./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2690087991

<...>
Warning: Permanently added '10.128.1.194' (ED25519) to the list of known hosts.
execve("./syz-executor2690087991", ["./syz-executor2690087991"], 0x7fff7df7a340 /* 10 vars */) = 0
brk(NULL)                               = 0x55555c4b9000
brk(0x55555c4b9d00)                     = 0x55555c4b9d00
arch_prctl(ARCH_SET_FS, 0x55555c4b9380) = 0
set_tid_address(0x55555c4b9650)         = 5223
set_robust_list(0x55555c4b9660, 24)     = 0
rseq(0x55555c4b9ca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor2690087991", 4096) = 28
getrandom("\x81\x9c\x33\xa8\xae\xbf\x32\x55", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x55555c4b9d00
brk(0x55555c4dad00)                     = 0x55555c4dad00
brk(0x55555c4db000)                     = 0x55555c4db000
mprotect(0x7f1dc418e000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
mkdir("./syzkaller.RXXyzg", 0700)       = 0
chmod("./syzkaller.RXXyzg", 0777)       = 0
chdir("./syzkaller.RXXyzg")             = 0
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555c4b9650) = 5224
./strace-static-x86_64: Process 5224 attached
[pid  5224] set_robust_list(0x55555c4b9660, 24) = 0
[pid  5224] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid  5224] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5224] setsid()                    = 1
[pid  5224] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid  5224] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid  5224] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid  5224] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid  5224] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid  5224] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid  5224] unshare(CLONE_NEWNS)        = 0
[pid  5224] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid  5224] unshare(CLONE_NEWIPC)       = 0
[pid  5224] unshare(CLONE_NEWCGROUP)    = 0
[pid  5224] unshare(CLONE_NEWUTS)       = 0
[pid  5224] unshare(CLONE_SYSVSEM)      = 0
[pid  5224] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5224] write(3, "16777216", 8)     = 8
[pid  5224] close(3)                    = 0
[pid  5224] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid  5224] write(3, "536870912", 9)    = 9
[pid  5224] close(3)                    = 0
[pid  5224] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5224] write(3, "1024", 4)         = 4
[pid  5224] close(3)                    = 0
[pid  5224] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5224] write(3, "8192", 4)         = 4
[pid  5224] close(3)                    = 0
[pid  5224] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5224] write(3, "1024", 4)         = 4
[pid  5224] close(3)                    = 0
[pid  5224] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid  5224] write(3, "1024", 4)         = 4
[pid  5224] close(3)                    = 0
[pid  5224] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid  5224] write(3, "1024 1048576 500 1024", 21) = 21
[pid  5224] close(3)                    = 0
[pid  5224] getpid()                    = 1
[pid  5224] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5224] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5224] unshare(CLONE_NEWNET)       = 0
[pid  5224] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid  5224] write(3, "0 65535", 7)      = 7
[pid  5224] close(3)                    = 0
[pid  5224] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
[pid  5224] write(3, "100000", 6)       = 6
[pid  5224] close(3)                    = 0
[pid  5224] mkdir("./syz-tmp", 0777)    = 0
