./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor287620793 <...> Warning: Permanently added '10.128.1.72' (ED25519) to the list of known hosts. execve("./syz-executor287620793", ["./syz-executor287620793"], 0x7fff0fa4d360 /* 10 vars */) = 0 brk(NULL) = 0x55558ea94000 brk(0x55558ea94d40) = 0x55558ea94d40 arch_prctl(ARCH_SET_FS, 0x55558ea943c0) = 0 set_tid_address(0x55558ea94690) = 298 set_robust_list(0x55558ea946a0, 24) = 0 rseq(0x55558ea94ce0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor287620793", 4096) = 27 getrandom("\x3e\x7b\x60\x44\xfa\x63\x41\xdf", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55558ea94d40 brk(0x55558eab5d40) = 0x55558eab5d40 brk(0x55558eab6000) = 0x55558eab6000 mprotect(0x7f8d7d034000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 openat(AT_FDCWD, "/proc/self/make-it-fail", O_WRONLY) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_WRONLY) = 3 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXECexecuting program ) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558ea94690) = 299 ./strace-static-x86_64: Process 299 attached [pid 299] set_robust_list(0x55558ea946a0, 24) = 0 [pid 299] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 299] setpgid(0, 0) = 0 [pid 299] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 299] write(3, "1000", 4) = 4 [pid 299] close(3) = 0 [pid 299] write(1, "executing program\n", 18) = 18 [pid 299] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 299] rt_sigaction(SIGRT_1, {sa_handler=0x7f8d7cfd92a0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f8d7cfcb0b0}, NULL, 8) = 0 [pid 299] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 299] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f8d7cf4c000 [pid 299] mprotect(0x7f8d7cf4d000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 299] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 299] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f8d7cf6c990, parent_tid=0x7f8d7cf6c990, exit_signal=0, stack=0x7f8d7cf4c000, stack_size=0x20300, tls=0x7f8d7cf6c6c0} => {parent_tid=[300]}, 88) = 300 [pid 299] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 299] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 299] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 300 attached [pid 300] set_robust_list(0x7f8d7cf6c9a0, 24) = 0 [pid 300] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 300] mkdir("./file0", 000) = 0 [pid 300] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 299] <... futex resumed>) = 0 [pid 299] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 299] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 300] <... futex resumed>) = 1 [pid 300] openat(AT_FDCWD, "/dev/fuse", O_RDWR) = 3 [pid 300] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 299] <... futex resumed>) = 0 [pid 299] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 299] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 300] <... futex resumed>) = 1 [pid 300] mount(NULL, "./file0", "fuse", 0, "fd=0x0000000000000003,rootmode=00000000000000000040000,user_id=00000000000000000000,group_id=0000000"...) = 0 [pid 300] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 299] <... futex resumed>) = 0 [pid 299] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 299] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 300] <... futex resumed>) = 1 [pid 300] read(3, "\x68\x00\x00\x00\x1a\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x24\x00\x00\x00\x00\x00\x02\x00\xfb\xff\xff\x73\x01\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 8224) = 104 [pid 300] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 299] <... futex resumed>) = 0 [pid 299] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 299] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 300] <... futex resumed>) = 1 [ 29.135140][ T30] audit: type=1400 audit(1745793886.055:66): avc: denied { execmem } for pid=298 comm="syz-executor287" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [pid 300] read(3, [pid 299] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 299] futex(0x7f8d7d03a3fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 299] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f8d7cf2b000 [pid 299] mprotect(0x7f8d7cf2c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 299] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 299] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f8d7cf4b990, parent_tid=0x7f8d7cf4b990, exit_signal=0, stack=0x7f8d7cf2b000, stack_size=0x20300, tls=0x7f8d7cf4b6c0} => {parent_tid=[302]}, 88) = 302 [pid 299] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 299] futex(0x7f8d7d03a3f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 299] futex(0x7f8d7d03a3fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 302 attached [pid 302] set_robust_list(0x7f8d7cf4b9a0, 24) = 0 [pid 302] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 302] write(3, "\x50\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x26\x00\x00\x00\x01\x00\x01\x00\x4e\x76\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 80) = 80 [pid 302] futex(0x7f8d7d03a3fc, FUTEX_WAKE_PRIVATE, 1000000 [pid 299] <... futex resumed>) = 0 [pid 299] futex(0x7f8d7d03a3f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 299] futex(0x7f8d7d03a3fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 302] <... futex resumed>) = 1 [pid 302] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 302] write(4, "14", 2) = 2 [pid 302] creat("./file0/file0", 000 [pid 300] <... read resumed>"\x2e\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x01\x00\x00\x00\x00\x00\x00\x66\x69\x6c\x65\x30\x00", 8192) = 46 [pid 300] write(3, "\x90\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00"..., 144) = 144 [pid 300] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 29.167122][ T30] audit: type=1400 audit(1745793886.085:67): avc: denied { integrity } for pid=298 comm="syz-executor287" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1 [ 29.196574][ T30] audit: type=1400 audit(1745793886.085:68): avc: denied { read write } for pid=299 comm="syz-executor287" name="fuse" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 29.229035][ T30] audit: type=1400 audit(1745793886.085:69): avc: denied { open } for pid=299 comm="syz-executor287" path="/dev/fuse" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 29.235192][ T302] FAULT_INJECTION: forcing a failure. [ 29.235192][ T302] name failslab, interval 1, probability 0, space 0, times 1 [ 29.259265][ T30] audit: type=1400 audit(1745793886.085:70): avc: denied { mounton } for pid=299 comm="syz-executor287" path="/root/file0" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 29.273399][ T302] CPU: 1 PID: 302 Comm: syz-executor287 Not tainted 5.15.180-syzkaller-android13-5.15.180_r00 #0 [ 29.300693][ T30] audit: type=1400 audit(1745793886.085:71): avc: denied { mount } for pid=299 comm="syz-executor287" name="/" dev="fuse" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 [ 29.312981][ T302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 29.313014][ T302] Call Trace: [ 29.313022][ T302] [ 29.313030][ T302] __dump_stack+0x21/0x30 [ 29.366181][ T302] dump_stack_lvl+0xee/0x150 [ 29.371274][ T302] ? show_regs_print_info+0x20/0x20 [ 29.378023][ T302] dump_stack+0x15/0x20 [ 29.384732][ T302] should_fail+0x3c1/0x510 [ 29.390805][ T302] __should_failslab+0xa4/0xe0 [ 29.398002][ T302] should_failslab+0x9/0x20 [ 29.404999][ T302] slab_pre_alloc_hook+0x3b/0xe0 [ 29.410466][ T302] kmem_cache_alloc_trace+0x48/0x270 [ 29.415912][ T302] ? fuse_file_alloc+0xb1/0x240 [ 29.421826][ T302] fuse_file_alloc+0xb1/0x240 [ 29.427363][ T302] fuse_atomic_open+0x57e/0x2140 [ 29.433344][ T302] ? rcu_gp_kthread_wake+0x90/0x90 [ 29.440463][ T302] ? fuse_rename2+0x25f0/0x25f0 [ 29.445498][ T302] ? _raw_spin_unlock_irqrestore+0x5b/0x80 [ 29.452963][ T302] ? avc_xperms_populate+0x4d3/0x590 [ 29.458365][ T302] ? _raw_spin_unlock_irqrestore+0x5b/0x80 [ 29.465445][ T302] ? selinux_determine_inode_label+0x290/0x3e0 [ 29.472083][ T302] ? may_create+0x377/0x460 [ 29.476715][ T302] ? selinux_determine_inode_label+0x3e0/0x3e0 [ 29.484553][ T302] ? make_kgid+0x640/0x640 [ 29.489443][ T302] ? selinux_inode_create+0x22/0x30 [ 29.495713][ T302] ? security_inode_create+0xbd/0x110 [ 29.501745][ T302] ? fuse_rename2+0x25f0/0x25f0 [ 29.506830][ T302] path_openat+0xe31/0x2f10 [ 29.512079][ T302] ? do_filp_open+0x3e0/0x3e0 [ 29.517190][ T302] do_filp_open+0x1b3/0x3e0 [ 29.522895][ T302] ? vfs_tmpfile+0x2d0/0x2d0 [ 29.527690][ T302] do_sys_openat2+0x14c/0x7b0 [ 29.532661][ T302] ? _raw_spin_unlock_irq+0x4e/0x70 [ 29.538148][ T302] ? do_sys_open+0xe0/0xe0 [ 29.542876][ T302] ? do_notify_parent+0x800/0x800 [ 29.548583][ T302] ? __kasan_check_write+0x14/0x20 [ 29.554066][ T302] __x64_sys_creat+0x8e/0xb0 [ 29.559093][ T302] x64_sys_call+0x94a/0x9a0 [ 29.564731][ T302] do_syscall_64+0x4c/0xa0 [ 29.569216][ T302] ? clear_bhb_loop+0x35/0x90 [ 29.574168][ T302] ? clear_bhb_loop+0x35/0x90 [ 29.578997][ T302] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 29.585678][ T302] RIP: 0033:0x7f8d7cfb3819 [ 29.590485][ T302] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 1b 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 29.613341][ T302] RSP: 002b:00007f8d7cf4b208 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 [ 29.622441][ T302] RAX: ffffffffffffffda RBX: 00007f8d7d03a3f8 RCX: 00007f8d7cfb3819 [pid 300] futex(0x7f8d7d03a3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 299] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 299] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 300] <... futex resumed>) = 0 [pid 299] <... futex resumed>) = 1 [pid 300] read(3, [pid 299] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 302] <... creat resumed>) = -1 ENOMEM (Cannot allocate memory) [pid 302] futex(0x7f8d7d03a3fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 29.632625][ T302] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000180 [ 29.642306][ T302] RBP: 00007f8d7d03a3f0 R08: 00007f8d7cf4afa6 R09: 0000000000003431 [ 29.651454][ T302] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8d7d007344 [ 29.660152][ T302] R13: 00007f8d7cf4b210 R14: 0000000000000002 R15: 0000200000000180 [ 29.669753][ T302] [pid 302] futex(0x7f8d7d03a3f8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 299] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 299] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 299] exit_group(0 [pid 302] <... futex resumed>) = ? [pid 300] <... read resumed> ) = ? [pid 299] <... exit_group resumed>) = ? [pid 302] +++ exited with 0 +++ [pid 300] +++ exited with 0 +++ [pid 299] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=299, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 