checking transaction log (loop0) [ 58.724275][ T5065] REISERFS (device loop0): Using tea hash to sort names [ 58.731493][ T5065] REISERFS warning (device loop0): jdm-13090 reiserfs_new_inode: ACLs aren't enabled in the fs, but vfs thinks they are! [pid 5065] mount("/dev/loop0", "./file2", "reiserfs", MS_NODEV|MS_NOEXEC|MS_SYNCHRONOUS|MS_SILENT|MS_POSIXACL, "") = 0 [pid 5065] openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3 [pid 5065] chdir("./file2") = 0 [pid 5065] ioctl(4, LOOP_CLR_FD) = 0 [pid 5065] close(4) = 0 [pid 5065] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_NOCTTY|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|FASYNC, 000) = 4 [pid 5065] openat(AT_FDCWD, "blkio.bfq.time", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5 [ 58.744299][ T5065] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [pid 5065] write(5, "\x2e\x2f\x66\x69\x6c\x65\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x66\x69\x6c\x65\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 5065] ftruncate(5, 3676) = 0 [pid 5065] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 5065] write(6, "\x74\x61\x72\x67\x65\x74\x20\x64\x65\x66\x61\x75\x6c\x74\x00", 15) = 15 [pid 5065] exit_group(0) = ? [pid 5065] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5065, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555ee26f0 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 umount2("./3/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file2", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555eea730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555eea730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file2") = 0 getdents64(3, 0x555555ee26f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5067 attached , child_tidptr=0x555555ee1650) = 5067 [pid 5067] set_robust_list(0x555555ee1660, 24) = 0 [pid 5067] chdir("./4") = 0 [pid 5067] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5067] setpgid(0, 0) = 0 [pid 5067] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5067] write(3, "1000", 4) = 4 [pid 5067] close(3) = 0 [pid 5067] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5067] memfd_create("syzkaller", 0) = 3 [pid 5067] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f26888c1000 [pid 5067] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5067] munmap(0x7f26888c1000, 138412032) = 0 [pid 5067] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5067] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5067] close(3) = 0 [pid 5067] mkdir("./file2", 0777) = 0 [ 59.121236][ T5067] loop0: detected capacity change from 0 to 8192 [ 59.147040][ T5067] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 59.160065][ T5067] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 59.169312][ T5067] REISERFS (device loop0): using ordered data mode [ 59.176056][ T5067] reiserfs: using flush barriers [ 59.182053][ T5067] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 59.198730][ T5067] REISERFS (device loop0): checking transaction log (loop0) [ 59.207120][ T5067] REISERFS (device loop0): Using tea hash to sort names [pid 