[pid  5224] mount("", "./syz-tmp", "tmpfs", 0, NULL) = 0
[pid  5224] mkdir("./syz-tmp/newroot", 0777) = 0
[pid  5224] mkdir("./syz-tmp/newroot/dev", 0700) = 0
[pid  5224] mount("/dev", "./syz-tmp/newroot/dev", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0
[pid  5224] mkdir("./syz-tmp/newroot/proc", 0700) = 0
[pid  5224] mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL) = 0
[pid  5224] mkdir("./syz-tmp/newroot/selinux", 0700) = 0
[pid  5224] mount("/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = -1 ENOENT (No such file or directory)
[pid  5224] mount("/sys/fs/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = -1 ENOENT (No such file or directory)
[pid  5224] mkdir("./syz-tmp/newroot/sys", 0700) = 0
[pid  5224] mount("/sys", "./syz-tmp/newroot/sys", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0
[pid  5224] mkdir("./syz-tmp/pivot", 0777) = 0
[pid  5224] pivot_root("./syz-tmp", "./syz-tmp/pivot") = 0
[pid  5224] chdir("/")                  = 0
[pid  5224] umount2("./pivot", MNT_DETACH) = 0
[pid  5224] chroot("./newroot")         = 0
[pid  5224] chdir("/")                  = 0
[pid  5224] mkdir("/dev/binderfs", 0777) = 0
[pid  5224] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid  5224] mkdir("./0", 0777)          = 0
[pid  5224] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
[pid  5224] ioctl(3, LOOP_CLR_FD)       = -1 ENXIO (No such device or address)
[pid  5224] close(3)                    = 0
[pid  5224] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5227 attached
 <unfinished ...>
[pid  5227] set_robust_list(0x55555c4b9660, 24 <unfinished ...>
[pid  5224] <... clone resumed>, child_tidptr=0x55555c4b9650) = 2
[pid  5227] <... set_robust_list resumed>) = 0
[pid  5227] chdir("./0")                = 0
[pid  5227] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5227] setpgid(0, 0)               = 0
[pid  5227] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5227] write(3, "1000", 4)         = 4
[pid  5227] close(3)                    = 0
[pid  5227] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5227] write(1, "executing program\n", 18executing program
) = 18
[pid  5227] memfd_create("syzkaller", 0) = 3
[pid  5227] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1dbbc00000
[pid  5227] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216
[pid  5227] munmap(0x7f1dbbc00000, 138412032) = 0
[pid  5227] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid  5227] ioctl(4, LOOP_SET_FD, 3)    = 0
[pid  5227] close(3)                    = 0
[pid  5227] close(4)                    = 0
[pid  5227] mkdir("./bus", 0777)        = 0
[   79.859385][ T5227] loop0: detected capacity change from 0 to 32768
[   79.887881][ T5227] BTRFS: device fsid ed167579-eb65-4e76-9a50-61ac97e9b59d devid 1 transid 8 /dev/loop0 (7:0) scanned by syz-executor269 (5227)
[   79.918940][ T5227] BTRFS info (device loop0): first mount of filesystem ed167579-eb65-4e76-9a50-61ac97e9b59d
[   79.931102][ T5227] BTRFS info (device loop0): using sha256 (sha256-avx2) checksum algorithm
[   80.012207][ T5227] BTRFS info (device loop0): rebuilding free space tree
[   80.047729][ T5227] BTRFS info (device loop0): disabling free space tree
[pid  5227] mount("/dev/loop0", "./bus", "btrfs", MS_NOEXEC, "autodefrag,autodefrag,ref_verify,max_inline=T,clear_cache,discard,noenospc_debug,barrier,nospace_cac"...) = 0
[pid  5227] openat(AT_FDCWD, "./bus", O_RDONLY|O_DIRECTORY) = 3
[pid  5227] chdir("./bus")              = 0
[pid  5227] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid  5227] ioctl(4, LOOP_CLR_FD)       = 0
[pid  5227] close(4)                    = 0