304 attached [pid 304] set_robust_list(0x55558ea946a0, 24) = 0 [pid 304] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 304] setpgid(0, 0) = 0 [pid 304] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 298] <... clone resumed>, child_tidptr=0x55558ea94690) = 304 [pid 304] <... openat resumed>) = 3 [pid 304] write(3, "1000", 4) = 4 [pid 304] close(3) = 0 executing program [pid 304] write(1, "executing program\n", 18) = 18 [pid 304] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] rt_sigaction(SIGRT_1, {sa_handler=0x7f8d7cfd92a0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f8d7cfcb0b0}, NULL, 8) = 0 [pid 304] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f8d7cf4c000 [pid 304] mprotect(0x7f8d7cf4d000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 304] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 304] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f8d7cf6c990, parent_tid=0x7f8d7cf6c990, exit_signal=0, stack=0x7f8d7cf4c000, stack_size=0x20300, tls=0x7f8d7cf6c6c0} => {parent_tid=[305]}, 88) = 305 [pid 304] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 304] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 305 attached [pid 305] set_robust_list(0x7f8d7cf6c9a0, 24) = 0 [pid 305] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 305] mkdir("./file0", 000) = -1 EEXIST (File exists) [pid 305] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... futex resumed>) = 1 [pid 305] openat(AT_FDCWD, "/dev/fuse", O_RDWR) = 3 [pid 305] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... futex resumed>) = 1 [pid 305] mount(NULL, "./file0", "fuse", 0, "fd=0x0000000000000003,rootmode=00000000000000000040000,user_id=00000000000000000000,group_id=0000000"...) = 0 [pid 305] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... futex resumed>) = 1 [pid 305] read(3, "\x68\x00\x00\x00\x1a\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x24\x00\x00\x00\x00\x00\x02\x00\xfb\xff\xff\x73\x01\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 8224) = 104 [pid 305] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... futex resumed>) = 1 [pid 305] read(3, [pid 304] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 304] futex(0x7f8d7d03a3fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f8d7cf2b000 [pid 304] mprotect(0x7f8d7cf2c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 304] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 304] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f8d7cf4b990, parent_tid=0x7f8d7cf4b990, exit_signal=0, stack=0x7f8d7cf2b000, stack_size=0x20300, tls=0x7f8d7cf4b6c0} => {parent_tid=[306]}, 88) = 306 [pid 304] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 304] futex(0x7f8d7d03a3f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f8d7d03a3fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 306 attached [pid 306] set_robust_list(0x7f8d7cf4b9a0, 24) = 0 [pid 306] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 306] write(3, "\x50\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x26\x00\x00\x00\x01\x00\x01\x00\x4e\x76\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 80) = 80 [pid 306] futex(0x7f8d7d03a3fc, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7f8d7d03a3f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7f8d7d03a3fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] <... futex resumed>) = 1 [pid 306] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 306] write(4, "14", 2) = 2 [pid 306] creat("./file0/file0", 000 [pid 305] <... read