5067] mount("/dev/loop0", "./file2", "reiserfs", MS_NODEV|MS_NOEXEC|MS_SYNCHRONOUS|MS_SILENT|MS_POSIXACL, "") = 0 [pid 5067] openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3 [pid 5067] chdir("./file2") = 0 [pid 5067] ioctl(4, LOOP_CLR_FD) = 0 [pid 5067] close(4) = 0 [pid 5067] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_NOCTTY|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|FASYNC, 000) = 4 [pid 5067] openat(AT_FDCWD, "blkio.bfq.time", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5 [ 59.214537][ T5067] REISERFS warning (device loop0): jdm-13090 reiserfs_new_inode: ACLs aren't enabled in the fs, but vfs thinks they are! [ 59.227256][ T5067] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [pid 5067] write(5, "\x2e\x2f\x66\x69\x6c\x65\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x66\x69\x6c\x65\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 5067] ftruncate(5, 3676) = 0 [pid 5067] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 5067] write(6, "\x74\x61\x72\x67\x65\x74\x20\x64\x65\x66\x61\x75\x6c\x74\x00", 15) = 15 [pid 5067] exit_group(0) = ? [pid 5067] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5067, si_uid=0, si_status=0, si_utime=0, si_stime=16 /* 0.16 s */} --- umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555ee26f0 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 umount2("./4/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file2", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555eea730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555eea730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file2") = 0 getdents64(3, 0x555555ee26f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5069 attached , child_tidptr=0x555555ee1650) = 5069 [pid 5069] set_robust_list(0x555555ee1660, 24) = 0 [pid 5069] chdir("./5") = 0 [pid 5069] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5069] setpgid(0, 0) = 0 [pid 5069] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5069] write(3, "1000", 4) = 4 [pid 5069] close(3) = 0 [pid 5069] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5069] memfd_create("syzkaller", 0) = 3 [pid 5069] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f26888c1000 [pid 5069] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5069] munmap(0x7f26888c1000, 138412032) = 0 [pid 5069] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5069] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5069] close(3) = 0 [pid 5069] mkdir("./file2", 0777) = 0 [ 59.693042][ T5069] loop0: detected capacity change from 0 to 8192 [ 59.708240][ T5069] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 59.721229][ T5069] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 59.730456][ T5069] REISERFS (device loop0): using ordered data mode [ 59.736986][ T5069] reiserfs: using flush barriers [ 59.743176][ T5069] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 59.759712][ T5069] REISERFS (device loop0): checking transaction log (loop0) [ 59.767823][ T5069] REISERFS (device loop0): Using tea hash to sort names [ 59.775006][ T5069] REISERFS warning (device loop0): jdm-13090 reiserfs_new_inode: ACLs aren't enabled in the fs, but