[   80.054930][ T5227] BTRFS info (device loop0): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)
[   80.065538][ T5227] BTRFS info (device loop0): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)
[pid  5227] open("./bus", O_WRONLY|O_CREAT|O_EXCL|O_NONBLOCK|O_SYNC|O_NOFOLLOW|O_CLOEXEC|0x3c, 000) = 4
[pid  5227] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0
[pid  5227] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_SYNC|O_NOATIME|FASYNC, 000) = 5
[pid  5227] pwritev2(5, [{iov_base="\xff\x2c\x6e\x6f\x65\x6e\x6f\x73\x70\x63\x5f\x64\x65\x62\x75\x67\x2c\x62\x61\x72\x72\x69\x65\x72\x2c\x6e\x6f\x73\x70\x61\x63\x65\x5f\x63\x61\x63\x68\x65\x2c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=44027}], 1, 21522, 0) = 44027
[pid  5227] open("./bus", O_RDONLY)     = 6
[pid  5227] memfd_create("syzkaller", 0) = 7
[pid  5227] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1dbbc00000
[pid  5227] write(7, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288
[pid  5227] munmap(0x7f1dbbc00000, 138412032) = 0
[pid  5227] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 8
[pid  5227] ioctl(8, LOOP_SET_FD, 7)    = -1 EBUSY (Device or resource busy)
[pid  5227] ioctl(8, LOOP_CLR_FD)       = 0
[pid  5227] ioctl(8, LOOP_SET_FD, 7)    = -1 EBUSY (Device or resource busy)
[pid  5227] close(8)                    = 0
[pid  5227] close(7)                    = 0
[pid  5227] ioctl(6, LOOP_SET_STATUS, {lo_number=0, lo_offset=0x691f3f6d, lo_encrypt_type=0x9bedef3c /* LO_CRYPT_??? */, lo_encrypt_key_size=2121260791, lo_flags=LO_FLAGS_READ_ONLY|LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN|LO_FLAGS_DIRECT_IO|0xb3bb3f80, lo_name="\x8d\x36\xc0\x67\xd6\xf9\xd7\x73\xb0\x97\x22\xe7\x4f\x5c\xb8\x55\xd6\x57\xee\x76\xba\x2b\x77\x3b\xd7\x07\xe5\x24\x53\x49\x1a\x49\xb3\xbf\x4a\xd1\x4e\x8a\x8f\x93\x73\xe9\x2f\xf9\x7c\xf9\x62\x3d\x5c\xf1\xa0\x79\x5e\xbd\xf7\x51\xd1\x7c\xff\xc3\x4e\xbf\xd6"..., lo_encrypt_key="\x97\x6a\xfb\xc6\x56\xfd\x36\x19\xbb\x65\x2f\x39\x34\xac\x1c\x48\x32\xd3\x2f\xfe\x67\xdb\xc3\x6e\x1a\xaf\x5a\xaa\x71\x2e\xad\x8d", ...}) = 0
[pid  5227] mkdir(".", 0777)            = -1 EEXIST (File exists)
[   80.317700][ T5227] loop0: detected capacity change from 32768 to 0
[   80.343308][ T1111] kworker/u8:6: attempt to access beyond end of device
[   80.343308][ T1111] loop0: rw=67112961, sector=10488, nr_sectors = 8 limit=0
[   80.376487][ T1111] BTRFS error (device loop0): bdev /dev/loop0 errs: wr 1, rd 0, flush 0, corrupt 0, gen 0
[   80.388027][ T1111] kworker/u8:6: attempt to access beyond end of device
[   80.388027][ T1111] loop0: rw=67112961, sector=10496, nr_sectors = 8 limit=0
[   80.402397][ T1111] BTRFS error (device loop0): bdev /dev/loop0 errs: wr 2, rd 0, flush 0, corrupt 0, gen 0
[   80.417369][ T1111] kworker/u8:6: attempt to access beyond end of device
[   80.417369][ T1111] loop0: rw=67112961, sector=10504, nr_sectors = 8 limit=0
[   80.445316][ T1111] BTRFS error (device loop0): bdev /dev/loop0 errs: wr 3, rd 0, flush 0, corrupt 0, gen 0
[   80.455687][ T1111] kworker/u8:6: attempt to access beyond end of device
[   80.455687][ T1111] loop0: rw=67112961, sector=10616, nr_sectors = 8 limit=0
[   80.477057][ T1111] BTRFS error (device loop0): bdev /dev/loop0 errs: wr 4, rd 0, flush 0, corrupt 0, gen 0
[   80.502905][ T5227] BTRFS error (device loop0 state A): Transaction aborted (error -5)
[   80.527156][ T5227] BTRFS: error (device loop0 state A) in __btrfs_run_delayed_items:1174: errno=-5 IO failure
[   80.538686][ T5227] BTRFS info (device loop0 state EA): forced readonly
[   80.546154][ T5227] BTRFS warning (device loop0 state EA): Skipping commit of aborted transaction.