resumed>"\x2e\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x32\x01\x00\x00\x00\x00\x00\x00\x66\x69\x6c\x65\x30\x00", 8192) = 46 [pid 305] write(3, "\x90\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00"..., 144) = 144 [pid 305] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 29.868802][ T30] audit: type=1400 audit(1745793886.785:72): avc: denied { mounton } for pid=304 comm="syz-executor287" path="/root/file0" dev="fuse" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1 [pid 305] futex(0x7f8d7d03a3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 304] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 304] futex(0x7f8d7d03a3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 305] <... futex resumed>) = 0 [pid 304] <... futex resumed>) = 1 [pid 305] read(3, [pid 304] futex(0x7f8d7d03a3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... read resumed>"\x3e\x00\x00\x00\x23\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x32\x01\x00\x00\x00\x00\x00\x00\x41\x82\x00\x00\x00\x80\x00\x00\x3f\x00\x00\x00\x00\x00\x00\x00\x66\x69\x6c\x65\x30\x00", 8192) = 62 [pid 305] write(3, "\xa0\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\xfb\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\x7f\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 160) = 160 [pid 305] futex(0x7f8d7d03a3ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 304] <... futex resumed>) = 0 [ 29.974950][ T306] FAULT_INJECTION: forcing a failure. [ 29.974950][ T306] name failslab, interval 1, probability 0, space 0, times 0 [ 29.991557][ T306] CPU: 1 PID: 306 Comm: syz-executor287 Not tainted 5.15.180-syzkaller-android13-5.15.180_r00 #0 [ 30.004713][ T306] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 30.016713][ T306] Call Trace: [ 30.023472][ T306] [ 30.028114][ T306] __dump_stack+0x21/0x30 [ 30.033539][ T306] dump_stack_lvl+0xee/0x150 [ 30.039623][ T306] ? show_regs_print_info+0x20/0x20 [ 30.046431][ T306] dump_stack+0x15/0x20 [ 30.050999][ T306] should_fail+0x3c1/0x510 [ 30.056710][ T306] __should_failslab+0xa4/0xe0 [ 30.063839][ T306] should_failslab+0x9/0x20 [pid 305] futex(0x7f8d7d03a3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 304] exit_group(0 [pid 305] <... futex resumed>) = ? [pid 304] <... exit_group resumed>) = ? [pid 305] +++ exited with 0 +++ [ 30.070373][ T306] slab_pre_alloc_hook+0x3b/0xe0 [ 30.076088][ T306] kmem_cache_alloc_trace+0x48/0x270 [ 30.083138][ T306] ? fuse_alloc_inode+0x179/0x210 [ 30.089247][ T306] fuse_alloc_inode+0x179/0x210 [ 30.094920][ T306] ? fuse_get_tree_submount+0xfa0/0xfa0 [ 30.101628][ T306] ? fuse_iget+0x990/0x990 [ 30.106092][ T306] ? fuse_iget+0x990/0x990 [ 30.111480][ T306] iget5_locked+0xb1/0x270 [ 30.117533][ T306] ? fuse_inode_eq+0x80/0x80 [ 30.122667][ T306] fuse_iget+0x36f/0x990 [ 30.127680][ T306] ? entry_attr_timeout+0x116/0x170 [ 30.134159][ T306] ? fuse_init_inode+0x3b0/0x3b0 [ 30.140446][ T306] ? fuse_passthrough_setup+0x78/0x140 [ 30.148274][ T306] fuse_atomic_open+0xe3c/0x2140 [ 30.153336][ T306] ? fuse_rename2+0x25f0/0x25f0 [ 30.159195][ T306] ? __d_alloc+0x473/0x6a0 [ 30.164493][ T306] ? selinux_determine_inode_label+0x290/0x3e0 [ 30.171060][ T306] ? may_create+0x377/0x460 [ 30.176927][ T306] ? selinux_determine_inode_label+0x3e0/0x3e0 [ 30.185171][ T306] ? make_kgid+0x640/0x640 [ 30.190148][ T306] ? selinux_inode_create+0x22/0x30 [ 30.196750][ T306] ? security_inode_create+0xbd/0x110 [ 30.205789][ T306] ? fuse_rename2+0x25f0/0x25f0 [ 30.211656][ T306] path_openat+0xe31/0x2f10 [ 30.219511][ T306] ? do_filp_open+0x3e0/0x3e0 [ 30.229171][ T306] do_filp_open+0x1b3/0x3e0 [ 30.235188][ T306] ? vfs_tmpfile+0x2d0/0x2d0 [ 30.246292][ T306] do_sys_openat2+0x14c/0x7b0 [ 30.252847][ T306] ? _raw_spin_unlock_irq+0x4e/0x70 [ 30.260558][ T306] ? do_sys_open+0xe0/0xe0 [ 30.266557][ T306] ? do_notify_parent+0x800/0x800 [ 30.272985][ T306] ? __kasan_check_write+0x14/0x20 [ 30.279347][ T306] __x64_sys_creat+0x8e/0xb0 [ 30.284903][ T306] x64_sys_call+0x94a/0x9a0 [ 30.291650][ T306] do_syscall_64+0x4c/0xa0 [ 30.296929][ T306] ? clear_bhb_loop+0x35/0x90 [ 30.304192][ T306] ? clear_bhb_loop+0x35/0x90 [ 30.310654][ T306] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 30.318856][ T306] RIP: 0033:0x7f8d7cfb3819 [ 30.325812][ T306] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 1b 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 30.354911][ T306] RSP: 002b:00007f8d7cf4b208 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 [ 30.365471][ T306] RAX: ffffffffffffffda RBX: 00007f8d7d03a3f8 RCX: 00007f8d7cfb3819 [ 30.374632][ T306] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000180 [ 30.397894][ T306] RBP: 00007f8d7d03a3f0 R08: 00007f8d7cf4afa6 R09: 0000000000003431 [ 30.417883][ T306] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8d7d007344 [ 30.434498][ T306] R13: 00007f8d7cf4b210 R14: 0000000000000002 R15: 0000200000000180 [ 30.444540][ T306] [ 30.449441][ T306] general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN [ 30.464028][ T306] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] [ 30.474759][ T306] CPU: 1 PID: 306 Comm: syz-executor287 Not tainted 5.15.180-syzkaller-android13-5.15.180_r00 #0 [ 30.486606][ T306] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 30.497648][ T306] RIP: 0010:fuse_file_put+0x10d/0x1560 [ 30.504015][ T306] Code: 7c 24 28 bf 01 00 00 00 44 89 fe e8 1d 73 71 ff 41 83 ff 01 0f 85 da 00 00 00 48 8b 44 24 10 4c 8d 78 28 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 e4 dc af ff 4c 8d b4 24 80 00 00 [ 30.527008][ T306] RSP: 0018:ffffc900009a6fe0 EFLAGS: 00010206 [ 30.533897][ T306] RAX: 0000000000000005 RBX: 1ffff92000134e08 RCX: ffff88810d334f00 [ 30.544304][ T306] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 [ 30.553337][ T306] RBP: ffffc900009a7340 R08: dffffc0000000000 R09: ffffed10237fa546 [ 30.563093][ T306] R10: ffffed10237fa546 R11: 1ffff110237fa545 R12: ffff88811bfd2a00 [ 30.572726][ T306] R13: dffffc0000000000 R14: ffff88811bfd2a28 R15: 0000000000000028 [ 30.581311][ T306] FS: 00007f8d7cf4b6c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 30.592208][ T306] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 30.599999][ T306] CR2: 000020000000a000 CR3: 000000012301a000 CR4: 00000000003506a0 [ 30.609326][ T306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 30.618481][ T306] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 30.626826][ T306] Call Trace: [ 30.630762][ T306] [ 30.633798][ T306] ? fuse_lock_owner_id+0x170/0x170 [ 30.640117][ T306] ? debug_smp_processor_id+0x17/0x20 [ 30.646327][ T306] ? kasan_quarantine_put+0x34/0x190 [ 30.652222][ T306] ? kmem_cache_free+0x100/0x320 [ 30.657673][ T306] ? ____kasan_slab_free+0x130/0x160 [ 30.663902][ T306] ? __kasan_check_write+0x14/0x20 [ 30.669384][ T306] ? _raw_spin_lock_irqsave+0xb0/0x110 [ 30.675308][ T306] ? _raw_spin_lock+0xe0/0xe0 [ 30.680943][ T306] ? kmem_cache_free+0x100/0x320 [ 30.686992][ T306] ? _raw_spin_unlock_irqrestore+0x5b/0x80 [ 30.693210][ T306] ? __wake_up+0x116/0x180 [ 30.698049][ T306] ? fuse_iget+0x990/0x990 [ 30.702871][ T306] ? fuse_iget+0x990/0x990 [ 30.707962][ T306] ? remove_wait_queue+0x140/0x140 [ 30.713603][ T306] ? _raw_spin_trylock_bh+0x130/0x130 [ 30.719563][ T306] ? fuse_iget+0x5be/0x990 [ 30.724558][ T306] ? fuse_prepare_release+0x225/0x400 [ 30.730782][ T306] fuse_sync_release+0x84/0xb0 [ 30.735520][ T306] fuse_atomic_open+0x19de/0x2140 [ 30.741418][ T306] ? fuse_rename2+0x25f0/0x25f0 [ 30.746378][ T306] ? __d_alloc+0x473/0x6a0 [ 30.751381][ T306] ? selinux_determine_inode_label+0x290/0x3e0 [ 30.757845][ T306] ? may_create+0x377/0x460 [ 30.762512][ T306] ? selinux_determine_inode_label+0x3e0/0x3e0 [ 30.769583][ T306] ? make_kgid+0x640/0x640 [ 30.774427][ T306] ? selinux_inode_create+0x22/0x30 [ 30.780029][ T306] ? security_inode_create+0xbd/0x110 [ 30.785750][ T306] ? fuse_rename2+0x25f0/0x25f0 [ 30.790722][ T306] path_openat+0xe31/0x2f10 [ 30.795580][ T306] ? do_filp_open+0x3e0/0x3e0 [ 30.801144][ T306] do_filp_open+0x1b3/0x3e0 [ 30.806046][ T306] ? vfs_tmpfile+0x2d0/0x2d0 [ 30.811203][ T306] do_sys_openat2+0x14c/0x7b0 [ 30.817468][ T306] ? _raw_spin_unlock_irq+0x4e/0x70 [ 30.823446][ T306] ? do_sys_open+0xe0/0xe0 [ 30.828373][ T306] ? do_notify_parent+0x800/0x800 [ 30.833378][ T306] ? __kasan_check_write+0x14/0x20 [ 30.839369][ T306] __x64_sys_creat+0x8e/0xb0 [ 30.844028][ T306] x64_sys_call+0x94a/0x9a0 [ 30.849169][ T306] do_syscall_64+0x4c/0xa0 [ 30.853969][ T306] ? clear_bhb_loop+0x35/0x90 [ 30.859593][ T306] ? clear_bhb_loop+0x35/0x90 [ 30.866020][ T306] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 30.873850][ T306] RIP: 0033:0x7f8d7cfb3819 [ 30.879291][ T306] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 1b 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 30.903053][ T306] RSP: 002b:00007f8d7cf4b208 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 [ 30.912807][ T306] RAX: ffffffffffffffda RBX: 00007f8d7d03a3f8 RCX: 00007f8d7cfb3819 [ 30.923178][ T306] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000180 [ 30.933404][ T306] RBP: 00007f8d7d03a3f0 R08: 00007f8d7cf4afa6 R09: 0000000000003431 [ 30.944435][ T306] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8d7d007344 [ 30.953759][ T306] R13: 00007f8d7cf4b210 R14: 0000000000000002 R15: 0000200000000180 [ 30.963339][ T306] [ 30.966823][ T306] Modules linked in: [ 30.971018][ T306] ---[ end trace a8c0bc1d2f7f24c8 ]--- [ 30.979314][ T306] RIP: 0010:fuse_file_put+0x10d/0x1560 [ 30.986000][ T306] Code: 7c 24 28 bf 01 00 00 00 44 89 fe e8 1d 73 71 ff 41 83 ff 01 0f 85 da 00 00 00 48 8b 44 24 10 4c 8d 78 28 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 e4 dc af ff 4c 8d b4 24 80 00 00 [ 31.012273][ T306] RSP: 0018:ffffc900009a6fe0 EFLAGS: 00010206 [ 31.020872][ T306] RAX: 0000000000000005 RBX: 1ffff92000134e08 RCX: ffff88810d334f00 [ 31.031337][ T306] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 [ 31.043080][ T306] RBP: ffffc900009a7340 R08: dffffc0000000000 R09: ffffed10237fa546 [ 31.054500][ T306] R10: ffffed10237fa546 R11: 1ffff110237fa545 R12: ffff88811bfd2a00 [ 31.064957][ T306] R13: dffffc0000000000 R14: ffff88811bfd2a28 R15: 0000000000000028 [ 31.075596][ T306] FS: 00007f8d7cf4b6c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 31.088406][ T306] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 31.095925][ T306] CR2: 00007f8d7d002638 CR3: 000000012301a000 CR4: 00000000003506b0 [ 31.106657][ T306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 31.116125][ T306] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 31.129703][ T306] Kernel panic - not syncing: Fatal exception [ 31.139710][ T306] Kernel Offset: disabled [ 31.147517][ T306] Rebooting in 86400 seconds..