vfs thinks they are! [pid 5069] mount("/dev/loop0", "./file2", "reiserfs", MS_NODEV|MS_NOEXEC|MS_SYNCHRONOUS|MS_SILENT|MS_POSIXACL, "") = 0 [pid 5069] openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3 [pid 5069] chdir("./file2") = 0 [pid 5069] ioctl(4, LOOP_CLR_FD) = 0 [pid 5069] close(4) = 0 [pid 5069] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_NOCTTY|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|FASYNC, 000) = 4 [ 59.787764][ T5069] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [pid 5069] openat(AT_FDCWD, "blkio.bfq.time", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5 [pid 5069] write(5, "\x2e\x2f\x66\x69\x6c\x65\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x66\x69\x6c\x65\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 5069] ftruncate(5, 3676) = 0 [pid 5069] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [ 59.879406][ T5069] ================================================================== [ 59.887497][ T5069] BUG: KASAN: use-after-free in leaf_paste_in_buffer+0x635/0xab0 [ 59.895223][ T5069] Read of size 48 at addr ffff888077d6aff0 by task syz-executor898/5069 [ 59.903532][ T5069] [ 59.905850][ T5069] CPU: 0 PID: 5069 Comm: syz-executor898 Not tainted 6.6.0-syzkaller-16201-gb57b17e88bf5 #0 [ 59.915923][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 59.925972][ T5069] Call Trace: [ 59.929241][ T5069] [ 59.932158][ T5069] dump_stack_lvl+0x1e7/0x2d0 [ 59.936841][ T5069] ? nf_tcp_handle_invalid+0x650/0x650 [ 59.942287][ T5069] ? panic+0x850/0x850 [ 59.946367][ T5069] ? _printk+0xd5/0x120 [ 59.950515][ T5069] print_report+0x163/0x540 [ 59.955039][ T5069] ? __virt_addr_valid+0x22f/0x2e0 [ 59.960143][ T5069] ? __phys_addr+0xba/0x170 [ 59.964630][ T5069] ? leaf_paste_in_buffer+0x635/0xab0 [ 59.969992][ T5069] kasan_report+0x142/0x170 [ 59.974484][ T5069] ? leaf_paste_in_buffer+0x635/0xab0 [ 59.979846][ T5069] kasan_check_range+0x27e/0x290 [ 59.984766][ T5069] ? leaf_paste_in_buffer+0x635/0xab0 [ 59.990125][ T5069] __asan_memcpy+0x29/0x70 [ 59.994529][ T5069] leaf_paste_in_buffer+0x635/0xab0 [ 59.999718][ T5069] leaf_copy_dir_entries+0x71e/0xc60 [ 60.005004][ T5069] ? leaf_copy_items_entirely+0xee0/0xee0 [ 60.010713][ T5069] leaf_copy_boundary_item+0xbbe/0x21b0 [ 60.016429][ T5069] leaf_move_items+0xd1a/0x2960 [ 60.021265][ T5069] ? page_ext_put+0x9c/0xb0 [ 60.025762][ T5069] ? mark_lock+0x9a/0x340 [ 60.030088][ T5069] ? reiserfs_convert_objectid_map_v1+0x460/0x460 [ 60.036489][ T5069] ? __lock_acquire+0x1345/0x7f70 [ 60.041501][ T5069] ? __lock_acquire+0x1345/0x7f70 [ 60.046514][ T5069] leaf_shift_left+0xbe/0x430 [ 60.051178][ T5069] balance_leaf+0x15d1/0x12510 [ 60.055931][ T5069] ? kernel_text_address+0xa3/0xe0 [ 60.061027][ T5069] ? __kernel_text_address+0xd/0x40 [ 60.066215][ T5069] ? unwind_get_return_address+0x91/0xc0 [ 60.071833][ T5069] ? entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 60.077894][ T5069] ? do_balance+0x8f0/0x8f0 [ 60.082479][ T5069] ? __mutex_trylock_common+0x182/0x2e0 [ 60.088015][ T5069] ? __might_sleep+0xc0/0xc0 [ 60.092593][ T5069] ? trace_raw_output_contention_end+0xd0/0xd0 [ 60.098729][ T5069] ? rcu_is_watching+0x15/0xb0 [ 60.103482][ T5069] ? trace_contention_end+0x3c/0xf0 [ 60.108662][ T5069] ? __mutex_lock+0x2ee/0xd60 [ 60.113328][ T5069] ? __mutex_unlock_slowpath+0x21c/0x750 [ 60.118948][ T5069] ? reiserfs_write_lock_nested+0x5f/0xd0 [ 60.124653][ T5069] ? get_empty_nodes+0x5dd/0xd90 [ 60.129576][ T5069] ? mutex_lock_nested+0x20/0x20 [ 60.134502][ T5069] ? get_neighbors+0x1010/0x1010 [ 60.139509][ T5069] ? __wake_up+0x10/0x10 [ 60.143737][ T5069] ? get_neighbors+0xab3/0x1010 [ 60.148574][ T5069] ? reiserfs_prepare_for_journal+0x26d/0x280 [ 60.154623][ T5069] ? fix_nodes+0x7b03/0x8ce0 [ 60.159214][ T5069] do_balance+0x30d/0x8f0 [ 60.163529][ T5069] ? get_right_neighbor_position+0x210/0x210 [ 60.169594][ T5069] ? reiserfs_insert_item+0x60e/0xc30 [ 60.174954][ T5069] reiserfs_insert_item+0xacc/0xc30 [ 60.180141][ T5069] ? reiserfs_paste_into_item+0x870/0x870 [ 60.185871][ T5069] ? show_alloc_options+0xc00/0xc00 [ 60.191054][ T5069] ? journal_begin+0x1f3/0x360 [ 60.195805][ T5069] ? copy_item_head+0x22/0x30 [ 60.200467][ T5069] ? reiserfs_get_block+0x1fe4/0x5130 [ 60.205825][ T5069] reiserfs_get_block+0x20ae/0x5130 [ 60.211110][ T5069] ? make_le_item_head+0x570/0x570 [ 60.216210][ T5069] ? kmem_cache_alloc+0x1be/0x350 [ 60.221218][ T5069] ? alloc_buffer_head+0x2d/0x2a0 [ 60.226227][ T5069] ? folio_alloc_buffers+0x34d/0x8e0 [ 60.231496][ T5069] ? __block_write_begin_int+0x1f4/0x1ac0 [ 60.237203][ T5069] ? reiserfs_write_begin+0x24d/0x520 [ 60.242561][ T5069] ? vfs_write+0x792/0xb20 [ 60.246962][ T5069] ? verify_lock_unused+0x140/0x140 [ 60.252154][ T5069] ? __asan_memset+0x23/0x40 [ 60.256735][ T5069] ? create_empty_buffers+0x53e/0x740 [ 60.262102][ T5069] ? do_raw_spin_unlock+0x13b/0x8b0 [ 60.267307][ T5069] ? _raw_spin_unlock+0x28/0x40 [ 60.272142][ T5069] ? create_empty_buffers+0x53e/0x740 [ 60.277505][ T5069] __block_write_begin_int+0x54d/0x1ac0 [ 60.283052][ T5069] ? make_le_item_head+0x570/0x570 [ 60.288145][ T5069] ? folio_zero_new_buffers+0x530/0x530 [ 60.293683][ T5069] ? __block_write_begin+0x64/0x150 [ 60.298869][ T5069] reiserfs_write_begin+0x24d/0x520 [ 60.304067][ T5069] generic_perform_write+0x31b/0x630 [ 60.309345][ T5069] ? generic_file_direct_write+0x3f0/0x3f0 [ 60.315147][ T5069] ? __generic_file_write_iter+0x101/0x230 [ 60.320942][ T5069] generic_file_write_iter+0xaf/0x310 [ 60.326303][ T5069] vfs_write+0x792/0xb20 [ 60.330534][ T5069] ? file_end_write+0x250/0x250 [ 60.335374][ T5069] ? lockdep_hardirqs_on+0x98/0x140 [ 60.340561][ T5069] ? __fdget_pos+0x2c7/0x340 [ 60.345139][ T5069] ksys_write+0x1a0/0x2c0 [ 60.349454][ T5069] ? __ia32_sys_read+0x90/0x90 [ 60.354201][ T5069] ? syscall_enter_from_user_mode+0x32/0x230 [ 60.360172][ T5069] ? syscall_enter_from_user_mode+0x8c/0x230 [ 60.366139][ T5069] do_syscall_64+0x44/0x110 [ 60.370628][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 60.376517][ T5069] RIP: 0033:0x7f2690d00229 [ 60.380918][ T5069] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 60.400505][ T5069] RSP: 002b:00007ffda522ff68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 60.408903][ T5069] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2690d00229 [ 60.416862][ T5069] RDX: 000000000000000f RSI: 0000000020000100 RDI: 0000000000000006 [ 60.424818][ T5069] RBP: 0000000000000000 R08: 00007ffda522ffa0 R09: 00007ffda522ffa0 [ 60.432770][ T5069] R10: 00007ffda522ffa0 R11: 0000000000000246 R12: 00007ffda522ff8c [ 60.440743][ T5069] R13: 0000000000000005 R14: 431bde82d7b634db R15: 00007ffda522ffc0 [ 60.448728][ T5069] [ 60.451750][ T5069] [ 60.454060][ T5069] The buggy address belongs to the physical page: [ 60.460543][ T5069] page:ffffea0001df5a80 refcount:3 mapcount:0 mapping:ffff88801b083678 index:0x214 pfn:0x77d6a [ 60.470853][ T5069] memcg:ffff888016262000 [ 60.475078][ T5069] aops:def_blk_aops ino:700000 [ 60.479826][ T5069] flags: 0xfff00000008104(referenced|active|private|node=0|zone=1|lastcpupid=0x7ff) [ 60.489189][ T5069] page_type: 0xffffffff() [ 60.493511][ T5069] raw: 00fff00000008104 0000000000000000 dead000000000122 ffff88801b083678 [ 60.502164][ T5069] raw: 0000000000000214 ffff88807ca31570 00000003ffffffff ffff888016262000 [ 60.510752][ T5069] page dumped because: kasan: bad access detected [ 60.517161][ T5069] page_owner tracks the page as allocated [ 60.522864][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5069, tgid 5069 (syz-executor898), ts 59867192679, free_ts 59866961221 [ 60.543518][ T5069] post_alloc_hook+0x1e6/0x210 [ 60.548278][ T5069] get_page_from_freelist+0x339a/0x3530 [ 60.553806][ T5069] __alloc_pages+0x255/0x670 [ 60.558379][ T5069] alloc_pages_mpol+0x3de/0x640 [ 60.563215][ T5069] folio_alloc+0x12a/0x330 [ 60.567619][ T5069] filemap_alloc_folio+0xde/0x500 [ 60.572628][ T5069] __filemap_get_folio+0x431/0xbb0 [ 60.577724][ T5069] bdev_getblk+0x246/0x6d0 [ 60.582128][ T5069] get_empty_nodes+0x719/0xd90 [ 60.586879][ T5069] fix_nodes+0x261b/0x8ce0 [ 60.591279][ T5069] reiserfs_insert_item+0x9e8/0xc30 [ 60.596494][ T5069] indirect2direct+0x699/0xc00 [ 60.601320][ T5069] reiserfs_cut_from_item+0xba6/0x2580 [ 60.606773][ T5069] reiserfs_do_truncate+0x9b9/0x14c0 [ 60.612045][ T5069] reiserfs_truncate_file+0x4da/0x820 [ 60.617402][ T5069] reiserfs_setattr+0xbc9/0x1140 [ 60.622323][ T5069] page last free stack trace: [ 60.626973][ T5069] free_unref_page_prepare+0x92a/0xa50 [ 60.632437][ T5069] free_unref_page_list+0x596/0x830 [ 60.637638][ T5069] release_pages+0x2113/0x23f0 [ 60.642404][ T5069] __folio_batch_release+0x84/0x100 [ 60.647591][ T5069] truncate_inode_pages_range+0x45d/0x11a0 [ 60.653389][ T5069] truncate_setsize+0xcf/0xf0 [ 60.658054][ T5069] reiserfs_setattr+0xbbc/0x1140 [ 60.662978][ T5069] notify_change+0xb99/0xe60 [ 60.667553][ T5069] do_truncate+0x220/0x300 [ 60.671957][ T5069] do_sys_ftruncate+0x2f3/0x390 [ 60.676788][ T5069] do_syscall_64+0x44/0x110 [ 60.681276][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 60.687156][ T5069] [ 60.689462][ T5069] Memory state around the buggy address: [ 60.695070][ T5069] ffff888077d6af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 60.703128][ T5069] ffff888077d6af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 60.711180][ T5069] >ffff888077d6b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.719227][ T5069] ^ [ 60.723274][ T5069] ffff888077d6b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.731316][ T5069] ffff888077d6b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.739357][ T5069] ================================================================== [ 60.747933][ T5069] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 60.755133][ T5069] CPU: 0 PID: 5069 Comm: syz-executor898 Not tainted 6.6.0-syzkaller-16201-gb57b17e88bf5 #0 [ 60.765204][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 60.775259][ T5069] Call Trace: [ 60.778529][ T5069] [ 60.781452][ T5069] dump_stack_lvl+0x1e7/0x2d0 [ 60.786127][ T5069] ? nf_tcp_handle_invalid+0x650/0x650 [ 60.791577][ T5069] ? panic+0x850/0x850 [ 60.795645][ T5069] ? vscnprintf+0x5d/0x80 [ 60.799961][ T5069] panic+0x349/0x850 [ 60.803934][ T5069] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 60.810081][ T5069] ? check_panic_on_warn+0x21/0xa0 [ 60.815180][ T5069] ? __memcpy_flushcache+0x2b0/0x2b0 [ 60.820459][ T5069] ? _raw_spin_unlock_irqrestore+0x12c/0x140 [ 60.826425][ T5069] ? _raw_spin_unlock+0x40/0x40 [ 60.831256][ T5069] ? print_report+0x4fb/0x540 [ 60.835919][ T5069] check_panic_on_warn+0x82/0xa0 [ 60.840840][ T5069] ? leaf_paste_in_buffer+0x635/0xab0 [ 60.846199][ T5069] end_report+0x6e/0x130 [ 60.850429][ T5069] kasan_report+0x153/0x170 [ 60.854918][ T5069] ? leaf_paste_in_buffer+0x635/0xab0 [ 60.860282][ T5069] kasan_check_range+0x27e/0x290 [ 60.865205][ T5069] ? leaf_paste_in_buffer+0x635/0xab0 [ 60.870563][ T5069] __asan_memcpy+0x29/0x70 [ 60.874967][ T5069] leaf_paste_in_buffer+0x635/0xab0 [ 60.880158][ T5069] leaf_copy_dir_entries+0x71e/0xc60 [ 60.885519][ T5069] ? leaf_copy_items_entirely+0xee0/0xee0 [ 60.891235][ T5069] leaf_copy_boundary_item+0xbbe/0x21b0 [ 60.896873][ T5069] leaf_move_items+0xd1a/0x2960 [ 60.901717][ T5069] ? page_ext_put+0x9c/0xb0 [ 60.906209][ T5069] ? mark_lock+0x9a/0x340 [ 60.910531][ T5069] ? reiserfs_convert_objectid_map_v1+0x460/0x460 [ 60.916933][ T5069] ? __lock_acquire+0x1345/0x7f70 [ 60.921945][ T5069] ? __lock_acquire+0x1345/0x7f70 [ 60.926960][ T5069] leaf_shift_left+0xbe/0x430 [ 60.931664][ T5069] balance_leaf+0x15d1/0x12510 [ 60.936434][ T5069] ? kernel_text_address+0xa3/0xe0 [ 60.941547][ T5069] ? __kernel_text_address+0xd/0x40 [ 60.946744][ T5069] ? unwind_get_return_address+0x91/0xc0 [ 60.952461][ T5069] ? entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 60.958530][ T5069] ? do_balance+0x8f0/0x8f0 [ 60.963022][ T5069] ? __mutex_trylock_common+0x182/0x2e0 [ 60.968726][ T5069] ? __might_sleep+0xc0/0xc0 [ 60.973317][ T5069] ? trace_raw_output_contention_end+0xd0/0xd0 [ 60.979457][ T5069] ? rcu_is_watching+0x15/0xb0 [ 60.984209][ T5069] ? trace_contention_end+0x3c/0xf0 [ 60.989484][ T5069] ? __mutex_lock+0x2ee/0xd60 [ 60.994153][ T5069] ? __mutex_unlock_slowpath+0x21c/0x750 [ 60.999772][ T5069] ? reiserfs_write_lock_nested+0x5f/0xd0 [ 61.005489][ T5069] ? get_empty_nodes+0x5dd/0xd90 [ 61.010414][ T5069] ? mutex_lock_nested+0x20/0x20 [ 61.015346][ T5069] ? get_neighbors+0x1010/0x1010 [ 61.020267][ T5069] ? __wake_up+0x10/0x10 [ 61.024497][ T5069] ? get_neighbors+0xab3/0x1010 [ 61.029333][ T5069] ? reiserfs_prepare_for_journal+0x26d/0x280 [ 61.035394][ T5069] ? fix_nodes+0x7b03/0x8ce0 [ 61.039978][ T5069] do_balance+0x30d/0x8f0 [ 61.044292][ T5069] ? get_right_neighbor_position+0x210/0x210 [ 61.050285][ T5069] ? reiserfs_insert_item+0x60e/0xc30 [ 61.055660][ T5069] reiserfs_insert_item+0xacc/0xc30 [ 61.060862][ T5069] ? reiserfs_paste_into_item+0x870/0x870 [ 61.066602][ T5069] ? show_alloc_options+0xc00/0xc00 [ 61.071879][ T5069] ? journal_begin+0x1f3/0x360 [ 61.076637][ T5069] ? copy_item_head+0x22/0x30 [ 61.081305][ T5069] ? reiserfs_get_block+0x1fe4/0x5130 [ 61.086672][ T5069] reiserfs_get_block+0x20ae/0x5130 [ 61.091878][ T5069] ? make_le_item_head+0x570/0x570 [ 61.096982][ T5069] ? kmem_cache_alloc+0x1be/0x350 [ 61.101996][ T5069] ? alloc_buffer_head+0x2d/0x2a0 [ 61.107011][ T5069] ? folio_alloc_buffers+0x34d/0x8e0 [ 61.112287][ T5069] ? __block_write_begin_int+0x1f4/0x1ac0 [ 61.117995][ T5069] ? reiserfs_write_begin+0x24d/0x520 [ 61.123354][ T5069] ? vfs_write+0x792/0xb20 [ 61.127763][ T5069] ? verify_lock_unused+0x140/0x140 [ 61.132957][ T5069] ? __asan_memset+0x23/0x40 [ 61.137538][ T5069] ? create_empty_buffers+0x53e/0x740 [ 61.142904][ T5069] ? do_raw_spin_unlock+0x13b/0x8b0 [ 61.148265][ T5069] ? _raw_spin_unlock+0x28/0x40 [ 61.153099][ T5069] ? create_empty_buffers+0x53e/0x740 [ 61.158462][ T5069] __block_write_begin_int+0x54d/0x1ac0 [ 61.164010][ T5069] ? make_le_item_head+0x570/0x570 [ 61.169109][ T5069] ? folio_zero_new_buffers+0x530/0x530 [ 61.174649][ T5069] ? __block_write_begin+0x64/0x150 [ 61.179836][ T5069] reiserfs_write_begin+0x24d/0x520 [ 61.185024][ T5069] generic_perform_write+0x31b/0x630 [ 61.190307][ T5069] ? generic_file_direct_write+0x3f0/0x3f0 [ 61.196104][ T5069] ? __generic_file_write_iter+0x101/0x230 [ 61.201929][ T5069] generic_file_write_iter+0xaf/0x310 [ 61.207295][ T5069] vfs_write+0x792/0xb20 [ 61.211623][ T5069] ? file_end_write+0x250/0x250 [ 61.216465][ T5069] ? lockdep_hardirqs_on+0x98/0x140 [ 61.221656][ T5069] ? __fdget_pos+0x2c7/0x340 [ 61.226246][ T5069] ksys_write+0x1a0/0x2c0 [ 61.230568][ T5069] ? __ia32_sys_read+0x90/0x90 [ 61.235321][ T5069] ? syscall_enter_from_user_mode+0x32/0x230 [ 61.241291][ T5069] ? syscall_enter_from_user_mode+0x8c/0x230 [ 61.247267][ T5069] do_syscall_64+0x44/0x110 [ 61.251770][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 61.257659][ T5069] RIP: 0033:0x7f2690d00229 [ 61.262061][ T5069] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 61.281648][ T5069] RSP: 002b:00007ffda522ff68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 61.290045][ T5069] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2690d00229 [ 61.298003][ T5069] RDX: 000000000000000f RSI: 0000000020000100 RDI: 0000000000000006 [ 61.305960][ T5069] RBP: 0000000000000000 R08: 00007ffda522ffa0 R09: 00007ffda522ffa0 [ 61.313916][ T5069] R10: 00007ffda522ffa0 R11: 0000000000000246 R12: 00007ffda522ff8c [ 61.321875][ T5069] R13: 0000000000000005 R14: 431bde82d7b634db R15: 00007ffda522ffc0 [ 61.329838][ T5069] [ 61.333066][ T5069] Kernel Offset: disabled [ 61.337378][ T5069] Rebooting in 86400 seconds..