[   80.556369][ T5227] BTRFS: error (device loop0 state EA) in cleanup_transaction:2017: errno=-5 IO failure
[pid  5227] mount(NULL, ".", 0x20000f40, MS_NOEXEC|MS_SYNCHRONOUS|MS_REMOUNT|MS_NOATIME|MS_MOVE|MS_SILENT|MS_PRIVATE|MS_RELATIME|MS_I_VERSION|MS_STRICTATIME, "") = -1 EINVAL (Invalid argument)
[pid  5227] close(3)                    = 0
[pid  5227] close(4)                    = 0
[pid  5227] close(5)                    = 0
[pid  5227] close(6)                    = 0
[pid  5227] close(7)                    = -1 EBADF (Bad file descriptor)
[pid  5227] close(8)                    = -1 EBADF (Bad file descriptor)
[pid  5227] close(9)                    = -1 EBADF (Bad file descriptor)
[pid  5227] close(10)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(11)                   = -1 EBADF (Bad file descriptor)
[   80.568453][ T5227] BTRFS error (device loop0 state EMA): remounting read-write after error is not allowed
[pid  5227] close(12)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(13)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(14)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(15)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(16)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(17)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(18)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(19)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(20)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(21)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(22)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(23)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(24)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(25)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(26)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(27)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(28)                   = -1 EBADF (Bad file descriptor)
[pid  5227] close(29)                   = -1 EBADF (Bad file descriptor)
[pid  5227] exit_group(0)               = ?
[pid  5227] +++ exited with 0 +++
[pid  5224] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=40 /* 0.40 s */} ---
[pid  5224] restart_syscall(<... resuming interrupted clone ...>) = 0
[pid  5224] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
[pid  5224] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
[pid  5224] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=80, ...}, AT_EMPTY_PATH) = 0
[pid  5224] getdents64(3, 0x55555c4ba6f0 /* 4 entries */, 32768) = 104
[pid  5224] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
[pid  5224] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid  5224] unlink("./0/binderfs")      = 0
[pid  5224] umount2("./0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy)
[pid  5224] newfstatat(AT_FDCWD, "./0/bus", {st_mode=S_IFDIR|0755, st_size=64, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid  5224] umount2("./0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy)
[pid  5224] openat(AT_FDCWD, "./0/bus", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
[pid  5224] newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=64, ...}, AT_EMPTY_PATH) = 0
[pid  5224] getdents64(4, 0x55555c4c2730 /* 2 entries */, 32768) = 48
[pid  5224] getdents64(4, 0x55555c4c2730, 32768) = -1 EIO (Input/output error)
[pid  5224] close(4)                    = 0
[pid  5224] rmdir("./0/bus")            = -1 EBUSY (Device or resource busy)
[pid  5224] umount2("./0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy)
[pid  5224] exit_group(1)               = ?
[   80.780543][ T5224] BTRFS info (device loop0 state EA): last unmount of filesystem ed167579-eb65-4e76-9a50-61ac97e9b59d
[   80.797247][ T5224] ==================================================================
[   80.805357][ T5224] BUG: KASAN: slab-use-after-free in rb_first_postorder+0x69/0x90
[   80.813212][ T5224] Read of size 8 at addr ffff8880202ab010 by task syz-executor269/5224
[   80.821453][ T5224] 
[   80.823790][ T5224] CPU: 0 UID: 0 PID: 5224 Comm: syz-executor269 Not tainted 6.11.0-syzkaller-02520-gadfc3ded5c33 #0
[   80.834574][ T5224] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[   80.844650][ T5224] Call Trace:
[   80.847948][ T5224]  <TASK>
[   80.850877][ T5224]  dump_stack_lvl+0x241/0x360
[   80.855564][ T5224]  ? __pfx_dump_stack_lvl+0x10/0x10
[   80.860767][ T5224]  ? __pfx__printk+0x10/0x10
[   80.865355][ T5224]  ? _printk+0xd5/0x120
[   80.869507][ T5224]  ? __virt_addr_valid+0x183/0x530
[   80.874615][ T5224]  ? __virt_addr_valid+0x183/0x530
[   80.879725][ T5224]  print_report+0x169/0x550
[   80.884233][ T5224]  ? __virt_addr_valid+0x183/0x530
[   80.889341][ T5224]  ? __virt_addr_valid+0x183/0x530
[   80.894447][ T5224]  ? __virt_addr_valid+0x45f/0x530
[   80.899568][ T5224]  ? __phys_addr+0xba/0x170
[   80.904067][ T5224]  ? rb_first_postorder+0x69/0x90
[   80.909095][ T5224]  kasan_report+0x143/0x180
[   80.913610][ T5224]  ? rb_first_postorder+0x69/0x90
[   80.918653][ T5224]  rb_first_postorder+0x69/0x90
[   80.923508][ T5224]  btrfs_cleanup_defrag_inodes+0x2f/0x80
[   80.929152][ T5224]  close_ctree+0x2af/0xd20
[   80.933572][ T5224]  ? hook_sb_delete+0x867/0xbb0
[   80.938431][ T5224]  ? __pfx_close_ctree+0x10/0x10
[   80.943393][ T5224]  ? hook_sb_delete+0x1a3/0xbb0
[   80.948246][ T5224]  ? __pfx_fsnotify_sb_delete+0x10/0x10
[   80.953808][ T5224]  ? __pfx_evict_inodes+0x10/0x10
[   80.958836][ T5224]  ? __pfx_btrfs_put_super+0x10/0x10
[   80.964125][ T5224]  generic_shutdown_super+0x139/0x2d0
[   80.969506][ T5224]  kill_anon_super+0x3b/0x70
[   80.974099][ T5224]  btrfs_kill_super+0x41/0x50
[   80.978781][ T5224]  deactivate_locked_super+0xc4/0x130
[   80.984165][ T5224]  cleanup_mnt+0x41f/0x4b0
[   80.988599][ T5224]  ? lockdep_hardirqs_on+0x99/0x150
[   80.993816][ T5224]  task_work_run+0x24f/0x310
[   80.998435][ T5224]  ? __pfx_task_work_run+0x10/0x10
[   81.003572][ T5224]  ? do_exit+0xa2a/0x27f0
[   81.007905][ T5224]  ? kmem_cache_free+0x145/0x350
[   81.012847][ T5224]  do_exit+0xa2f/0x27f0
[   81.017000][ T5224]  ? __pfx_do_exit+0x10/0x10
[   81.021593][ T5224]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   81.027602][ T5224]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   81.033937][ T5224]  ? _raw_spin_unlock_irq+0x23/0x50
[   81.039145][ T5224]  ? lockdep_hardirqs_on+0x99/0x150
[   81.044342][ T5224]  do_group_exit+0x207/0x2c0
[   81.048941][ T5224]  __x64_sys_exit_group+0x3f/0x40
[   81.053979][ T5224]  x64_sys_call+0x2634/0x2640
[   81.058665][ T5224]  do_syscall_64+0xf3/0x230
[   81.063171][ T5224]  ? clear_bhb_loop+0x35/0x90
[   81.067854][ T5224]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.073762][ T5224] RIP: 0033:0x7f1dc41119c9
[   81.078186][ T5224] Code: Unable to access opcode bytes at 0x7f1dc411199f.
[   81.085200][ T5224] RSP: 002b:00007ffff609b6a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   81.093614][ T5224] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1dc41119c9
[   81.101588][ T5224] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[   81.109558][ T5224] RBP: 00007f1dc4194390 R08: ffffffffffffffb8 R09: 0000000000000000
[   81.117561][ T5224] R10: 0000000000001000 R11: 0000000000000246 R12: 00007f1dc4194390
[   81.125551][ T5224] R13: 0000000000000000 R14: 00007f1dc4195100 R15: 00007f1dc40df980
[   81.133542][ T5224]  </TASK>
[   81.136562][ T5224] 
[   81.138894][ T5224] Allocated by task 5227:
[   81.143214][ T5224]  kasan_save_track+0x3f/0x80
[   81.147895][ T5224]  __kasan_slab_alloc+0x66/0x80
[   81.152747][ T5224]  kmem_cache_alloc_noprof+0x135/0x2a0
[   81.158237][ T5224]  btrfs_add_inode_defrag+0x15c/0x790
[   81.163641][ T5224]  cow_file_range+0x380/0x11f0
[   81.168408][ T5224]  btrfs_run_delalloc_range+0x33d/0xf70
[   81.173958][ T5224]  writepage_delalloc+0x482/0x7d0
[   81.178989][ T5224]  btrfs_writepages+0x1157/0x2370
[   81.184025][ T5224]  do_writepages+0x35d/0x870
[   81.188618][ T5224]  filemap_fdatawrite_wbc+0x125/0x180
[   81.193998][ T5224]  filemap_fdatawrite_range+0x120/0x180
[   81.199549][ T5224]  btrfs_sync_file+0x3ac/0x1230
[   81.204399][ T5224]  btrfs_do_write_iter+0x5e0/0x760
[   81.209511][ T5224]  do_iter_readv_writev+0x608/0x890
[   81.214716][ T5224]  vfs_writev+0x376/0xba0
[   81.219048][ T5224]  __se_sys_pwritev2+0x1ca/0x2d0
[   81.223987][ T5224]  do_syscall_64+0xf3/0x230
[   81.228492][ T5224]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.234389][ T5224] 
[   81.236716][ T5224] Freed by task 5227:
[   81.240690][ T5224]  kasan_save_track+0x3f/0x80
[   81.245367][ T5224]  kasan_save_free_info+0x40/0x50
[   81.250407][ T5224]  poison_slab_object+0xe0/0x150
[   81.255345][ T5224]  __kasan_slab_free+0x37/0x60
[   81.260118][ T5224]  kmem_cache_free+0x145/0x350
[   81.264891][ T5224]  btrfs_cleanup_defrag_inodes+0x51/0x80
[   81.270528][ T5224]  btrfs_reconfigure+0x269c/0x2d40
[   81.275643][ T5224]  reconfigure_super+0x445/0x880
[   81.280589][ T5224]  path_mount+0xc22/0xfa0
[   81.284918][ T5224]  __se_sys_mount+0x2d6/0x3c0
[   81.289593][ T5224]  do_syscall_64+0xf3/0x230
[   81.294098][ T5224]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.299995][ T5224] 
[   81.302315][ T5224] The buggy address belongs to the object at ffff8880202ab000
[   81.302315][ T5224]  which belongs to the cache btrfs_inode_defrag of size 56
[   81.316891][ T5224] The buggy address is located 16 bytes inside of
[   81.316891][ T5224]  freed 56-byte region [ffff8880202ab000, ffff8880202ab038)
[   81.330509][ T5224] 
[   81.332830][ T5224] The buggy address belongs to the physical page:
[   81.339241][ T5224] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x202ab
[   81.348006][ T5224] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   81.355117][ T5224] page_type: 0xfdffffff(slab)
[   81.359792][ T5224] raw: 00fff00000000000 ffff888034903dc0 dead000000000122 0000000000000000
[   81.368808][ T5224] raw: 0000000000000000 00000000802e002e 00000001fdffffff 0000000000000000
[   81.377382][ T5224] page dumped because: kasan: bad access detected
[   81.383806][ T5224] page_owner tracks the page as allocated
[   81.389523][ T5224] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5227, tgid 5227 (syz-executor269), ts 80158262358, free_ts 80157631587
[   81.408895][ T5224]  post_alloc_hook+0x1f3/0x230
[   81.413661][ T5224]  get_page_from_freelist+0x2e4c/0x2f10
[   81.419212][ T5224]  __alloc_pages_noprof+0x256/0x6c0
[   81.424411][ T5224]  alloc_slab_page+0x5f/0x120
[   81.429107][ T5224]  allocate_slab+0x5a/0x2f0
[   81.433608][ T5224]  ___slab_alloc+0xcd1/0x14b0
[   81.438286][ T5224]  __slab_alloc+0x58/0xa0
[   81.442610][ T5224]  kmem_cache_alloc_noprof+0x1c1/0x2a0
[   81.448090][ T5224]  btrfs_add_inode_defrag+0x15c/0x790
[   81.453459][ T5224]  cow_file_range+0x380/0x11f0
[   81.458221][ T5224]  btrfs_run_delalloc_range+0x33d/0xf70
[   81.463768][ T5224]  writepage_delalloc+0x482/0x7d0
[   81.468791][ T5224]  btrfs_writepages+0x1157/0x2370
[   81.473817][ T5224]  do_writepages+0x35d/0x870
[   81.478411][ T5224]  filemap_fdatawrite_wbc+0x125/0x180
[   81.483783][ T5224]  filemap_fdatawrite_range+0x120/0x180
[   81.489329][ T5224] page last free pid 5218 tgid 5218 stack trace:
[   81.495651][ T5224]  free_unref_page+0xd19/0xea0
[   81.500412][ T5224]  skb_release_data+0x6dc/0x8a0
[   81.505260][ T5224]  __kfree_skb+0x55/0x70
[   81.509496][ T5224]  tcp_rcv_established+0x10a5/0x2020
[   81.514776][ T5224]  tcp_v4_do_rcv+0x96d/0xc70
[   81.519366][ T5224]  __release_sock+0x214/0x350
[   81.524045][ T5224]  release_sock+0x61/0x1f0
[   81.528460][ T5224]  tcp_sendmsg+0x3a/0x50
[   81.532696][ T5224]  __sock_sendmsg+0x1a6/0x270
[   81.537374][ T5224]  sock_write_iter+0x2d7/0x3f0
[   81.542141][ T5224]  vfs_write+0xa6d/0xc90
[   81.546383][ T5224]  ksys_write+0x1a0/0x2c0
[   81.550713][ T5224]  do_syscall_64+0xf3/0x230
[   81.555217][ T5224]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.561113][ T5224] 
[   81.563432][ T5224] Memory state around the buggy address:
[   81.569055][ T5224]  ffff8880202aaf00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   81.577110][ T5224]  ffff8880202aaf80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   81.585177][ T5224] >ffff8880202ab000: fa fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[   81.593232][ T5224]                          ^
[   81.597813][ T5224]  ffff8880202ab080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   81.605867][ T5224]  ffff8880202ab100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   81.613917][ T5224] ==================================================================
[   81.622212][ T5224] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   81.629434][ T5224] CPU: 0 UID: 0 PID: 5224 Comm: syz-executor269 Not tainted 6.11.0-syzkaller-02520-gadfc3ded5c33 #0
[   81.640225][ T5224] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[   81.650313][ T5224] Call Trace:
[   81.653613][ T5224]  <TASK>
[   81.656562][ T5224]  dump_stack_lvl+0x241/0x360
[   81.661293][ T5224]  ? __pfx_dump_stack_lvl+0x10/0x10
[   81.666542][ T5224]  ? __pfx__printk+0x10/0x10
[   81.671158][ T5224]  ? lock_release+0xbf/0xa30
[   81.675783][ T5224]  ? vscnprintf+0x5d/0x90
[   81.680149][ T5224]  panic+0x349/0x860
[   81.684065][ T5224]  ? check_panic_on_warn+0x21/0xb0
[   81.689174][ T5224]  ? __pfx_panic+0x10/0x10
[   81.693585][ T5224]  ? mark_lock+0x9a/0x350
[   81.697919][ T5224]  ? _raw_spin_unlock_irqrestore+0xd8/0x140
[   81.703812][ T5224]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   81.709709][ T5224]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   81.716034][ T5224]  ? print_report+0x502/0x550
[   81.720709][ T5224]  check_panic_on_warn+0x86/0xb0
[   81.725637][ T5224]  ? rb_first_postorder+0x69/0x90
[   81.730655][ T5224]  end_report+0x77/0x160
[   81.734917][ T5224]  kasan_report+0x154/0x180
[   81.739423][ T5224]  ? rb_first_postorder+0x69/0x90
[   81.744443][ T5224]  rb_first_postorder+0x69/0x90
[   81.749297][ T5224]  btrfs_cleanup_defrag_inodes+0x2f/0x80
[   81.754948][ T5224]  close_ctree+0x2af/0xd20
[   81.759379][ T5224]  ? hook_sb_delete+0x867/0xbb0
[   81.764240][ T5224]  ? __pfx_close_ctree+0x10/0x10
[   81.769175][ T5224]  ? hook_sb_delete+0x1a3/0xbb0
[   81.774023][ T5224]  ? __pfx_fsnotify_sb_delete+0x10/0x10
[   81.779578][ T5224]  ? __pfx_evict_inodes+0x10/0x10
[   81.784610][ T5224]  ? __pfx_btrfs_put_super+0x10/0x10
[   81.789897][ T5224]  generic_shutdown_super+0x139/0x2d0
[   81.795273][ T5224]  kill_anon_super+0x3b/0x70
[   81.799868][ T5224]  btrfs_kill_super+0x41/0x50
[   81.804553][ T5224]  deactivate_locked_super+0xc4/0x130
[   81.809929][ T5224]  cleanup_mnt+0x41f/0x4b0
[   81.814344][ T5224]  ? lockdep_hardirqs_on+0x99/0x150
[   81.819551][ T5224]  task_work_run+0x24f/0x310
[   81.824148][ T5224]  ? __pfx_task_work_run+0x10/0x10
[   81.829262][ T5224]  ? do_exit+0xa2a/0x27f0
[   81.833607][ T5224]  ? kmem_cache_free+0x145/0x350
[   81.838553][ T5224]  do_exit+0xa2f/0x27f0
[   81.842707][ T5224]  ? __pfx_do_exit+0x10/0x10
[   81.847292][ T5224]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   81.853279][ T5224]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   81.859619][ T5224]  ? _raw_spin_unlock_irq+0x23/0x50
[   81.864823][ T5224]  ? lockdep_hardirqs_on+0x99/0x150
[   81.870020][ T5224]  do_group_exit+0x207/0x2c0
[   81.874609][ T5224]  __x64_sys_exit_group+0x3f/0x40
[   81.879630][ T5224]  x64_sys_call+0x2634/0x2640
[   81.884334][ T5224]  do_syscall_64+0xf3/0x230
[   81.888842][ T5224]  ? clear_bhb_loop+0x35/0x90
[   81.893526][ T5224]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.899425][ T5224] RIP: 0033:0x7f1dc41119c9
[   81.903836][ T5224] Code: Unable to access opcode bytes at 0x7f1dc411199f.
[   81.910847][ T5224] RSP: 002b:00007ffff609b6a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   81.919263][ T5224] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1dc41119c9
[   81.927232][ T5224] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[   81.935231][ T5224] RBP: 00007f1dc4194390 R08: ffffffffffffffb8 R09: 0000000000000000
[   81.943285][ T5224] R10: 0000000000001000 R11: 0000000000000246 R12: 00007f1dc4194390
[   81.951288][ T5224] R13: 0000000000000000 R14: 00007f1dc4195100 R15: 00007f1dc40df980
[   81.959301][ T5224]  </TASK>
[   81.962606][ T5224] Kernel Offset: disabled
[   81.966934][ T5224] Rebooting in 86400 seconds..