./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor742166099 <...> Warning: Permanently added '10.128.0.78' (ED25519) to the list of known hosts. execve("./syz-executor742166099", ["./syz-executor742166099"], 0x7ffc589b2ce0 /* 10 vars */) = 0 brk(NULL) = 0x555555a28000 brk(0x555555a28d40) = 0x555555a28d40 arch_prctl(ARCH_SET_FS, 0x555555a283c0) = 0 set_tid_address(0x555555a28690) = 297 set_robust_list(0x555555a286a0, 24) = 0 rseq(0x555555a28ce0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor742166099", 4096) = 27 getrandom("\xb5\xf6\x55\xa8\xde\xdf\xdd\x03", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555555a28d40 brk(0x555555a49d40) = 0x555555a49d40 brk(0x555555a4a000) = 0x555555a4a000 mprotect(0x7f1ef6b71000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 mkdir("./syzkaller.Mch0qo", 0700) = 0 chmod("./syzkaller.Mch0qo", 0777) = 0 chdir("./syzkaller.Mch0qo") = 0 mkdir("./0", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 298 ./strace-static-x86_64: Process 298 attached [pid 298] set_robust_list(0x555555a286a0, 24) = 0 [pid 298] chdir("./0") = 0 [pid 298] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 298] setpgid(0, 0) = 0 [pid 298] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 298] write(3, "1000", 4) = 4 [pid 298] close(3) = 0 [pid 298] symlink("/dev/binderfs", "./binderfs") = 0 [pid 298] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 298] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 298] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 298] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 298] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 298] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 298] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 299 attached [pid 299] set_robust_list(0x7f1ef6aad9a0, 24 [pid 298] <... clone3 resumed> => {parent_tid=[299]}, 88) = 299 [pid 299] <... set_robust_list resumed>) = 0 [pid 298] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 299] rt_sigprocmask(SIG_SETMASK, [], [pid 298] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 299] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 298] <... futex resumed>) = 0 [pid 298] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 299] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 299] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 298] <... futex resumed>) = 0 [pid 298] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 299] <... futex resumed>) = 0 [pid 299] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 298] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] <... bpf resumed>) = 4 [pid 299] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 298] <... futex resumed>) = 0 [pid 298] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 298] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 24.805472][ T28] audit: type=1400 audit(1694295483.169:66): avc: denied { execmem } for pid=297 comm="syz-executor742" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 24.831192][ T28] audit: type=1400 audit(1694295483.199:67): avc: denied { bpf } for pid=298 comm="syz-executor742" capability=39 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1 [pid 299] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 299] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 298] <... futex resumed>) = 0 [pid 298] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 298] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 299] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 298] <... futex resumed>) = 0 [pid 298] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 298] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 299] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 298] <... futex resumed>) = 0 [pid 298] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 298] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 299] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 298] <... futex resumed>) = 0 [pid 298] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 298] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 299] write(6, "8", 1) = 1 [pid 299] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 299] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 298] <... futex resumed>) = 0 [pid 298] exit_group(0) = ? [pid 299] <... futex resumed>) = ? [pid 299] +++ exited with 0 +++ [pid 298] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=298, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 301 ./strace-static-x86_64: Process 301 attached [pid 301] set_robust_list(0x555555a286a0, 24) = 0 [pid 301] chdir("./1") = 0 [pid 301] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 301] setpgid(0, 0) = 0 [pid 301] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 301] write(3, "1000", 4) = 4 [pid 301] close(3) = 0 [pid 301] symlink("/dev/binderfs", "./binderfs") = 0 [pid 301] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 301] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 301] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 301] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 301] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 301] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 301] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[302]}, 88) = 302 [pid 301] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 301] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 301] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 302 attached [pid 302] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 302] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 302] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 302] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 301] <... futex resumed>) = 0 [pid 301] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 301] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 302] <... futex resumed>) = 1 [pid 302] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 302] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 301] <... futex resumed>) = 0 [pid 301] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 301] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 302] <... futex resumed>) = 1 [pid 302] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 302] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 301] <... futex resumed>) = 0 [pid 301] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 301] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 302] <... futex resumed>) = 1 [pid 302] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 302] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 301] <... futex resumed>) = 0 [pid 301] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 301] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 302] <... futex resumed>) = 1 [pid 302] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 302] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 301] <... futex resumed>) = 0 [pid 301] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 301] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 302] <... futex resumed>) = 1 [pid 302] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 302] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 301] <... futex resumed>) = 0 [pid 301] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 301] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 302] <... futex resumed>) = 1 [pid 302] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 302] write(6, "8", 1) = 1 [pid 302] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 302] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 301] <... futex resumed>) = 0 [pid 301] exit_group(0) = ? [pid 302] <... futex resumed>) = ? [pid 302] +++ exited with 0 +++ [pid 301] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=301, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 303 ./strace-static-x86_64: Process 303 attached [pid 303] set_robust_list(0x555555a286a0, 24) = 0 [pid 303] chdir("./2") = 0 [pid 303] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 303] setpgid(0, 0) = 0 [pid 303] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 303] write(3, "1000", 4) = 4 [pid 303] close(3) = 0 [pid 303] symlink("/dev/binderfs", "./binderfs") = 0 [pid 303] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 303] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 303] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 303] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 303] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 303] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[304]}, 88) = 304 [pid 303] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 303] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 304 attached [pid 304] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 304] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 304] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 304] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 304] <... futex resumed>) = 1 [pid 304] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 304] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 304] <... futex resumed>) = 1 [pid 304] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 304] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 304] <... futex resumed>) = 1 [pid 304] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 304] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 24.852270][ T28] audit: type=1400 audit(1694295483.229:68): avc: denied { prog_load } for pid=298 comm="syz-executor742" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 24.871820][ T28] audit: type=1400 audit(1694295483.229:69): avc: denied { perfmon } for pid=298 comm="syz-executor742" capability=38 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1 [pid 303] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 304] <... futex resumed>) = 1 [pid 304] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 304] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 304] <... futex resumed>) = 1 [pid 304] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 304] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 304] <... futex resumed>) = 1 [pid 304] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 304] write(6, "8", 1) = 1 [pid 304] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 24.893802][ T28] audit: type=1400 audit(1694295483.229:70): avc: denied { prog_run } for pid=298 comm="syz-executor742" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 24.910175][ T304] FAULT_INJECTION: forcing a failure. [ 24.910175][ T304] name fail_futex, interval 1, probability 0, space 0, times 1 [ 24.913517][ T28] audit: type=1400 audit(1694295483.229:71): avc: denied { map_create } for pid=298 comm="syz-executor742" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 24.925734][ T304] CPU: 1 PID: 304 Comm: syz-executor742 Not tainted 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 24.944709][ T28] audit: type=1400 audit(1694295483.229:72): avc: denied { map_read map_write } for pid=298 comm="syz-executor742" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 24.954379][ T304] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 24.954392][ T304] Call Trace: [ 24.954397][ T304] [ 24.954405][ T304] dump_stack_lvl+0x151/0x1b7 [ 24.994482][ T304] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 24.999769][ T304] dump_stack+0x15/0x17 [ 25.003761][ T304] should_fail_ex+0x3d0/0x520 [ 25.008275][ T304] should_fail+0xb/0x10 [ 25.012270][ T304] get_futex_key+0x177/0xc90 [ 25.016698][ T304] ? futex_setup_timer+0xd0/0xd0 [ 25.021470][ T304] futex_wake+0x1af/0xb60 [ 25.025642][ T304] ? futex_wake_mark+0x170/0x170 [ 25.030590][ T304] ? finish_task_switch+0x167/0x7b0 [ 25.035617][ T304] ? __schedule+0xca1/0x1540 [ 25.040055][ T304] ? __kasan_check_write+0x14/0x20 [ 25.044992][ T304] ? __kasan_check_write+0x14/0x20 [ 25.049935][ T304] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 25.054885][ T304] do_futex+0x501/0x9a0 [ 25.058879][ T304] ? __ia32_sys_get_robust_list+0x90/0x90 [ 25.064434][ T304] __se_sys_futex+0x35e/0x3c0 [ 25.068946][ T304] ? _raw_spin_unlock_irq+0x4d/0x70 [ 25.073980][ T304] ? __x64_sys_futex+0x100/0x100 [ 25.078756][ T304] ? fpregs_restore_userregs+0x130/0x290 [ 25.084220][ T304] __x64_sys_futex+0xe5/0x100 [ 25.088733][ T304] do_syscall_64+0x3d/0xb0 [ 25.092983][ T304] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 25.098711][ T304] RIP: 0033:0x7f1ef6aecf59 [ 25.102967][ T304] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 25.122409][ T304] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 25.130654][ T304] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 25.138466][ T304] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 25.146360][ T304] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [pid 304] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 303] exit_group(0) = ? [pid 304] <... futex resumed>) = ? [pid 304] +++ exited with 0 +++ [pid 303] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=303, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 306 attached , child_tidptr=0x555555a28690) = 306 [pid 306] set_robust_list(0x555555a286a0, 24) = 0 [pid 306] chdir("./3") = 0 [pid 306] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 306] setpgid(0, 0) = 0 [pid 306] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 306] write(3, "1000", 4) = 4 [pid 306] close(3) = 0 [pid 306] symlink("/dev/binderfs", "./binderfs") = 0 [pid 306] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 306] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 306] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 306] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 306] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 306] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 306] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 307 attached [pid 307] set_robust_list(0x7f1ef6aad9a0, 24 [pid 306] <... clone3 resumed> => {parent_tid=[307]}, 88) = 307 [pid 306] rt_sigprocmask(SIG_SETMASK, [], [pid 307] <... set_robust_list resumed>) = 0 [pid 306] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 307] rt_sigprocmask(SIG_SETMASK, [], [pid 306] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 307] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 307] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 307] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 307] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 306] <... futex resumed>) = 1 [pid 307] <... futex resumed>) = 0 [pid 307] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 306] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 306] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 307] <... futex resumed>) = 0 [pid 307] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 306] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 307] <... bpf resumed>) = 4 [pid 307] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 307] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 306] <... futex resumed>) = 0 [pid 306] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 307] <... futex resumed>) = 0 [pid 307] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 307] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 307] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 306] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 306] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 306] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 307] <... futex resumed>) = 0 [pid 307] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 307] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 306] <... futex resumed>) = 0 [pid 307] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 306] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 307] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 307] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 306] <... futex resumed>) = 0 [pid 307] <... bpf resumed>) = 0 [pid 306] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 307] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 307] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 306] <... futex resumed>) = 0 [pid 307] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 306] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 307] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 306] <... futex resumed>) = 0 [pid 307] <... bind resumed>) = 0 [pid 306] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 307] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 306] <... futex resumed>) = 0 [pid 307] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 306] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 307] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 306] <... futex resumed>) = 0 [pid 307] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 306] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 307] <... openat resumed>) = 6 [pid 307] write(6, "8", 1) = 1 [pid 307] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 307] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 307] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 306] <... futex resumed>) = 0 [ 25.154177][ T304] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 25.161986][ T304] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 25.169799][ T304] [pid 306] exit_group(0) = ? [ 25.197361][ T307] FAULT_INJECTION: forcing a failure. [ 25.197361][ T307] name fail_futex, interval 1, probability 0, space 0, times 0 [ 25.210008][ T307] CPU: 1 PID: 307 Comm: syz-executor742 Not tainted 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 25.219846][ T307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 25.229749][ T307] Call Trace: [ 25.232863][ T307] [ 25.235648][ T307] dump_stack_lvl+0x151/0x1b7 [ 25.240156][ T307] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 25.245467][ T307] dump_stack+0x15/0x17 [ 25.249445][ T307] should_fail_ex+0x3d0/0x520 [ 25.253957][ T307] should_fail+0xb/0x10 [ 25.257954][ T307] get_futex_key+0x177/0xc90 [ 25.262375][ T307] ? futex_setup_timer+0xd0/0xd0 [ 25.267153][ T307] ? __this_cpu_preempt_check+0x13/0x20 [ 25.272529][ T307] futex_wait_setup+0xc3/0x330 [ 25.277131][ T307] ? futex_wait_multiple+0x8e0/0x8e0 [ 25.282258][ T307] ? __switch_to+0x62c/0x1190 [ 25.286766][ T307] ? futex_wait+0xf3/0x7e0 [ 25.291018][ T307] ? futex_setup_timer+0xb0/0xd0 [ 25.295791][ T307] futex_wait+0x1b9/0x7e0 [ 25.299956][ T307] ? __sched_clock_gtod_offset+0x100/0x100 [ 25.305818][ T307] ? futex_wait_setup+0x330/0x330 [ 25.310681][ T307] ? __kasan_check_write+0x14/0x20 [ 25.315620][ T307] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 25.320580][ T307] do_futex+0x55a/0x9a0 [ 25.324574][ T307] ? __ia32_sys_get_robust_list+0x90/0x90 [ 25.330244][ T307] __se_sys_futex+0x35e/0x3c0 [ 25.335060][ T307] ? _raw_spin_unlock_irq+0x4d/0x70 [ 25.340097][ T307] ? __x64_sys_futex+0x100/0x100 [ 25.344871][ T307] ? fpregs_restore_userregs+0x130/0x290 [ 25.350346][ T307] __x64_sys_futex+0xe5/0x100 [ 25.354861][ T307] do_syscall_64+0x3d/0xb0 [ 25.359105][ T307] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 25.364932][ T307] RIP: 0033:0x7f1ef6aecf59 [ 25.369184][ T307] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 25.388801][ T307] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [pid 307] <... futex resumed>) = ? [pid 307] +++ exited with 0 +++ [pid 306] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=306, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 308 ./strace-static-x86_64: Process 308 attached [pid 308] set_robust_list(0x555555a286a0, 24) = 0 [pid 308] chdir("./4") = 0 [pid 308] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 308] setpgid(0, 0) = 0 [pid 308] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 308] write(3, "1000", 4) = 4 [pid 308] close(3) = 0 [pid 308] symlink("/dev/binderfs", "./binderfs") = 0 [pid 308] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 308] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 308] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 308] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 308] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 308] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 308] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 309 attached [pid 309] set_robust_list(0x7f1ef6aad9a0, 24 [pid 308] <... clone3 resumed> => {parent_tid=[309]}, 88) = 309 [pid 309] <... set_robust_list resumed>) = 0 [pid 308] rt_sigprocmask(SIG_SETMASK, [], [pid 309] rt_sigprocmask(SIG_SETMASK, [], [pid 308] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 309] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 308] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 308] <... futex resumed>) = 0 [pid 309] <... socket resumed>) = 3 [pid 308] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 308] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 308] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 308] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] <... futex resumed>) = 1 [pid 308] <... futex resumed>) = 0 [pid 309] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 308] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] <... bpf resumed>) = 4 [pid 309] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 308] <... futex resumed>) = 0 [pid 308] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 308] <... futex resumed>) = 0 [pid 309] <... bpf resumed>) = 5 [pid 308] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 308] <... futex resumed>) = 0 [pid 309] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 308] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 308] <... futex resumed>) = 0 [pid 309] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 308] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 308] <... futex resumed>) = 0 [pid 309] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 308] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] <... bpf resumed>) = 0 [pid 308] <... futex resumed>) = 0 [pid 309] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 308] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] <... futex resumed>) = 0 [pid 308] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 309] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 308] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] <... bind resumed>) = 0 [pid 308] <... futex resumed>) = 0 [pid 309] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 308] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] <... futex resumed>) = 0 [pid 308] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 309] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 308] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] <... openat resumed>) = 6 [pid 308] <... futex resumed>) = 0 [pid 309] write(6, "8", 1 [pid 308] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 309] <... write resumed>) = 1 [pid 309] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 309] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 308] <... futex resumed>) = 0 [pid 309] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 308] exit_group(0 [pid 309] <... futex resumed>) = ? [pid 308] <... exit_group resumed>) = ? [pid 309] +++ exited with 0 +++ [pid 308] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=308, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 310 ./strace-static-x86_64: Process 310 attached [pid 310] set_robust_list(0x555555a286a0, 24) = 0 [pid 310] chdir("./5") = 0 [pid 310] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 310] setpgid(0, 0) = 0 [pid 310] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 310] write(3, "1000", 4) = 4 [pid 310] close(3) = 0 [ 25.397053][ T307] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 25.404982][ T307] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1ef6b773e8 [ 25.412788][ T307] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 25.420603][ T307] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 25.428414][ T307] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 25.436249][ T307] [pid 310] symlink("/dev/binderfs", "./binderfs") = 0 [pid 310] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 310] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 310] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 310] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 310] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 310] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[311]}, 88) = 311 [pid 310] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 310] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 311 attached [pid 311] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 311] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 311] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 311] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 311] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 310] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 311] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 310] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 311] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 311] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 310] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] <... bpf resumed>) = 5 [pid 311] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 310] <... futex resumed>) = 0 [pid 311] <... futex resumed>) = 1 [pid 310] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 311] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 310] <... futex resumed>) = 0 [pid 311] <... bpf resumed>) = 0 [pid 310] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 310] <... futex resumed>) = 0 [pid 311] <... futex resumed>) = 1 [pid 310] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 311] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] <... bpf resumed>) = 0 [pid 311] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 311] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 311] write(6, "8", 1) = 1 [pid 311] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 311] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 310] <... futex resumed>) = 0 [pid 310] exit_group(0) = ? [pid 311] <... futex resumed>) = ? [pid 311] +++ exited with 0 +++ [pid 310] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=310, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/binderfs") = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 312 ./strace-static-x86_64: Process 312 attached [pid 312] set_robust_list(0x555555a286a0, 24) = 0 [pid 312] chdir("./6") = 0 [pid 312] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 312] setpgid(0, 0) = 0 [pid 312] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 312] write(3, "1000", 4) = 4 [pid 312] close(3) = 0 [pid 312] symlink("/dev/binderfs", "./binderfs") = 0 [pid 312] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 312] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 312] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 312] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 312] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 312] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 312] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 313 attached [pid 313] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 313] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 313] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 312] <... clone3 resumed> => {parent_tid=[313]}, 88) = 313 [pid 312] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 312] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 313] <... futex resumed>) = 0 [pid 313] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 313] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 312] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 312] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 313] <... futex resumed>) = 0 [pid 313] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 312] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] <... bpf resumed>) = 4 [pid 313] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 313] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 312] <... futex resumed>) = 0 [pid 312] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 313] <... futex resumed>) = 0 [pid 313] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 312] <... futex resumed>) = 1 [pid 313] <... bpf resumed>) = 5 [pid 313] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 312] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 312] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 313] <... futex resumed>) = 0 [pid 313] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 313] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 312] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 312] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 313] <... futex resumed>) = 0 [pid 313] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 313] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 312] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 312] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 313] <... futex resumed>) = 0 [pid 313] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 312] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] <... bind resumed>) = 0 [pid 313] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 313] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 312] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 312] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] <... openat resumed>) = 6 [pid 313] write(6, "8", 1) = 1 [pid 313] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 313] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 312] exit_group(0) = ? [pid 313] +++ exited with 0 +++ [pid 312] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=312, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/binderfs") = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 314 ./strace-static-x86_64: Process 314 attached [pid 314] set_robust_list(0x555555a286a0, 24) = 0 [pid 314] chdir("./7") = 0 [pid 314] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 314] setpgid(0, 0) = 0 [pid 314] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 314] write(3, "1000", 4) = 4 [pid 314] close(3) = 0 [pid 314] symlink("/dev/binderfs", "./binderfs") = 0 [pid 314] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 314] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 314] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 314] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 314] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 314] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[315]}, 88) = 315 [pid 314] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 314] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 315 attached [pid 315] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 315] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 315] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 315] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... futex resumed>) = 1 [pid 315] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 315] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 315] <... futex resumed>) = 1 [pid 314] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 315] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... bpf resumed>) = 5 [pid 315] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 315] <... futex resumed>) = 1 [pid 315] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 314] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 315] <... bpf resumed>) = 0 [pid 314] <... futex resumed>) = 0 [pid 315] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... futex resumed>) = 0 [pid 314] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 315] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 314] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 315] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 314] <... futex resumed>) = 0 [pid 315] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 314] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... bpf resumed>) = 0 [pid 315] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 315] <... futex resumed>) = 1 [pid 314] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 315] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... bind resumed>) = 0 [pid 315] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 315] <... futex resumed>) = 1 [pid 314] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 315] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 314] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... openat resumed>) = 6 [pid 315] write(6, "8", 1) = 1 [pid 315] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 315] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] exit_group(0 [pid 315] ????( [pid 314] <... exit_group resumed>) = ? [pid 315] <... ???? resumed>) = ? [pid 315] +++ exited with 0 +++ [pid 314] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=314, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/binderfs") = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 316 ./strace-static-x86_64: Process 316 attached [pid 316] set_robust_list(0x555555a286a0, 24) = 0 [pid 316] chdir("./8") = 0 [pid 316] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 316] setpgid(0, 0) = 0 [pid 316] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 316] write(3, "1000", 4) = 4 [pid 316] close(3) = 0 [pid 316] symlink("/dev/binderfs", "./binderfs") = 0 [pid 316] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 316] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 316] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 316] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 316] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 316] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 317 attached => {parent_tid=[317]}, 88) = 317 [pid 317] set_robust_list(0x7f1ef6aad9a0, 24 [pid 316] rt_sigprocmask(SIG_SETMASK, [], [pid 317] <... set_robust_list resumed>) = 0 [pid 316] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 316] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 317] rt_sigprocmask(SIG_SETMASK, [], [pid 316] <... futex resumed>) = 0 [pid 317] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 316] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 317] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 316] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 317] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 317] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 316] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] <... bpf resumed>) = 5 [pid 317] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 317] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 316] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 317] <... bpf resumed>) = 0 [pid 316] <... futex resumed>) = 0 [pid 317] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 316] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] <... futex resumed>) = 0 [pid 316] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 317] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 316] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] <... bpf resumed>) = 0 [pid 317] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 316] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 317] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 316] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 317] write(6, "8", 1) = 1 [pid 317] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 317] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 317] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 316] exit_group(0) = ? [pid 317] <... futex resumed>) = ? [pid 317] +++ exited with 0 +++ [pid 316] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=316, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/binderfs") = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./8") = 0 mkdir("./9", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 318 attached , child_tidptr=0x555555a28690) = 318 [pid 318] set_robust_list(0x555555a286a0, 24) = 0 [pid 318] chdir("./9") = 0 [pid 318] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 318] setpgid(0, 0) = 0 [pid 318] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 318] write(3, "1000", 4) = 4 [pid 318] close(3) = 0 [pid 318] symlink("/dev/binderfs", "./binderfs") = 0 [pid 318] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 318] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 318] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 318] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 318] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 318] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 318] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 319 attached => {parent_tid=[319]}, 88) = 319 [pid 319] set_robust_list(0x7f1ef6aad9a0, 24 [pid 318] rt_sigprocmask(SIG_SETMASK, [], [pid 319] <... set_robust_list resumed>) = 0 [pid 319] rt_sigprocmask(SIG_SETMASK, [], [pid 318] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 319] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 318] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 318] <... futex resumed>) = 0 [pid 319] <... socket resumed>) = 3 [pid 318] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 318] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 319] <... futex resumed>) = 0 [pid 318] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 318] <... futex resumed>) = 0 [pid 318] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] <... bpf resumed>) = 4 [pid 319] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 318] <... futex resumed>) = 0 [pid 319] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 318] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] <... bpf resumed>) = 5 [pid 318] <... futex resumed>) = 0 [pid 319] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 318] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] <... futex resumed>) = 0 [pid 318] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 319] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 318] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 318] <... futex resumed>) = 0 [pid 319] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 318] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] <... bpf resumed>) = 0 [pid 319] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 318] <... futex resumed>) = 0 [pid 319] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 318] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 318] <... futex resumed>) = 0 [pid 319] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 318] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] <... bpf resumed>) = 0 [pid 319] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 318] <... futex resumed>) = 0 [pid 319] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 318] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] <... bind resumed>) = 0 [pid 318] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 318] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 319] <... futex resumed>) = 0 [pid 318] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 318] <... futex resumed>) = 0 [pid 319] <... openat resumed>) = 6 [pid 318] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] write(6, "8", 1) = 1 [pid 319] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 25.602197][ T319] FAULT_INJECTION: forcing a failure. [ 25.602197][ T319] name fail_futex, interval 1, probability 0, space 0, times 0 [ 25.615057][ T319] CPU: 1 PID: 319 Comm: syz-executor742 Not tainted 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 25.624887][ T319] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 25.634856][ T319] Call Trace: [ 25.637968][ T319] [ 25.640747][ T319] dump_stack_lvl+0x151/0x1b7 [ 25.645619][ T319] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 25.651096][ T319] dump_stack+0x15/0x17 [ 25.655153][ T319] should_fail_ex+0x3d0/0x520 [ 25.659669][ T319] should_fail+0xb/0x10 [ 25.663665][ T319] get_futex_key+0x177/0xc90 [ 25.668115][ T319] ? futex_setup_timer+0xd0/0xd0 [ 25.672865][ T319] futex_wake+0x1af/0xb60 [ 25.677028][ T319] ? futex_wake_mark+0x170/0x170 [ 25.681799][ T319] ? finish_task_switch+0x167/0x7b0 [ 25.686835][ T319] ? __schedule+0xca1/0x1540 [ 25.691270][ T319] ? __kasan_check_write+0x14/0x20 [ 25.696222][ T319] ? __kasan_check_write+0x14/0x20 [ 25.701155][ T319] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 25.706104][ T319] do_futex+0x501/0x9a0 [ 25.710097][ T319] ? __ia32_sys_get_robust_list+0x90/0x90 [ 25.715651][ T319] __se_sys_futex+0x35e/0x3c0 [ 25.720160][ T319] ? _raw_spin_unlock_irq+0x4d/0x70 [ 25.725377][ T319] ? __x64_sys_futex+0x100/0x100 [ 25.730146][ T319] ? fpregs_restore_userregs+0x130/0x290 [ 25.735615][ T319] __x64_sys_futex+0xe5/0x100 [ 25.740134][ T319] do_syscall_64+0x3d/0xb0 [ 25.744377][ T319] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 25.750236][ T319] RIP: 0033:0x7f1ef6aecf59 [ 25.754448][ T319] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 25.773990][ T319] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 25.782342][ T319] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 25.790116][ T319] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 25.797928][ T319] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 25.805747][ T319] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 25.813553][ T319] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 25.821370][ T319] [ 25.824702][ T37] ================================================================== [ 25.832578][ T37] BUG: KASAN: use-after-free in consume_skb+0x3c/0x250 [ 25.839256][ T37] Read of size 4 at addr ffff8881099d4374 by task kworker/1:1/37 [ 25.846813][ T37] [ 25.848980][ T37] CPU: 1 PID: 37 Comm: kworker/1:1 Not tainted 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 25.858698][ T37] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 25.868771][ T37] Workqueue: events sk_psock_destroy [ 25.873887][ T37] Call Trace: [ 25.877026][ T37] [ 25.879791][ T37] dump_stack_lvl+0x151/0x1b7 [ 25.884309][ T37] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 25.889712][ T37] ? _printk+0xd1/0x111 [ 25.893708][ T37] ? __virt_addr_valid+0x242/0x2f0 [ 25.899517][ T37] print_report+0x158/0x4e0 [ 25.903862][ T37] ? __virt_addr_valid+0x242/0x2f0 [ 25.908817][ T37] ? kasan_complete_mode_report_info+0x90/0x1b0 [ 25.914883][ T37] ? consume_skb+0x3c/0x250 [ 25.919223][ T37] kasan_report+0x13c/0x170 [ 25.923561][ T37] ? consume_skb+0x3c/0x250 [ 25.928007][ T37] ? __kasan_check_write+0x14/0x20 [ 25.932937][ T37] kasan_check_range+0x294/0x2a0 [ 25.937709][ T37] __kasan_check_read+0x11/0x20 [ 25.942569][ T37] consume_skb+0x3c/0x250 [ 25.946824][ T37] __sk_msg_free+0x2dd/0x370 [ 25.951256][ T37] ? _raw_spin_unlock_irqrestore+0x5b/0x80 [ 25.956898][ T37] ? skb_dequeue+0x123/0x160 [ 25.961322][ T37] sk_psock_destroy+0x351/0x810 [ 25.966002][ T37] process_one_work+0x73d/0xcb0 [ 25.970698][ T37] worker_thread+0xa60/0x1260 [ 25.975221][ T37] kthread+0x26d/0x300 [ 25.979116][ T37] ? worker_clr_flags+0x1a0/0x1a0 [ 25.984143][ T37] ? kthread_blkcg+0xd0/0xd0 [ 25.988578][ T37] ret_from_fork+0x1f/0x30 [ 25.992825][ T37] [ 25.995695][ T37] [ 25.997856][ T37] Allocated by task 317: [ 26.001937][ T37] kasan_set_track+0x4b/0x70 [ 26.006381][ T37] kasan_save_alloc_info+0x1f/0x30 [ 26.011312][ T37] __kasan_slab_alloc+0x6c/0x80 [ 26.015996][ T37] slab_post_alloc_hook+0x53/0x2c0 [ 26.020943][ T37] kmem_cache_alloc_node+0x18a/0x2d0 [ 26.026063][ T37] __alloc_skb+0xcc/0x2c0 [ 26.030230][ T37] alloc_skb_with_frags+0xa6/0x680 [ 26.035189][ T37] sock_alloc_send_pskb+0x915/0xa50 [ 26.040213][ T37] unix_dgram_sendmsg+0x5b1/0x2050 [ 26.045333][ T37] ____sys_sendmsg+0x5dc/0x9d0 [ 26.049929][ T37] __sys_sendmmsg+0x3b9/0x6f0 [ 26.054446][ T37] __x64_sys_sendmmsg+0xa0/0xb0 [ 26.059130][ T37] do_syscall_64+0x3d/0xb0 [ 26.063384][ T37] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 26.069297][ T37] [ 26.071457][ T37] Freed by task 37: [ 26.075100][ T37] kasan_set_track+0x4b/0x70 [ 26.079553][ T37] kasan_save_free_info+0x2b/0x40 [ 26.084386][ T37] ____kasan_slab_free+0x131/0x180 [ 26.089334][ T37] __kasan_slab_free+0x11/0x20 [ 26.094142][ T37] kmem_cache_free+0x291/0x510 [ 26.098751][ T37] kfree_skbmem+0x104/0x170 [ 26.103787][ T37] kfree_skb_reason+0xdb/0x250 [ 26.108390][ T37] sk_psock_destroy+0x143/0x810 [ 26.113080][ T37] process_one_work+0x73d/0xcb0 [ 26.117757][ T37] worker_thread+0xa60/0x1260 [ 26.122443][ T37] kthread+0x26d/0x300 [ 26.126362][ T37] ret_from_fork+0x1f/0x30 [ 26.130600][ T37] [ 26.132945][ T37] The buggy address belongs to the object at ffff8881099d4280 [ 26.132945][ T37] which belongs to the cache skbuff_head_cache of size 256 [ 26.147355][ T37] The buggy address is located 244 bytes inside of [ 26.147355][ T37] 256-byte region [ffff8881099d4280, ffff8881099d4380) [ 26.160555][ T37] [ 26.162724][ T37] The buggy address belongs to the physical page: [ 26.168972][ T37] page:ffffea0004267500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1099d4 [ 26.179030][ T37] flags: 0x4000000000000200(slab|zone=1) [ 26.184510][ T37] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100b90180 [ 26.192936][ T37] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 [ 26.201344][ T37] page dumped because: kasan: bad access detected [ 26.207590][ T37] page_owner tracks the page as allocated [ 26.213160][ T37] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 292, tgid 292 (sshd), ts 25562268276, free_ts 25556056951 [ 26.230414][ T37] post_alloc_hook+0x213/0x220 [ 26.235012][ T37] prep_new_page+0x1b/0x110 [ 26.239352][ T37] get_page_from_freelist+0x2762/0x27f0 [ 26.244733][ T37] __alloc_pages+0x3a1/0x780 [ 26.249202][ T37] new_slab+0xce/0x4c0 [ 26.253066][ T37] ___slab_alloc+0x6f9/0xb80 [ 26.257492][ T37] __slab_alloc+0x5d/0xa0 [ 26.261658][ T37] kmem_cache_alloc+0x1b9/0x2c0 [ 26.266346][ T37] skb_clone+0x1f8/0x380 [ 26.270425][ T37] dev_queue_xmit_nit+0x248/0xa90 [ 26.275303][ T37] dev_hard_start_xmit+0x140/0x630 [ 26.280234][ T37] sch_direct_xmit+0x298/0x9b0 [ 26.284830][ T37] __dev_queue_xmit+0x17df/0x3660 [ 26.289701][ T37] ip_finish_output2+0xb60/0xf90 [ 26.294552][ T37] __ip_finish_output+0x162/0x370 [ 26.299413][ T37] ip_finish_output+0x31/0x2a0 [ 26.304014][ T37] page last free stack trace: [ 26.308528][ T37] free_unref_page_prepare+0x83d/0x850 [ 26.313833][ T37] free_unref_page_list+0xf6/0x6c0 [ 26.318765][ T37] release_pages+0xf7f/0xfe0 [ 26.323195][ T37] free_pages_and_swap_cache+0x8a/0xa0 [ 26.328490][ T37] tlb_finish_mmu+0x1e0/0x3f0 [ 26.333003][ T37] exit_mmap+0x3e5/0x8a0 [ 26.337516][ T37] __mmput+0x95/0x310 [ 26.341336][ T37] mmput+0x56/0x170 [ 26.344979][ T37] do_exit+0xb29/0x2b80 [ 26.348971][ T37] do_group_exit+0x21a/0x2d0 [ 26.353397][ T37] get_signal+0x169d/0x1820 [ 26.357749][ T37] arch_do_signal_or_restart+0xb0/0x16f0 [ 26.363206][ T37] exit_to_user_mode_loop+0x6b/0xa0 [ 26.368251][ T37] exit_to_user_mode_prepare+0x5a/0xa0 [ 26.374229][ T37] syscall_exit_to_user_mode+0x26/0x130 [ 26.379617][ T37] do_syscall_64+0x49/0xb0 [ 26.383876][ T37] [ 26.386032][ T37] Memory state around the buggy address: [ 26.391505][ T37] ffff8881099d4200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [pid 319] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 318] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 319] <... futex resumed>) = -1 EFAULT (Bad address) [pid 318] exit_group(0) = ? [pid 319] +++ exited with 0 +++ [pid 318] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=318, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./9", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./9/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/binderfs") = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./9") = 0 mkdir("./10", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 321 ./strace-static-x86_64: Process 321 attached [pid 321] set_robust_list(0x555555a286a0, 24) = 0 [pid 321] chdir("./10") = 0 [pid 321] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 321] setpgid(0, 0) = 0 [pid 321] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 321] write(3, "1000", 4) = 4 [pid 321] close(3) = 0 [pid 321] symlink("/dev/binderfs", "./binderfs") = 0 [pid 321] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 321] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 321] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 321] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 321] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 321] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 321] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[322]}, 88) = 322 ./strace-static-x86_64: Process 322 attached [pid 321] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 321] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 321] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 322] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 322] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 322] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 322] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 321] <... futex resumed>) = 0 [pid 321] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 321] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 322] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 322] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 321] <... futex resumed>) = 0 [pid 321] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 321] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 322] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 322] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 321] <... futex resumed>) = 0 [pid 321] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 321] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 322] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 322] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 321] <... futex resumed>) = 0 [pid 321] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 321] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 322] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 322] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 321] <... futex resumed>) = 0 [pid 321] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 321] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 322] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 322] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 321] <... futex resumed>) = 0 [pid 321] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 321] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 322] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 322] write(6, "8", 1) = 1 [pid 322] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 26.399417][ T37] ffff8881099d4280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.407297][ T37] >ffff8881099d4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.415291][ T37] ^ [ 26.422835][ T37] ffff8881099d4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.430743][ T37] ffff8881099d4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.438631][ T37] ================================================================== [ 26.448798][ T37] Disabling lock debugging due to kernel taint [pid 322] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 321] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 321] exit_group(0) = ? [ 26.471842][ T322] FAULT_INJECTION: forcing a failure. [ 26.471842][ T322] name fail_futex, interval 1, probability 0, space 0, times 0 [ 26.484657][ T322] CPU: 1 PID: 322 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 26.496115][ T322] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 26.506011][ T322] Call Trace: [ 26.509144][ T322] [ 26.511913][ T322] dump_stack_lvl+0x151/0x1b7 [ 26.517032][ T322] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 26.522530][ T322] dump_stack+0x15/0x17 [ 26.526507][ T322] should_fail_ex+0x3d0/0x520 [ 26.531022][ T322] should_fail+0xb/0x10 [ 26.535015][ T322] get_futex_key+0x177/0xc90 [ 26.539546][ T322] ? futex_setup_timer+0xd0/0xd0 [ 26.544304][ T322] futex_wake+0x1af/0xb60 [ 26.548468][ T322] ? futex_wake_mark+0x170/0x170 [ 26.553249][ T322] ? finish_task_switch+0x167/0x7b0 [ 26.558276][ T322] ? __schedule+0xca1/0x1540 [ 26.562712][ T322] ? __kasan_check_write+0x14/0x20 [ 26.567646][ T322] ? __kasan_check_write+0x14/0x20 [ 26.572697][ T322] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 26.577987][ T322] do_futex+0x501/0x9a0 [ 26.581983][ T322] ? __ia32_sys_get_robust_list+0x90/0x90 [ 26.587535][ T322] __se_sys_futex+0x35e/0x3c0 [ 26.592050][ T322] ? _raw_spin_unlock_irq+0x4d/0x70 [ 26.597172][ T322] ? __x64_sys_futex+0x100/0x100 [ 26.601945][ T322] ? fpregs_restore_userregs+0x130/0x290 [ 26.607409][ T322] __x64_sys_futex+0xe5/0x100 [ 26.611921][ T322] do_syscall_64+0x3d/0xb0 [ 26.616189][ T322] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 26.621907][ T322] RIP: 0033:0x7f1ef6aecf59 [ 26.626158][ T322] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 26.645600][ T322] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 26.653843][ T322] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 26.661740][ T322] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 322] <... futex resumed>) = ? [pid 322] +++ exited with 0 +++ [pid 321] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=321, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./10", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./10/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/binderfs") = 0 umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./10") = 0 mkdir("./11", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 323 ./strace-static-x86_64: Process 323 attached [pid 323] set_robust_list(0x555555a286a0, 24) = 0 [pid 323] chdir("./11") = 0 [pid 323] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 323] setpgid(0, 0) = 0 [pid 323] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 323] write(3, "1000", 4) = 4 [pid 323] close(3) = 0 [pid 323] symlink("/dev/binderfs", "./binderfs") = 0 [pid 323] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 323] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 323] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 323] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 323] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 323] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 323] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 324 attached => {parent_tid=[324]}, 88) = 324 [pid 323] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 323] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 323] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 324] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 324] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 324] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 324] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 323] <... futex resumed>) = 0 [pid 324] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 323] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 324] <... bpf resumed>) = 4 [pid 323] <... futex resumed>) = 0 [pid 324] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 323] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 324] <... futex resumed>) = 0 [pid 323] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 324] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 323] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 324] <... bpf resumed>) = 5 [pid 323] <... futex resumed>) = 0 [pid 324] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 323] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 324] <... futex resumed>) = 0 [pid 323] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 324] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 323] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 324] <... bpf resumed>) = 0 [pid 323] <... futex resumed>) = 0 [pid 324] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 323] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 324] <... futex resumed>) = 0 [pid 323] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 324] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 323] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 324] <... bpf resumed>) = 0 [pid 323] <... futex resumed>) = 0 [pid 324] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 323] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 324] <... futex resumed>) = 0 [pid 323] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 324] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 323] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 324] <... bind resumed>) = 0 [pid 323] <... futex resumed>) = 0 [pid 324] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 323] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 324] <... futex resumed>) = 0 [pid 323] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 324] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 323] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 324] <... openat resumed>) = 6 [pid 323] <... futex resumed>) = 0 [pid 324] write(6, "8", 1 [pid 323] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 324] <... write resumed>) = 1 [pid 324] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 324] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 323] <... futex resumed>) = 0 [pid 323] exit_group(0) = ? [pid 324] +++ exited with 0 +++ [pid 323] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=323, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./11", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./11/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/binderfs") = 0 umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./11") = 0 mkdir("./12", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 325 ./strace-static-x86_64: Process 325 attached [pid 325] set_robust_list(0x555555a286a0, 24) = 0 [pid 325] chdir("./12") = 0 [pid 325] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 325] setpgid(0, 0) = 0 [pid 325] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 325] write(3, "1000", 4) = 4 [pid 325] close(3) = 0 [pid 325] symlink("/dev/binderfs", "./binderfs") = 0 [pid 325] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 325] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 325] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 325] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 325] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 325] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[326]}, 88) = 326 ./strace-static-x86_64: Process 326 attached [pid 325] rt_sigprocmask(SIG_SETMASK, [], [pid 326] set_robust_list(0x7f1ef6aad9a0, 24 [pid 325] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 326] <... set_robust_list resumed>) = 0 [pid 325] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 326] rt_sigprocmask(SIG_SETMASK, [], [pid 325] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 326] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 326] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 325] <... futex resumed>) = 0 [pid 325] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 326] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 325] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] <... bpf resumed>) = 4 [pid 326] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 325] <... futex resumed>) = 0 [pid 326] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 325] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] <... bpf resumed>) = 5 [pid 326] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 325] <... futex resumed>) = 0 [pid 326] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 325] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 326] <... bpf resumed>) = 0 [pid 325] <... futex resumed>) = 0 [pid 326] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 325] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] <... futex resumed>) = 0 [pid 325] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 326] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 325] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] <... bpf resumed>) = 0 [ 26.669562][ T322] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 26.677363][ T322] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 26.685180][ T322] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 26.692993][ T322] [pid 326] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 325] <... futex resumed>) = 0 [pid 325] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 326] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 325] <... futex resumed>) = 0 [pid 325] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 326] write(6, "8", 1) = 1 [pid 326] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 326] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 325] <... futex resumed>) = 0 [pid 326] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 325] exit_group(0 [pid 326] <... futex resumed>) = ? [pid 325] <... exit_group resumed>) = ? [pid 326] +++ exited with 0 +++ [pid 325] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=325, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- umount2("./12", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./12/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./12/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./12/binderfs") = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./12/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./12/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./12") = 0 mkdir("./13", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 327 ./strace-static-x86_64: Process 327 attached [pid 327] set_robust_list(0x555555a286a0, 24) = 0 [pid 327] chdir("./13") = 0 [pid 327] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 327] setpgid(0, 0) = 0 [pid 327] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 327] write(3, "1000", 4) = 4 [pid 327] close(3) = 0 [pid 327] symlink("/dev/binderfs", "./binderfs") = 0 [pid 327] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 327] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 327] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 327] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 327] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 327] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 327] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 328 attached => {parent_tid=[328]}, 88) = 328 [pid 328] set_robust_list(0x7f1ef6aad9a0, 24 [pid 327] rt_sigprocmask(SIG_SETMASK, [], [pid 328] <... set_robust_list resumed>) = 0 [pid 327] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 328] rt_sigprocmask(SIG_SETMASK, [], [pid 327] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 328] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 328] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 328] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 328] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 327] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 327] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 328] <... futex resumed>) = 0 [pid 328] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 327] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 328] <... bpf resumed>) = 4 [pid 328] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 327] <... futex resumed>) = 0 [pid 327] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 328] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 327] <... futex resumed>) = 0 [pid 327] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 328] <... bpf resumed>) = 5 [pid 328] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 327] <... futex resumed>) = 0 [pid 328] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 327] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 328] <... bpf resumed>) = 0 [pid 327] <... futex resumed>) = 0 [pid 328] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 327] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 328] <... futex resumed>) = 0 [pid 327] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 327] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 327] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 328] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 328] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 327] <... futex resumed>) = 0 [pid 327] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 327] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 328] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 328] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 327] <... futex resumed>) = 0 [pid 327] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 327] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 328] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 328] write(6, "8", 1) = 1 [pid 328] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 328] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 327] <... futex resumed>) = 0 [pid 327] exit_group(0) = ? [pid 328] +++ exited with 0 +++ [pid 327] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=327, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- umount2("./13", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./13/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./13/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./13/binderfs") = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./13/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./13/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./13") = 0 mkdir("./14", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 329 attached , child_tidptr=0x555555a28690) = 329 [pid 329] set_robust_list(0x555555a286a0, 24) = 0 [pid 329] chdir("./14") = 0 [pid 329] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 329] setpgid(0, 0) = 0 [pid 329] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 329] write(3, "1000", 4) = 4 [pid 329] close(3) = 0 [pid 329] symlink("/dev/binderfs", "./binderfs") = 0 [pid 329] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 329] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 329] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 329] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 329] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 329] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 329] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 330 attached => {parent_tid=[330]}, 88) = 330 [pid 330] set_robust_list(0x7f1ef6aad9a0, 24 [pid 329] rt_sigprocmask(SIG_SETMASK, [], [pid 330] <... set_robust_list resumed>) = 0 [pid 329] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 329] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] rt_sigprocmask(SIG_SETMASK, [], [pid 329] <... futex resumed>) = 0 [pid 329] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 330] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 330] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 330] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 329] <... futex resumed>) = 0 [pid 329] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 329] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 330] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 330] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 330] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 329] <... futex resumed>) = 0 [pid 329] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... futex resumed>) = 0 [pid 329] <... futex resumed>) = 1 [pid 330] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 329] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 330] <... bpf resumed>) = 5 [pid 330] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 329] <... futex resumed>) = 0 [pid 330] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 329] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... bpf resumed>) = 0 [pid 329] <... futex resumed>) = 0 [pid 330] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 329] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 330] <... futex resumed>) = 0 [pid 329] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 330] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 329] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... bpf resumed>) = 0 [pid 329] <... futex resumed>) = 0 [pid 330] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 329] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 330] <... futex resumed>) = 0 [pid 329] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 330] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 329] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... bind resumed>) = 0 [pid 329] <... futex resumed>) = 0 [pid 330] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 329] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 330] <... futex resumed>) = 0 [pid 329] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 330] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 329] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... openat resumed>) = 6 [pid 329] <... futex resumed>) = 0 [pid 330] write(6, "8", 1 [pid 329] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 330] <... write resumed>) = 1 [pid 330] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 330] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 329] <... futex resumed>) = 0 [pid 330] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 329] exit_group(0 [pid 330] <... futex resumed>) = ? [pid 329] <... exit_group resumed>) = ? [pid 330] +++ exited with 0 +++ [pid 329] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=329, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- umount2("./14", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./14/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./14/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./14/binderfs") = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./14/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./14/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./14") = 0 mkdir("./15", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 331 ./strace-static-x86_64: Process 331 attached [pid 331] set_robust_list(0x555555a286a0, 24) = 0 [pid 331] chdir("./15") = 0 [pid 331] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 331] setpgid(0, 0) = 0 [pid 331] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 331] write(3, "1000", 4) = 4 [pid 331] close(3) = 0 [pid 331] symlink("/dev/binderfs", "./binderfs") = 0 [pid 331] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 331] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 331] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 331] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 331] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 331] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 331] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[332]}, 88) = 332 [pid 331] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 331] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 331] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 332 attached [pid 332] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 332] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 332] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 332] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 331] <... futex resumed>) = 0 [pid 331] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 331] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 332] <... futex resumed>) = 1 [pid 332] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 332] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 331] <... futex resumed>) = 0 [pid 332] <... futex resumed>) = 1 [pid 331] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 332] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 331] <... futex resumed>) = 0 [pid 331] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 332] <... bpf resumed>) = 5 [pid 332] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 331] <... futex resumed>) = 0 [pid 332] <... futex resumed>) = 1 [pid 331] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 332] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 331] <... futex resumed>) = 0 [pid 332] <... bpf resumed>) = 0 [pid 331] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 332] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 331] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 332] <... futex resumed>) = 0 [pid 331] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 332] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 331] <... futex resumed>) = 0 [pid 331] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 332] <... bpf resumed>) = 0 [pid 332] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 331] <... futex resumed>) = 0 [pid 332] <... futex resumed>) = 1 [pid 331] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 332] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 331] <... futex resumed>) = 0 [pid 331] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 332] <... bind resumed>) = 0 [pid 332] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 331] <... futex resumed>) = 0 [pid 331] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 331] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 332] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 332] write(6, "8", 1) = 1 [pid 332] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 332] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 331] <... futex resumed>) = 0 [pid 331] exit_group(0) = ? [pid 332] +++ exited with 0 +++ [pid 331] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=331, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./15", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./15/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./15/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./15/binderfs") = 0 umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./15/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./15/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./15") = 0 mkdir("./16", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 333 ./strace-static-x86_64: Process 333 attached [pid 333] set_robust_list(0x555555a286a0, 24) = 0 [pid 333] chdir("./16") = 0 [pid 333] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 333] setpgid(0, 0) = 0 [pid 333] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 333] write(3, "1000", 4) = 4 [pid 333] close(3) = 0 [pid 333] symlink("/dev/binderfs", "./binderfs") = 0 [pid 333] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 333] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 333] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 333] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 333] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 333] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 333] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 334 attached => {parent_tid=[334]}, 88) = 334 [pid 334] set_robust_list(0x7f1ef6aad9a0, 24 [pid 333] rt_sigprocmask(SIG_SETMASK, [], [pid 334] <... set_robust_list resumed>) = 0 [pid 333] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 334] rt_sigprocmask(SIG_SETMASK, [], [pid 333] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 334] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 333] <... futex resumed>) = 0 [pid 334] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 333] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 334] <... socket resumed>) = 3 [pid 334] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 333] <... futex resumed>) = 0 [pid 334] <... futex resumed>) = 1 [pid 333] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 333] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 334] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 334] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 333] <... futex resumed>) = 0 [pid 334] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 333] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 334] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 333] <... futex resumed>) = 0 [pid 333] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 334] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 334] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 333] <... futex resumed>) = 0 [pid 334] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 333] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 334] <... bpf resumed>) = 0 [pid 333] <... futex resumed>) = 0 [pid 334] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 333] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 334] <... futex resumed>) = 0 [pid 333] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 333] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 334] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 333] <... futex resumed>) = 0 [pid 333] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 334] <... bpf resumed>) = 0 [pid 334] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 333] <... futex resumed>) = 0 [pid 333] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 334] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 333] <... futex resumed>) = 0 [pid 333] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 334] <... bind resumed>) = 0 [pid 334] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 333] <... futex resumed>) = 0 [pid 333] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 334] <... futex resumed>) = 1 [pid 333] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 334] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 334] write(6, "8", 1) = 1 [pid 334] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 334] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 333] <... futex resumed>) = 0 [pid 334] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 333] exit_group(0) = ? [pid 334] <... futex resumed>) = ? [pid 334] +++ exited with 0 +++ [pid 333] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=333, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./16", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./16/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./16/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./16/binderfs") = 0 umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./16/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./16/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./16") = 0 mkdir("./17", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 335 ./strace-static-x86_64: Process 335 attached [pid 335] set_robust_list(0x555555a286a0, 24) = 0 [pid 335] chdir("./17") = 0 [pid 335] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 335] setpgid(0, 0) = 0 [pid 335] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 335] write(3, "1000", 4) = 4 [pid 335] close(3) = 0 [pid 335] symlink("/dev/binderfs", "./binderfs") = 0 [pid 335] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 335] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 335] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 335] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 335] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 335] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 335] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[336]}, 88) = 336 [pid 335] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 335] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 335] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 336 attached [pid 336] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 336] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 336] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 336] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 335] <... futex resumed>) = 0 [pid 335] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 335] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... futex resumed>) = 1 [pid 336] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 336] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 335] <... futex resumed>) = 0 [pid 336] <... futex resumed>) = 1 [pid 335] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 336] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 335] <... futex resumed>) = 0 [pid 335] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... bpf resumed>) = 5 [pid 336] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 335] <... futex resumed>) = 0 [pid 336] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 335] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 336] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 335] <... futex resumed>) = 0 [pid 336] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 335] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... bpf resumed>) = 0 [pid 336] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 335] <... futex resumed>) = 0 [pid 336] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 335] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 336] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 335] <... futex resumed>) = 0 [pid 336] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 335] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... bpf resumed>) = 0 [pid 336] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 335] <... futex resumed>) = 0 [pid 336] <... futex resumed>) = 1 [pid 335] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 336] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 335] <... futex resumed>) = 0 [pid 335] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... bind resumed>) = 0 [pid 336] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 335] <... futex resumed>) = 0 [pid 336] <... futex resumed>) = 1 [pid 335] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 336] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 335] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... openat resumed>) = 6 [pid 336] write(6, "8", 1) = 1 [pid 336] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 336] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 335] <... futex resumed>) = 0 [pid 336] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 335] exit_group(0) = ? [ 26.836457][ T336] FAULT_INJECTION: forcing a failure. [ 26.836457][ T336] name fail_futex, interval 1, probability 0, space 0, times 0 [ 26.849226][ T336] CPU: 1 PID: 336 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 26.860772][ T336] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 26.870952][ T336] Call Trace: [ 26.874046][ T336] [ 26.876824][ T336] dump_stack_lvl+0x151/0x1b7 [ 26.881352][ T336] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 26.886633][ T336] ? check_preempt_wakeup+0x720/0xb30 [ 26.891839][ T336] ? enqueue_task+0x195/0x1420 [ 26.896443][ T336] dump_stack+0x15/0x17 [ 26.900430][ T336] should_fail_ex+0x3d0/0x520 [ 26.905249][ T336] should_fail+0xb/0x10 [ 26.909206][ T336] get_futex_key+0x177/0xc90 [ 26.913742][ T336] ? futex_setup_timer+0xd0/0xd0 [ 26.918497][ T336] ? __this_cpu_preempt_check+0x13/0x20 [ 26.923911][ T336] futex_wait_setup+0xc3/0x330 [ 26.928497][ T336] ? futex_wait_multiple+0x8e0/0x8e0 [ 26.933597][ T336] ? __switch_to+0x62c/0x1190 [ 26.938120][ T336] ? futex_wait+0xf3/0x7e0 [ 26.942377][ T336] ? futex_setup_timer+0xb0/0xd0 [ 26.947148][ T336] futex_wait+0x1b9/0x7e0 [ 26.951305][ T336] ? __sched_clock_gtod_offset+0x100/0x100 [ 26.956982][ T336] ? futex_wait_setup+0x330/0x330 [ 26.961886][ T336] ? __kasan_check_write+0x14/0x20 [ 26.966786][ T336] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 26.971700][ T336] do_futex+0x55a/0x9a0 [ 26.975701][ T336] ? __ia32_sys_get_robust_list+0x90/0x90 [ 26.981263][ T336] __se_sys_futex+0x35e/0x3c0 [ 26.985765][ T336] ? _raw_spin_unlock_irq+0x4d/0x70 [ 26.990967][ T336] ? __x64_sys_futex+0x100/0x100 [ 26.995741][ T336] ? fpregs_restore_userregs+0x130/0x290 [ 27.001209][ T336] __x64_sys_futex+0xe5/0x100 [ 27.005720][ T336] do_syscall_64+0x3d/0xb0 [ 27.009975][ T336] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 27.015700][ T336] RIP: 0033:0x7f1ef6aecf59 [ 27.020046][ T336] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 27.039482][ T336] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 27.047728][ T336] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 27.055539][ T336] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1ef6b773e8 [ 27.063351][ T336] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 27.071163][ T336] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 27.078971][ T336] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [pid 336] <... futex resumed>) = ? [pid 336] +++ exited with 0 +++ [pid 335] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=335, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./17", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./17/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./17/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./17/binderfs") = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./17/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./17/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./17") = 0 mkdir("./18", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 337 ./strace-static-x86_64: Process 337 attached [pid 337] set_robust_list(0x555555a286a0, 24) = 0 [pid 337] chdir("./18") = 0 [pid 337] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 337] setpgid(0, 0) = 0 [pid 337] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 337] write(3, "1000", 4) = 4 [pid 337] close(3) = 0 [pid 337] symlink("/dev/binderfs", "./binderfs") = 0 [pid 337] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 337] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 337] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 337] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 337] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 337] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 337] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[338]}, 88) = 338 [pid 337] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 337] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 337] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 338 attached [pid 338] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 338] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 338] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 338] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 337] <... futex resumed>) = 0 [pid 337] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 337] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 338] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 338] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 337] <... futex resumed>) = 0 [pid 338] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 337] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 338] <... bpf resumed>) = 5 [pid 337] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 338] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 337] <... futex resumed>) = 0 [pid 338] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 337] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 338] <... bpf resumed>) = 0 [pid 337] <... futex resumed>) = 0 [pid 338] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 337] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 338] <... futex resumed>) = 0 [pid 337] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 337] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 338] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 337] <... futex resumed>) = 0 [pid 338] <... bpf resumed>) = 0 [pid 338] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 337] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 338] <... futex resumed>) = 0 [pid 337] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 338] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 337] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 337] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 338] <... bind resumed>) = 0 [pid 338] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 338] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 337] <... futex resumed>) = 0 [pid 337] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 338] <... futex resumed>) = 0 [pid 338] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 337] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 338] <... openat resumed>) = 6 [pid 338] write(6, "8", 1) = 1 [pid 338] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 27.086796][ T336] [pid 338] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 337] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 337] exit_group(0) = ? [ 27.113123][ T338] FAULT_INJECTION: forcing a failure. [ 27.113123][ T338] name fail_futex, interval 1, probability 0, space 0, times 0 [ 27.125838][ T338] CPU: 1 PID: 338 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 27.137206][ T338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 27.147103][ T338] Call Trace: [ 27.150230][ T338] [ 27.153013][ T338] dump_stack_lvl+0x151/0x1b7 [ 27.157518][ T338] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 27.162815][ T338] dump_stack+0x15/0x17 [ 27.166806][ T338] should_fail_ex+0x3d0/0x520 [ 27.171318][ T338] should_fail+0xb/0x10 [ 27.175308][ T338] get_futex_key+0x177/0xc90 [ 27.179734][ T338] ? futex_setup_timer+0xd0/0xd0 [ 27.184509][ T338] futex_wake+0x1af/0xb60 [ 27.188673][ T338] ? futex_wake_mark+0x170/0x170 [ 27.193446][ T338] ? finish_task_switch+0x167/0x7b0 [ 27.198483][ T338] ? __schedule+0xca1/0x1540 [ 27.202907][ T338] ? __kasan_check_write+0x14/0x20 [ 27.207858][ T338] ? __kasan_check_write+0x14/0x20 [ 27.212803][ T338] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 27.217754][ T338] do_futex+0x501/0x9a0 [ 27.221750][ T338] ? __ia32_sys_get_robust_list+0x90/0x90 [ 27.227301][ T338] __se_sys_futex+0x35e/0x3c0 [ 27.231808][ T338] ? _raw_spin_unlock_irq+0x4d/0x70 [ 27.236845][ T338] ? __x64_sys_futex+0x100/0x100 [ 27.241621][ T338] ? fpregs_restore_userregs+0x130/0x290 [ 27.247095][ T338] __x64_sys_futex+0xe5/0x100 [ 27.251605][ T338] do_syscall_64+0x3d/0xb0 [ 27.255850][ T338] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 27.261840][ T338] RIP: 0033:0x7f1ef6aecf59 [ 27.266091][ T338] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 27.285534][ T338] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 27.293778][ T338] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 27.301591][ T338] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 338] <... futex resumed>) = ? [pid 338] +++ exited with 0 +++ [pid 337] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=337, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./18", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./18/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./18/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./18/binderfs") = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./18/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./18/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./18") = 0 mkdir("./19", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 339 ./strace-static-x86_64: Process 339 attached [pid 339] set_robust_list(0x555555a286a0, 24) = 0 [pid 339] chdir("./19") = 0 [pid 339] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 339] setpgid(0, 0) = 0 [pid 339] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 339] write(3, "1000", 4) = 4 [pid 339] close(3) = 0 [pid 339] symlink("/dev/binderfs", "./binderfs") = 0 [pid 339] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 339] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 339] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 339] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 339] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 339] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 339] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 340 attached [pid 340] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 340] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 340] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 339] <... clone3 resumed> => {parent_tid=[340]}, 88) = 340 [pid 339] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 339] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... futex resumed>) = 0 [pid 339] <... futex resumed>) = 1 [pid 340] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 339] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 340] <... socket resumed>) = 3 [pid 340] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 339] <... futex resumed>) = 0 [pid 340] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 339] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 339] <... futex resumed>) = 0 [pid 340] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 339] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 340] <... bpf resumed>) = 4 [pid 340] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 339] <... futex resumed>) = 0 [pid 340] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 339] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... bpf resumed>) = 5 [pid 339] <... futex resumed>) = 0 [pid 340] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 339] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 340] <... futex resumed>) = 0 [pid 339] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 340] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 339] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... bpf resumed>) = 0 [pid 339] <... futex resumed>) = 0 [pid 340] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 339] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 340] <... futex resumed>) = 0 [pid 339] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 340] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 339] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 339] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 340] <... bpf resumed>) = 0 [pid 340] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 339] <... futex resumed>) = 0 [pid 340] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 339] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... bind resumed>) = 0 [pid 339] <... futex resumed>) = 0 [pid 340] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 339] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 340] <... futex resumed>) = 0 [pid 339] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 340] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 339] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... openat resumed>) = 6 [pid 339] <... futex resumed>) = 0 [pid 340] write(6, "8", 1 [pid 339] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 340] <... write resumed>) = 1 [pid 340] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 27.309402][ T338] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 27.317218][ T338] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 27.325025][ T338] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 27.332855][ T338] [pid 340] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 339] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 339] exit_group(0) = ? [ 27.358884][ T340] FAULT_INJECTION: forcing a failure. [ 27.358884][ T340] name fail_futex, interval 1, probability 0, space 0, times 0 [ 27.371601][ T340] CPU: 1 PID: 340 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 27.382976][ T340] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 27.392869][ T340] Call Trace: [ 27.395992][ T340] [ 27.398774][ T340] dump_stack_lvl+0x151/0x1b7 [ 27.403283][ T340] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 27.408596][ T340] dump_stack+0x15/0x17 [ 27.412574][ T340] should_fail_ex+0x3d0/0x520 [ 27.417088][ T340] should_fail+0xb/0x10 [ 27.421080][ T340] get_futex_key+0x177/0xc90 [ 27.425506][ T340] ? futex_setup_timer+0xd0/0xd0 [ 27.430279][ T340] futex_wake+0x1af/0xb60 [ 27.434451][ T340] ? futex_wake_mark+0x170/0x170 [ 27.439216][ T340] ? finish_task_switch+0x167/0x7b0 [ 27.444258][ T340] ? __schedule+0xca1/0x1540 [ 27.448676][ T340] ? __kasan_check_write+0x14/0x20 [ 27.453631][ T340] ? __kasan_check_write+0x14/0x20 [ 27.458572][ T340] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 27.463521][ T340] do_futex+0x501/0x9a0 [ 27.467514][ T340] ? __ia32_sys_get_robust_list+0x90/0x90 [ 27.473067][ T340] __se_sys_futex+0x35e/0x3c0 [ 27.477578][ T340] ? _raw_spin_unlock_irq+0x4d/0x70 [ 27.482619][ T340] ? __x64_sys_futex+0x100/0x100 [ 27.487389][ T340] ? fpregs_restore_userregs+0x130/0x290 [ 27.492887][ T340] __x64_sys_futex+0xe5/0x100 [ 27.497372][ T340] do_syscall_64+0x3d/0xb0 [ 27.501627][ T340] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 27.507363][ T340] RIP: 0033:0x7f1ef6aecf59 [ 27.511761][ T340] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 27.531472][ T340] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 27.539701][ T340] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 27.547658][ T340] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 340] <... futex resumed>) = ? [pid 340] +++ exited with 0 +++ [pid 339] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=339, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./19", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./19/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./19/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./19/binderfs") = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./19/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./19/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./19") = 0 mkdir("./20", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 342 attached , child_tidptr=0x555555a28690) = 342 [pid 342] set_robust_list(0x555555a286a0, 24) = 0 [pid 342] chdir("./20") = 0 [pid 342] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 342] setpgid(0, 0) = 0 [pid 342] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 342] write(3, "1000", 4) = 4 [pid 342] close(3) = 0 [pid 342] symlink("/dev/binderfs", "./binderfs") = 0 [pid 342] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 342] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 342] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 342] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 342] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 342] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 342] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 343 attached => {parent_tid=[343]}, 88) = 343 [pid 342] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 342] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 342] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 343] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 343] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 343] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 343] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 342] <... futex resumed>) = 0 [pid 342] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 343] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 342] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 343] <... bpf resumed>) = 4 [pid 343] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 342] <... futex resumed>) = 0 [pid 343] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 342] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 343] <... bpf resumed>) = 5 [pid 343] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 342] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 343] <... futex resumed>) = 0 [pid 342] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 343] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 342] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 343] <... bpf resumed>) = 0 [pid 342] <... futex resumed>) = 0 [pid 343] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 343] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 342] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 342] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 343] <... futex resumed>) = 0 [pid 342] <... futex resumed>) = 1 [pid 343] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 343] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 343] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 342] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 342] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 343] <... futex resumed>) = 0 [pid 342] <... futex resumed>) = 1 [pid 343] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 342] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 343] <... bind resumed>) = 0 [pid 343] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 342] <... futex resumed>) = 0 [pid 343] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 342] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 343] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 343] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 342] <... futex resumed>) = 0 [pid 343] <... openat resumed>) = 6 [pid 342] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 343] write(6, "8", 1) = 1 [pid 343] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 343] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 342] <... futex resumed>) = 0 [pid 343] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 342] exit_group(0 [pid 343] <... futex resumed>) = ? [pid 342] <... exit_group resumed>) = ? [pid 343] +++ exited with 0 +++ [pid 342] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=342, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./20", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./20/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./20/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./20/binderfs") = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./20/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./20/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./20") = 0 mkdir("./21", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 344 ./strace-static-x86_64: Process 344 attached [pid 344] set_robust_list(0x555555a286a0, 24) = 0 [pid 344] chdir("./21") = 0 [pid 344] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 344] setpgid(0, 0) = 0 [pid 344] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 344] write(3, "1000", 4) = 4 [pid 344] close(3) = 0 [pid 344] symlink("/dev/binderfs", "./binderfs") = 0 [pid 344] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 344] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 344] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 344] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 344] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 344] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 344] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 345 attached => {parent_tid=[345]}, 88) = 345 [pid 345] set_robust_list(0x7f1ef6aad9a0, 24 [pid 344] rt_sigprocmask(SIG_SETMASK, [], [pid 345] <... set_robust_list resumed>) = 0 [pid 344] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 344] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 345] rt_sigprocmask(SIG_SETMASK, [], [pid 344] <... futex resumed>) = 0 [pid 345] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 344] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 345] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 345] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 344] <... futex resumed>) = 0 [pid 344] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 345] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [ 27.555447][ T340] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 27.563255][ T340] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 27.571150][ T340] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 27.578967][ T340] [pid 344] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 345] <... bpf resumed>) = 4 [pid 345] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 344] <... futex resumed>) = 0 [pid 345] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 344] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 344] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 345] <... bpf resumed>) = 5 [pid 345] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 344] <... futex resumed>) = 0 [pid 345] <... futex resumed>) = 1 [pid 344] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 345] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 344] <... futex resumed>) = 0 [pid 344] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 345] <... bpf resumed>) = 0 [pid 345] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 344] <... futex resumed>) = 0 [pid 345] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 344] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 344] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 345] <... bpf resumed>) = 0 [pid 345] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 344] <... futex resumed>) = 0 [pid 344] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 344] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 345] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 345] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 344] <... futex resumed>) = 0 [pid 344] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 344] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 345] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 345] write(6, "8", 1) = 1 [pid 345] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 345] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 344] <... futex resumed>) = 0 [pid 344] exit_group(0) = ? [pid 345] +++ exited with 0 +++ [pid 344] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=344, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- umount2("./21", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./21/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./21/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./21/binderfs") = 0 umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./21/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./21/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./21") = 0 mkdir("./22", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 346 attached , child_tidptr=0x555555a28690) = 346 [pid 346] set_robust_list(0x555555a286a0, 24) = 0 [pid 346] chdir("./22") = 0 [pid 346] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 346] setpgid(0, 0) = 0 [pid 346] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 346] write(3, "1000", 4) = 4 [pid 346] close(3) = 0 [pid 346] symlink("/dev/binderfs", "./binderfs") = 0 [pid 346] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 346] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 346] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 346] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 346] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 346] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 346] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 347 attached [pid 347] set_robust_list(0x7f1ef6aad9a0, 24 [pid 346] <... clone3 resumed> => {parent_tid=[347]}, 88) = 347 [pid 347] <... set_robust_list resumed>) = 0 [pid 346] rt_sigprocmask(SIG_SETMASK, [], [pid 347] rt_sigprocmask(SIG_SETMASK, [], [pid 346] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 347] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 346] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 347] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 346] <... futex resumed>) = 0 [pid 347] <... socket resumed>) = 3 [pid 346] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 347] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 346] <... futex resumed>) = 0 [pid 347] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 346] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 347] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 346] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 347] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 347] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 346] <... futex resumed>) = 0 [pid 346] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 347] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 346] <... futex resumed>) = 0 [pid 347] <... bpf resumed>) = 5 [pid 346] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 347] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 346] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 347] <... futex resumed>) = 0 [pid 346] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 347] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 346] <... futex resumed>) = 0 [pid 347] <... bpf resumed>) = 0 [pid 346] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 347] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 346] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 347] <... futex resumed>) = 0 [pid 346] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 347] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 346] <... futex resumed>) = 0 [pid 347] <... bpf resumed>) = 0 [pid 346] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 347] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 346] <... futex resumed>) = 0 [pid 347] <... futex resumed>) = 1 [pid 346] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 347] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 346] <... futex resumed>) = 0 [pid 346] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 347] <... bind resumed>) = 0 [pid 347] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 346] <... futex resumed>) = 0 [pid 347] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 346] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 346] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 347] <... openat resumed>) = 6 [pid 347] write(6, "8", 1) = 1 [pid 347] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 347] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 346] <... futex resumed>) = 0 [pid 346] exit_group(0) = ? [pid 347] +++ exited with 0 +++ [pid 346] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=346, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./22", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./22/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./22/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./22/binderfs") = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./22/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./22/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./22") = 0 mkdir("./23", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 348 ./strace-static-x86_64: Process 348 attached [pid 348] set_robust_list(0x555555a286a0, 24) = 0 [pid 348] chdir("./23") = 0 [pid 348] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 348] setpgid(0, 0) = 0 [pid 348] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 348] write(3, "1000", 4) = 4 [pid 348] close(3) = 0 [pid 348] symlink("/dev/binderfs", "./binderfs") = 0 [pid 348] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 348] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 348] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 348] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 348] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 348] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 348] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[349]}, 88) = 349 [pid 348] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 348] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 348] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 349 attached [pid 349] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 349] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 349] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 349] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 348] <... futex resumed>) = 0 [pid 348] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 348] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 349] <... futex resumed>) = 1 [pid 349] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 349] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 348] <... futex resumed>) = 0 [pid 348] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 348] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 349] <... futex resumed>) = 1 [pid 349] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 349] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 348] <... futex resumed>) = 0 [pid 348] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 348] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 349] <... futex resumed>) = 1 [pid 349] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 349] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 348] <... futex resumed>) = 0 [pid 348] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 348] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 349] <... futex resumed>) = 1 [pid 349] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 349] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 348] <... futex resumed>) = 0 [pid 348] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 348] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 349] <... futex resumed>) = 1 [pid 349] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 349] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 348] <... futex resumed>) = 0 [pid 348] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 349] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 348] <... futex resumed>) = 0 [pid 348] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 349] <... openat resumed>) = 6 [pid 349] write(6, "8", 1) = 1 [pid 349] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 349] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 348] <... futex resumed>) = 0 [pid 348] exit_group(0 [pid 349] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 348] <... exit_group resumed>) = ? [pid 349] <... futex resumed>) = ? [pid 349] +++ exited with 0 +++ [pid 348] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=348, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./23", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./23/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./23/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./23/binderfs") = 0 umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./23/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./23/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./23") = 0 mkdir("./24", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 350 ./strace-static-x86_64: Process 350 attached [pid 350] set_robust_list(0x555555a286a0, 24) = 0 [pid 350] chdir("./24") = 0 [pid 350] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 350] setpgid(0, 0) = 0 [pid 350] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 350] write(3, "1000", 4) = 4 [pid 350] close(3) = 0 [pid 350] symlink("/dev/binderfs", "./binderfs") = 0 [pid 350] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 350] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 350] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 350] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 350] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 350] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 351 attached [pid 351] set_robust_list(0x7f1ef6aad9a0, 24 [pid 350] <... clone3 resumed> => {parent_tid=[351]}, 88) = 351 [pid 351] <... set_robust_list resumed>) = 0 [pid 351] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 351] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 350] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 350] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 351] <... futex resumed>) = 0 [pid 351] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 350] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] <... socket resumed>) = 3 [pid 351] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 351] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 350] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 350] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 351] <... futex resumed>) = 0 [pid 350] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 351] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 350] <... futex resumed>) = 0 [pid 351] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 350] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] <... bpf resumed>) = 5 [pid 351] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 350] <... futex resumed>) = 0 [pid 350] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 351] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 350] <... futex resumed>) = 0 [pid 350] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 351] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 350] <... futex resumed>) = 0 [pid 350] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 351] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 351] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 350] <... futex resumed>) = 0 [pid 350] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 350] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] <... futex resumed>) = 0 [pid 351] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 351] write(6, "8", 1) = 1 [pid 351] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 351] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 351] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 350] <... futex resumed>) = 0 [pid 350] exit_group(0) = ? [pid 351] <... futex resumed>) = ? [pid 351] +++ exited with 0 +++ [pid 350] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=350, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./24", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./24/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./24/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./24/binderfs") = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./24/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./24/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./24") = 0 mkdir("./25", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 352 ./strace-static-x86_64: Process 352 attached [pid 352] set_robust_list(0x555555a286a0, 24) = 0 [pid 352] chdir("./25") = 0 [pid 352] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 352] setpgid(0, 0) = 0 [pid 352] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 352] write(3, "1000", 4) = 4 [pid 352] close(3) = 0 [pid 352] symlink("/dev/binderfs", "./binderfs") = 0 [pid 352] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 352] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 352] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 352] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 352] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 352] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 352] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[353]}, 88) = 353 [pid 352] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 352] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 353 attached [pid 352] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 353] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 353] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 353] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 353] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 352] <... futex resumed>) = 0 [pid 352] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 353] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 352] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 353] <... bpf resumed>) = 4 [pid 353] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 352] <... futex resumed>) = 0 [pid 353] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 352] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 353] <... bpf resumed>) = 5 [pid 352] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 353] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 353] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 352] <... futex resumed>) = 0 [pid 353] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 352] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 353] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 352] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 353] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 352] <... futex resumed>) = 0 [pid 353] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 352] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 353] <... bpf resumed>) = 0 [pid 353] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 352] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 353] <... futex resumed>) = 0 [pid 352] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 353] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 352] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 352] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 353] <... bind resumed>) = 0 [pid 353] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 352] <... futex resumed>) = 0 [pid 352] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 353] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 352] <... futex resumed>) = 0 [pid 352] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 353] <... openat resumed>) = 6 [pid 353] write(6, "8", 1) = 1 [pid 353] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 353] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 352] <... futex resumed>) = 0 [pid 353] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 352] exit_group(0 [pid 353] <... futex resumed>) = ? [pid 352] <... exit_group resumed>) = ? [pid 353] +++ exited with 0 +++ [pid 352] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=352, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./25", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./25/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./25/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./25/binderfs") = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./25/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./25/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./25") = 0 mkdir("./26", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 354 attached [pid 354] set_robust_list(0x555555a286a0, 24) = 0 [pid 354] chdir("./26") = 0 [pid 354] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 354] setpgid(0, 0) = 0 [pid 354] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 297] <... clone resumed>, child_tidptr=0x555555a28690) = 354 [pid 354] <... openat resumed>) = 3 [pid 354] write(3, "1000", 4) = 4 [pid 354] close(3) = 0 [pid 354] symlink("/dev/binderfs", "./binderfs") = 0 [pid 354] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 354] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 354] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 354] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 354] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 354] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 354] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 355 attached => {parent_tid=[355]}, 88) = 355 [pid 354] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 354] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 354] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 355] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 355] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 355] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 355] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 354] <... futex resumed>) = 0 [pid 354] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 354] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 355] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 355] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 354] <... futex resumed>) = 0 [pid 354] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 354] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 355] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 355] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 354] <... futex resumed>) = 0 [pid 354] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 354] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 355] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 355] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 354] <... futex resumed>) = 0 [pid 354] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 354] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 355] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 355] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 354] <... futex resumed>) = 0 [pid 354] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 354] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 355] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 355] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 354] <... futex resumed>) = 0 [pid 354] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 354] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 355] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 355] write(6, "8", 1) = 1 [pid 355] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 27.743709][ T355] FAULT_INJECTION: forcing a failure. [ 27.743709][ T355] name fail_futex, interval 1, probability 0, space 0, times 0 [ 27.756612][ T355] CPU: 1 PID: 355 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 27.767983][ T355] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 27.778065][ T355] Call Trace: [ 27.781178][ T355] [ 27.783951][ T355] dump_stack_lvl+0x151/0x1b7 [ 27.788859][ T355] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 27.794147][ T355] ? newidle_balance+0x8bd/0x1090 [ 27.799013][ T355] dump_stack+0x15/0x17 [ 27.803213][ T355] should_fail_ex+0x3d0/0x520 [ 27.807724][ T355] should_fail+0xb/0x10 [ 27.811713][ T355] get_futex_key+0x177/0xc90 [ 27.816146][ T355] ? futex_setup_timer+0xd0/0xd0 [ 27.820917][ T355] futex_wake+0x1af/0xb60 [ 27.825082][ T355] ? futex_wake_mark+0x170/0x170 [ 27.829852][ T355] ? finish_task_switch+0x167/0x7b0 [ 27.834888][ T355] ? __schedule+0xca1/0x1540 [ 27.839320][ T355] ? __kasan_check_write+0x14/0x20 [ 27.844259][ T355] ? __kasan_check_write+0x14/0x20 [ 27.849207][ T355] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 27.854156][ T355] do_futex+0x501/0x9a0 [ 27.858151][ T355] ? __ia32_sys_get_robust_list+0x90/0x90 [ 27.863704][ T355] __se_sys_futex+0x35e/0x3c0 [ 27.868223][ T355] ? _raw_spin_unlock_irq+0x4d/0x70 [ 27.873258][ T355] ? __x64_sys_futex+0x100/0x100 [ 27.878026][ T355] ? fpregs_restore_userregs+0x130/0x290 [ 27.883494][ T355] __x64_sys_futex+0xe5/0x100 [ 27.888005][ T355] do_syscall_64+0x3d/0xb0 [ 27.892256][ T355] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 27.897983][ T355] RIP: 0033:0x7f1ef6aecf59 [ 27.902243][ T355] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 27.923088][ T355] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 27.931419][ T355] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [pid 355] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 354] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 355] <... futex resumed>) = -1 EFAULT (Bad address) [pid 354] exit_group(0) = ? [pid 355] +++ exited with 0 +++ [pid 354] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=354, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./26", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./26/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./26/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./26/binderfs") = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./26/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./26/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./26") = 0 mkdir("./27", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 356 ./strace-static-x86_64: Process 356 attached [pid 356] set_robust_list(0x555555a286a0, 24) = 0 [pid 356] chdir("./27") = 0 [pid 356] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 356] setpgid(0, 0) = 0 [pid 356] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 356] write(3, "1000", 4) = 4 [pid 356] close(3) = 0 [pid 356] symlink("/dev/binderfs", "./binderfs") = 0 [pid 356] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 356] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 356] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 356] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 356] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 356] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 356] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 357 attached [pid 357] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 357] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 357] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 356] <... clone3 resumed> => {parent_tid=[357]}, 88) = 357 [pid 356] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 356] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 357] <... futex resumed>) = 0 [pid 356] <... futex resumed>) = 1 [pid 357] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 356] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 357] <... socket resumed>) = 3 [pid 357] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 356] <... futex resumed>) = 0 [pid 357] <... futex resumed>) = 1 [pid 356] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 357] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 356] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 357] <... bpf resumed>) = 4 [pid 357] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 356] <... futex resumed>) = 0 [pid 357] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 356] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 356] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 357] <... bpf resumed>) = 5 [pid 357] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 356] <... futex resumed>) = 0 [pid 357] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 356] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 357] <... bpf resumed>) = 0 [pid 356] <... futex resumed>) = 0 [pid 357] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 356] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 357] <... futex resumed>) = 0 [pid 356] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 357] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 356] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 357] <... bpf resumed>) = 0 [pid 357] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 356] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 357] <... futex resumed>) = 0 [pid 356] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 357] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 356] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 357] <... bind resumed>) = 0 [pid 357] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 356] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 357] <... futex resumed>) = 0 [pid 356] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 356] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 357] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 356] <... futex resumed>) = 0 [pid 357] <... openat resumed>) = 6 [pid 356] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 357] write(6, "8", 1) = 1 [pid 357] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 357] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 356] <... futex resumed>) = 0 [ 27.939230][ T355] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 27.947045][ T355] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 27.954854][ T355] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 27.962661][ T355] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 27.970491][ T355] [pid 356] exit_group(0) = ? [ 28.001238][ T357] FAULT_INJECTION: forcing a failure. [ 28.001238][ T357] name failslab, interval 1, probability 0, space 0, times 0 [ 28.013925][ T357] CPU: 0 PID: 357 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 28.025281][ T357] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 28.035177][ T357] Call Trace: [ 28.038298][ T357] [ 28.041080][ T357] dump_stack_lvl+0x151/0x1b7 [ 28.045593][ T357] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 28.050884][ T357] ? memset+0x35/0x40 [ 28.054705][ T357] dump_stack+0x15/0x17 [ 28.058698][ T357] should_fail_ex+0x3d0/0x520 [ 28.063208][ T357] ? taskstats_exit+0x277/0x940 [ 28.067895][ T357] __should_failslab+0xaf/0xf0 [ 28.072498][ T357] should_failslab+0x9/0x20 [ 28.076846][ T357] kmem_cache_alloc+0x3b/0x2c0 [ 28.081439][ T357] taskstats_exit+0x277/0x940 [ 28.085947][ T357] ? sync_mm_rss+0x291/0x2e0 [ 28.090378][ T357] do_exit+0x9f7/0x2b80 [ 28.094378][ T357] ? put_task_struct+0x80/0x80 [ 28.098970][ T357] ? __kasan_check_write+0x14/0x20 [ 28.103916][ T357] ? __kasan_check_write+0x14/0x20 [ 28.108860][ T357] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 28.113817][ T357] do_group_exit+0x21a/0x2d0 [ 28.118235][ T357] ? __kasan_check_write+0x14/0x20 [ 28.123184][ T357] get_signal+0x169d/0x1820 [ 28.127527][ T357] ? ptrace_notify+0x350/0x350 [ 28.132121][ T357] ? __schedule+0xca1/0x1540 [ 28.136551][ T357] arch_do_signal_or_restart+0xb0/0x16f0 [ 28.142024][ T357] ? __kasan_check_write+0x14/0x20 [ 28.146972][ T357] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 28.151923][ T357] ? _raw_spin_lock_irqsave+0x210/0x210 [ 28.157293][ T357] ? cgroup_update_frozen+0x15f/0x980 [ 28.162594][ T357] ? __kasan_check_write+0x14/0x20 [ 28.167536][ T357] ? ptrace_stop+0x71d/0x930 [ 28.171963][ T357] ? get_sigframe_size+0x10/0x10 [ 28.176741][ T357] exit_to_user_mode_loop+0x6b/0xa0 [ 28.181779][ T357] exit_to_user_mode_prepare+0x5a/0xa0 [ 28.187064][ T357] syscall_exit_to_user_mode+0x26/0x130 [ 28.192444][ T357] do_syscall_64+0x49/0xb0 [ 28.196695][ T357] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 28.202441][ T357] RIP: 0033:0x7f1ef6aecf59 [ 28.206678][ T357] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 28.226120][ T357] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 28.234369][ T357] RAX: 0000000000000001 RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 28.242263][ T357] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 357] +++ exited with 0 +++ [pid 356] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=356, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./27", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./27/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./27/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./27/binderfs") = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./27/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./27/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./27") = 0 mkdir("./28", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 358 ./strace-static-x86_64: Process 358 attached [pid 358] set_robust_list(0x555555a286a0, 24) = 0 [pid 358] chdir("./28") = 0 [pid 358] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 358] setpgid(0, 0) = 0 [pid 358] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 358] write(3, "1000", 4) = 4 [pid 358] close(3) = 0 [pid 358] symlink("/dev/binderfs", "./binderfs") = 0 [pid 358] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 358] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 358] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 358] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 358] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 358] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 358] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 359 attached => {parent_tid=[359]}, 88) = 359 [pid 359] set_robust_list(0x7f1ef6aad9a0, 24 [pid 358] rt_sigprocmask(SIG_SETMASK, [], [pid 359] <... set_robust_list resumed>) = 0 [pid 358] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 359] rt_sigprocmask(SIG_SETMASK, [], [pid 358] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 359] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 358] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 359] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 359] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 358] <... futex resumed>) = 0 [pid 358] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 359] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 358] <... futex resumed>) = 0 [pid 358] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 359] <... bpf resumed>) = 4 [pid 359] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 358] <... futex resumed>) = 0 [pid 359] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 358] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 358] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 359] <... bpf resumed>) = 5 [pid 359] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 358] <... futex resumed>) = 0 [pid 359] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 358] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 359] <... bpf resumed>) = 0 [pid 358] <... futex resumed>) = 0 [pid 359] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 358] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 359] <... futex resumed>) = 0 [pid 358] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 359] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 358] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 359] <... bpf resumed>) = 0 [pid 359] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 358] <... futex resumed>) = 0 [pid 359] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 358] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 358] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 359] <... bind resumed>) = 0 [pid 359] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 358] <... futex resumed>) = 0 [pid 358] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 358] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 359] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 359] write(6, "8", 1) = 1 [pid 359] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 359] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 358] <... futex resumed>) = 0 [pid 358] exit_group(0) = ? [pid 359] +++ exited with 0 +++ [pid 358] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=358, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./28", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./28/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./28/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./28/binderfs") = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./28/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./28/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./28") = 0 mkdir("./29", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 360 attached [pid 360] set_robust_list(0x555555a286a0, 24) = 0 [pid 360] chdir("./29") = 0 [pid 360] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 360] setpgid(0, 0) = 0 [pid 297] <... clone resumed>, child_tidptr=0x555555a28690) = 360 [pid 360] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 360] write(3, "1000", 4) = 4 [pid 360] close(3) = 0 [pid 360] symlink("/dev/binderfs", "./binderfs") = 0 [pid 360] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 360] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 360] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 360] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 360] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 360] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[361]}, 88) = 361 [pid 360] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 360] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 361 attached [pid 361] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 361] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 361] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 361] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 360] <... futex resumed>) = 0 [pid 361] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 360] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 361] <... futex resumed>) = 0 [pid 360] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 28.250075][ T357] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 28.257882][ T357] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 28.265696][ T357] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 28.273516][ T357] [pid 361] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 361] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 360] <... futex resumed>) = 0 [pid 360] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 361] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 361] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 360] <... futex resumed>) = 0 [pid 360] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 361] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 361] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 360] <... futex resumed>) = 0 [pid 361] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 360] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 361] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 360] <... futex resumed>) = 0 [pid 361] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 360] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 361] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 361] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 360] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 360] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 360] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 361] <... futex resumed>) = 0 [pid 361] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 361] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 360] <... futex resumed>) = 0 [pid 360] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 361] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 360] <... futex resumed>) = 0 [pid 361] <... openat resumed>) = 6 [pid 360] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 361] write(6, "8", 1) = 1 [pid 361] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 361] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 360] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 360] exit_group(0) = ? [ 28.320974][ T361] FAULT_INJECTION: forcing a failure. [ 28.320974][ T361] name fail_futex, interval 1, probability 0, space 0, times 0 [ 28.333804][ T361] CPU: 1 PID: 361 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 28.345169][ T361] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 28.355063][ T361] Call Trace: [ 28.358187][ T361] [ 28.360965][ T361] dump_stack_lvl+0x151/0x1b7 [ 28.365481][ T361] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 28.370779][ T361] ? newidle_balance+0x8bd/0x1090 [ 28.375636][ T361] dump_stack+0x15/0x17 [ 28.379627][ T361] should_fail_ex+0x3d0/0x520 [ 28.384148][ T361] should_fail+0xb/0x10 [ 28.388129][ T361] get_futex_key+0x177/0xc90 [ 28.393782][ T361] ? futex_setup_timer+0xd0/0xd0 [ 28.398565][ T361] futex_wake+0x1af/0xb60 [ 28.402715][ T361] ? futex_wake_mark+0x170/0x170 [ 28.407485][ T361] ? finish_task_switch+0x167/0x7b0 [ 28.412520][ T361] ? __schedule+0xca1/0x1540 [ 28.416960][ T361] ? __kasan_check_write+0x14/0x20 [ 28.421895][ T361] ? __kasan_check_write+0x14/0x20 [ 28.426838][ T361] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 28.431801][ T361] do_futex+0x501/0x9a0 [ 28.435786][ T361] ? __ia32_sys_get_robust_list+0x90/0x90 [ 28.441337][ T361] __se_sys_futex+0x35e/0x3c0 [ 28.445854][ T361] ? _raw_spin_unlock_irq+0x4d/0x70 [ 28.450880][ T361] ? __x64_sys_futex+0x100/0x100 [ 28.455654][ T361] ? fpregs_restore_userregs+0x130/0x290 [ 28.461125][ T361] __x64_sys_futex+0xe5/0x100 [ 28.465640][ T361] do_syscall_64+0x3d/0xb0 [ 28.469889][ T361] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 28.475622][ T361] RIP: 0033:0x7f1ef6aecf59 [ 28.479875][ T361] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 28.499315][ T361] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 28.507556][ T361] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [pid 361] <... futex resumed>) = ? [pid 361] +++ exited with 0 +++ [pid 360] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=360, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./29", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./29/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./29/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./29/binderfs") = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./29/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./29/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./29") = 0 mkdir("./30", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 362 ./strace-static-x86_64: Process 362 attached [pid 362] set_robust_list(0x555555a286a0, 24) = 0 [pid 362] chdir("./30") = 0 [pid 362] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 362] setpgid(0, 0) = 0 [pid 362] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 362] write(3, "1000", 4) = 4 [pid 362] close(3) = 0 [pid 362] symlink("/dev/binderfs", "./binderfs") = 0 [pid 362] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 362] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 362] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 362] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 362] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 362] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 362] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 363 attached [pid 363] set_robust_list(0x7f1ef6aad9a0, 24 [pid 362] <... clone3 resumed> => {parent_tid=[363]}, 88) = 363 [pid 363] <... set_robust_list resumed>) = 0 [pid 362] rt_sigprocmask(SIG_SETMASK, [], [pid 363] rt_sigprocmask(SIG_SETMASK, [], [pid 362] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 363] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 362] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 363] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 362] <... futex resumed>) = 0 [pid 363] <... socket resumed>) = 3 [pid 362] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 363] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 362] <... futex resumed>) = 0 [pid 363] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 362] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 362] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 363] <... bpf resumed>) = 4 [pid 363] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 362] <... futex resumed>) = 0 [pid 363] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 362] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 362] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 363] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 363] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 363] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 362] <... futex resumed>) = 0 [pid 363] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 362] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 363] <... bpf resumed>) = 0 [pid 362] <... futex resumed>) = 0 [pid 363] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 362] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 363] <... futex resumed>) = 0 [pid 362] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 363] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 362] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 363] <... bpf resumed>) = 0 [pid 362] <... futex resumed>) = 0 [pid 363] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 362] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 363] <... futex resumed>) = 0 [pid 362] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 363] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 362] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 363] <... bind resumed>) = 0 [pid 362] <... futex resumed>) = 0 [pid 363] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 362] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 363] <... futex resumed>) = 0 [pid 362] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 363] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 362] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 363] <... openat resumed>) = 6 [pid 362] <... futex resumed>) = 0 [pid 363] write(6, "8", 1 [pid 362] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 363] <... write resumed>) = 1 [pid 363] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 363] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 362] <... futex resumed>) = 0 [pid 363] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 362] exit_group(0 [pid 363] <... futex resumed>) = ? [pid 362] <... exit_group resumed>) = ? [pid 363] +++ exited with 0 +++ [pid 362] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=362, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- umount2("./30", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./30/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./30/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./30/binderfs") = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./30/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./30/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./30") = 0 mkdir("./31", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 364 ./strace-static-x86_64: Process 364 attached [pid 364] set_robust_list(0x555555a286a0, 24) = 0 [pid 364] chdir("./31") = 0 [pid 364] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 364] setpgid(0, 0) = 0 [pid 364] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 364] write(3, "1000", 4) = 4 [pid 364] close(3) = 0 [pid 364] symlink("/dev/binderfs", "./binderfs") = 0 [pid 364] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 364] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 364] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 364] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 364] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 364] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 364] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 365 attached [pid 365] set_robust_list(0x7f1ef6aad9a0, 24 [pid 364] <... clone3 resumed> => {parent_tid=[365]}, 88) = 365 [pid 365] <... set_robust_list resumed>) = 0 [pid 364] rt_sigprocmask(SIG_SETMASK, [], [pid 365] rt_sigprocmask(SIG_SETMASK, [], [pid 364] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 365] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 364] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 365] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 364] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 365] <... socket resumed>) = 3 [pid 365] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 365] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 364] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 364] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 365] <... futex resumed>) = 0 [pid 364] <... futex resumed>) = 1 [pid 365] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 364] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 365] <... bpf resumed>) = 4 [pid 365] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 364] <... futex resumed>) = 0 [pid 365] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 364] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 364] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 365] <... bpf resumed>) = 5 [pid 365] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 364] <... futex resumed>) = 0 [pid 364] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 365] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 364] <... futex resumed>) = 0 [pid 364] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 365] <... bpf resumed>) = 0 [pid 365] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 364] <... futex resumed>) = 0 [pid 365] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 364] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 364] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 365] <... bpf resumed>) = 0 [pid 365] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 364] <... futex resumed>) = 0 [pid 365] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 364] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 364] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 365] <... bind resumed>) = 0 [pid 365] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 364] <... futex resumed>) = 0 [pid 365] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 364] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 365] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 364] <... futex resumed>) = 0 [pid 365] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 364] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 365] <... openat resumed>) = 6 [pid 365] write(6, "8", 1) = 1 [pid 365] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 365] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 364] <... futex resumed>) = 0 [ 28.515381][ T361] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 28.523180][ T361] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 28.530990][ T361] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 28.538800][ T361] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 28.547841][ T361] [pid 365] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 364] exit_group(0) = ? [ 28.598978][ T365] FAULT_INJECTION: forcing a failure. [ 28.598978][ T365] name fail_futex, interval 1, probability 0, space 0, times 0 [ 28.611992][ T365] CPU: 1 PID: 365 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 28.623362][ T365] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 28.633255][ T365] Call Trace: [ 28.636382][ T365] [ 28.639159][ T365] dump_stack_lvl+0x151/0x1b7 [ 28.643672][ T365] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 28.648969][ T365] dump_stack+0x15/0x17 [ 28.652960][ T365] should_fail_ex+0x3d0/0x520 [ 28.657477][ T365] should_fail+0xb/0x10 [ 28.661461][ T365] get_futex_key+0x177/0xc90 [ 28.665903][ T365] ? futex_setup_timer+0xd0/0xd0 [ 28.670669][ T365] ? __this_cpu_preempt_check+0x13/0x20 [ 28.676046][ T365] futex_wait_setup+0xc3/0x330 [ 28.680648][ T365] ? futex_wait_multiple+0x8e0/0x8e0 [ 28.685764][ T365] ? __switch_to+0x62c/0x1190 [ 28.690278][ T365] ? futex_wait+0xf3/0x7e0 [ 28.694538][ T365] ? futex_setup_timer+0xb0/0xd0 [ 28.699310][ T365] futex_wait+0x1b9/0x7e0 [ 28.703472][ T365] ? __sched_clock_gtod_offset+0x100/0x100 [ 28.709114][ T365] ? futex_wait_setup+0x330/0x330 [ 28.713987][ T365] ? __kasan_check_write+0x14/0x20 [ 28.718923][ T365] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 28.723869][ T365] do_futex+0x55a/0x9a0 [ 28.727865][ T365] ? __ia32_sys_get_robust_list+0x90/0x90 [ 28.733419][ T365] __se_sys_futex+0x35e/0x3c0 [ 28.737928][ T365] ? _raw_spin_unlock_irq+0x4d/0x70 [ 28.742972][ T365] ? __x64_sys_futex+0x100/0x100 [ 28.747737][ T365] ? fpregs_restore_userregs+0x130/0x290 [ 28.753203][ T365] __x64_sys_futex+0xe5/0x100 [ 28.757723][ T365] do_syscall_64+0x3d/0xb0 [ 28.761973][ T365] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 28.767697][ T365] RIP: 0033:0x7f1ef6aecf59 [ 28.771953][ T365] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 28.791398][ T365] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [pid 365] <... futex resumed>) = ? [pid 365] +++ exited with 0 +++ [pid 364] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=364, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./31", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./31/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./31/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./31/binderfs") = 0 umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./31/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./31/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./31") = 0 mkdir("./32", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 367 ./strace-static-x86_64: Process 367 attached [pid 367] set_robust_list(0x555555a286a0, 24) = 0 [pid 367] chdir("./32") = 0 [pid 367] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 367] setpgid(0, 0) = 0 [pid 367] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 367] write(3, "1000", 4) = 4 [pid 367] close(3) = 0 [pid 367] symlink("/dev/binderfs", "./binderfs") = 0 [pid 367] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 367] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 367] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 367] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 367] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 367] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 367] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 368 attached [pid 368] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 368] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 368] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 367] <... clone3 resumed> => {parent_tid=[368]}, 88) = 368 [pid 367] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 367] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 368] <... futex resumed>) = 0 [pid 368] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 367] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 368] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 367] <... futex resumed>) = 0 [pid 367] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 367] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 368] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 368] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 367] <... futex resumed>) = 0 [pid 367] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 367] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 368] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 368] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 367] <... futex resumed>) = 0 [pid 367] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 367] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 368] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 368] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 367] <... futex resumed>) = 0 [pid 367] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 367] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 368] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 368] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 367] <... futex resumed>) = 0 [pid 367] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 367] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 368] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 368] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 367] <... futex resumed>) = 0 [pid 367] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 368] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 367] <... futex resumed>) = 0 [pid 368] <... openat resumed>) = 6 [pid 367] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 368] write(6, "8", 1) = 1 [pid 368] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 368] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 367] <... futex resumed>) = 0 [pid 368] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 367] exit_group(0) = ? [pid 368] <... futex resumed>) = ? [pid 368] +++ exited with 0 +++ [pid 367] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=367, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./32", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./32", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./32/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./32/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./32/binderfs") = 0 umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./32/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./32/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./32") = 0 mkdir("./33", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 369 ./strace-static-x86_64: Process 369 attached [pid 369] set_robust_list(0x555555a286a0, 24) = 0 [pid 369] chdir("./33") = 0 [pid 369] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 369] setpgid(0, 0) = 0 [pid 369] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 369] write(3, "1000", 4) = 4 [pid 369] close(3) = 0 [pid 369] symlink("/dev/binderfs", "./binderfs") = 0 [pid 369] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 369] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 369] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 369] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 369] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 369] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 369] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 370 attached => {parent_tid=[370]}, 88) = 370 [pid 370] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 370] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 370] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 369] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 369] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 370] <... futex resumed>) = 0 [pid 369] <... futex resumed>) = 1 [pid 370] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 370] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 370] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 369] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 369] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 370] <... futex resumed>) = 0 [pid 370] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 369] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 370] <... bpf resumed>) = 4 [pid 370] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 370] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 369] <... futex resumed>) = 0 [pid 369] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 370] <... futex resumed>) = 0 [pid 370] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 370] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 370] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 369] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 369] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 370] <... futex resumed>) = 0 [pid 370] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 370] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 370] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 369] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 369] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 370] <... futex resumed>) = 0 [pid 370] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 370] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 370] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 369] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 369] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 370] <... futex resumed>) = 0 [pid 370] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 370] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 370] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 369] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 369] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 370] <... futex resumed>) = 0 [pid 370] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 370] write(6, "8", 1) = 1 [pid 370] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 370] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 370] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [ 28.799634][ T365] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 28.807450][ T365] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1ef6b773e8 [ 28.815259][ T365] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 28.823071][ T365] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 28.830885][ T365] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 28.838699][ T365] [pid 369] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 369] exit_group(0) = ? [ 28.879445][ T370] FAULT_INJECTION: forcing a failure. [ 28.879445][ T370] name fail_futex, interval 1, probability 0, space 0, times 0 [ 28.892118][ T370] CPU: 1 PID: 370 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 28.903418][ T370] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 28.913313][ T370] Call Trace: [ 28.916433][ T370] [ 28.919210][ T370] dump_stack_lvl+0x151/0x1b7 [ 28.923722][ T370] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 28.929027][ T370] dump_stack+0x15/0x17 [ 28.933009][ T370] should_fail_ex+0x3d0/0x520 [ 28.937521][ T370] should_fail+0xb/0x10 [ 28.941518][ T370] get_futex_key+0x177/0xc90 [ 28.945938][ T370] ? futex_setup_timer+0xd0/0xd0 [ 28.950711][ T370] ? __this_cpu_preempt_check+0x13/0x20 [ 28.956095][ T370] futex_wait_setup+0xc3/0x330 [ 28.960695][ T370] ? futex_wait_multiple+0x8e0/0x8e0 [ 28.965812][ T370] ? __switch_to+0x62c/0x1190 [ 28.970325][ T370] ? futex_wait+0xf3/0x7e0 [ 28.974578][ T370] ? futex_setup_timer+0xb0/0xd0 [ 28.979355][ T370] futex_wait+0x1b9/0x7e0 [ 28.983519][ T370] ? __sched_clock_gtod_offset+0x100/0x100 [ 28.989163][ T370] ? futex_wait_setup+0x330/0x330 [ 28.994025][ T370] ? __kasan_check_write+0x14/0x20 [ 28.998966][ T370] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 29.003922][ T370] do_futex+0x55a/0x9a0 [ 29.007908][ T370] ? __ia32_sys_get_robust_list+0x90/0x90 [ 29.013465][ T370] __se_sys_futex+0x35e/0x3c0 [ 29.017974][ T370] ? _raw_spin_unlock_irq+0x4d/0x70 [ 29.023010][ T370] ? __x64_sys_futex+0x100/0x100 [ 29.027785][ T370] ? fpregs_restore_userregs+0x130/0x290 [ 29.033258][ T370] __x64_sys_futex+0xe5/0x100 [ 29.037768][ T370] do_syscall_64+0x3d/0xb0 [ 29.042016][ T370] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 29.047830][ T370] RIP: 0033:0x7f1ef6aecf59 [ 29.052086][ T370] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 29.071534][ T370] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [pid 370] <... futex resumed>) = ? [pid 370] +++ exited with 0 +++ [pid 369] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=369, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./33", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./33/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./33/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 29.079781][ T370] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 29.087584][ T370] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1ef6b773e8 [ 29.095399][ T370] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 29.103215][ T370] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 29.111016][ T370] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 29.118841][ T370] unlink("./33/binderfs") = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./33/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./33/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./33") = 0 mkdir("./34", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 371 ./strace-static-x86_64: Process 371 attached [pid 371] set_robust_list(0x555555a286a0, 24) = 0 [pid 371] chdir("./34") = 0 [pid 371] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 371] setpgid(0, 0) = 0 [pid 371] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 371] write(3, "1000", 4) = 4 [pid 371] close(3) = 0 [pid 371] symlink("/dev/binderfs", "./binderfs") = 0 [pid 371] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 371] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 371] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 371] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 371] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 371] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 372 attached => {parent_tid=[372]}, 88) = 372 [pid 372] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 372] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 372] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 371] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 371] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 372] <... futex resumed>) = 0 [pid 371] <... futex resumed>) = 1 [pid 372] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 371] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... socket resumed>) = 3 [pid 372] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 371] <... futex resumed>) = 0 [pid 372] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 371] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 372] <... bpf resumed>) = 4 [pid 371] <... futex resumed>) = 0 [pid 372] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 0 [pid 371] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 372] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 371] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 372] <... bpf resumed>) = 5 [pid 371] <... futex resumed>) = 0 [pid 372] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 0 [pid 371] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 372] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 371] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 372] <... bpf resumed>) = 0 [pid 371] <... futex resumed>) = 0 [pid 372] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 0 [pid 371] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 372] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 371] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 372] <... bpf resumed>) = 0 [pid 371] <... futex resumed>) = 0 [pid 372] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 0 [pid 371] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 372] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 371] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 372] <... bind resumed>) = 0 [pid 371] <... futex resumed>) = 0 [pid 372] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 0 [pid 371] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 372] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 371] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 372] <... openat resumed>) = 6 [pid 371] <... futex resumed>) = 0 [pid 372] write(6, "8", 1 [pid 371] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... write resumed>) = 1 [pid 372] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 372] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 371] exit_group(0) = ? [ 29.190882][ T372] FAULT_INJECTION: forcing a failure. [ 29.190882][ T372] name fail_futex, interval 1, probability 0, space 0, times 0 [ 29.203585][ T372] CPU: 1 PID: 372 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 29.214951][ T372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 29.224851][ T372] Call Trace: [ 29.227968][ T372] [ 29.230750][ T372] dump_stack_lvl+0x151/0x1b7 [ 29.235266][ T372] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 29.240558][ T372] ? newidle_balance+0x887/0x1090 [ 29.245421][ T372] dump_stack+0x15/0x17 [ 29.249408][ T372] should_fail_ex+0x3d0/0x520 [ 29.253921][ T372] should_fail+0xb/0x10 [ 29.257914][ T372] get_futex_key+0x177/0xc90 [ 29.262346][ T372] ? futex_setup_timer+0xd0/0xd0 [ 29.267120][ T372] futex_wake+0x1af/0xb60 [ 29.271283][ T372] ? futex_wake_mark+0x170/0x170 [ 29.276057][ T372] ? finish_task_switch+0x167/0x7b0 [ 29.281090][ T372] ? __schedule+0xca1/0x1540 [ 29.285602][ T372] ? __kasan_check_write+0x14/0x20 [ 29.290548][ T372] ? __kasan_check_write+0x14/0x20 [ 29.295519][ T372] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 29.300442][ T372] do_futex+0x501/0x9a0 [ 29.304435][ T372] ? __ia32_sys_get_robust_list+0x90/0x90 [ 29.309989][ T372] __se_sys_futex+0x35e/0x3c0 [ 29.314500][ T372] ? _raw_spin_unlock_irq+0x4d/0x70 [ 29.319542][ T372] ? __x64_sys_futex+0x100/0x100 [ 29.324317][ T372] ? fpregs_restore_userregs+0x130/0x290 [ 29.329778][ T372] __x64_sys_futex+0xe5/0x100 [ 29.334290][ T372] do_syscall_64+0x3d/0xb0 [ 29.338544][ T372] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 29.344272][ T372] RIP: 0033:0x7f1ef6aecf59 [ 29.348525][ T372] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 29.368527][ T372] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 29.376906][ T372] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [pid 372] <... futex resumed>) = ? [pid 372] +++ exited with 0 +++ [pid 371] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=371, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./34", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./34", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./34/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./34/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./34/binderfs") = 0 umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./34/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./34/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./34") = 0 mkdir("./35", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 373 attached [pid 373] set_robust_list(0x555555a286a0, 24) = 0 [pid 297] <... clone resumed>, child_tidptr=0x555555a28690) = 373 [pid 373] chdir("./35") = 0 [pid 373] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 373] setpgid(0, 0) = 0 [pid 373] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 373] write(3, "1000", 4) = 4 [pid 373] close(3) = 0 [pid 373] symlink("/dev/binderfs", "./binderfs") = 0 [pid 373] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 373] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 373] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 373] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 373] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 373] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 373] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 374 attached => {parent_tid=[374]}, 88) = 374 [pid 373] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 373] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 373] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 374] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 374] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 374] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 374] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 373] <... futex resumed>) = 0 [pid 373] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 373] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 374] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 374] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 373] <... futex resumed>) = 0 [pid 373] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 373] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 374] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 374] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 373] <... futex resumed>) = 0 [pid 373] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 373] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 374] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 374] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 373] <... futex resumed>) = 0 [pid 374] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 373] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 374] <... bpf resumed>) = 0 [pid 373] <... futex resumed>) = 0 [pid 374] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 373] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 374] <... futex resumed>) = 0 [pid 373] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 374] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 373] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 374] <... bind resumed>) = 0 [pid 373] <... futex resumed>) = 0 [pid 374] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 373] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 373] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 373] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 374] <... futex resumed>) = 1 [pid 373] <... futex resumed>) = 0 [pid 374] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 373] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 374] <... openat resumed>) = 6 [pid 374] write(6, "8", 1) = 1 [pid 374] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 374] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 373] <... futex resumed>) = 0 [pid 373] exit_group(0) = ? [pid 374] +++ exited with 0 +++ [pid 373] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=373, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./35", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./35/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./35/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./35/binderfs") = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./35/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./35/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./35") = 0 mkdir("./36", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 375 attached , child_tidptr=0x555555a28690) = 375 [pid 375] set_robust_list(0x555555a286a0, 24) = 0 [pid 375] chdir("./36") = 0 [pid 375] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 375] setpgid(0, 0) = 0 [pid 375] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 375] write(3, "1000", 4) = 4 [pid 375] close(3) = 0 [pid 375] symlink("/dev/binderfs", "./binderfs") = 0 [pid 375] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 375] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 375] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 375] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 375] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 375] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 375] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 376 attached [pid 376] set_robust_list(0x7f1ef6aad9a0, 24 [pid 375] <... clone3 resumed> => {parent_tid=[376]}, 88) = 376 [pid 376] <... set_robust_list resumed>) = 0 [pid 376] rt_sigprocmask(SIG_SETMASK, [], [pid 375] rt_sigprocmask(SIG_SETMASK, [], [pid 376] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 375] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 376] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 375] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 376] <... socket resumed>) = 3 [pid 375] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 376] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 375] <... futex resumed>) = 0 [pid 375] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 376] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 375] <... futex resumed>) = 0 [pid 375] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 376] <... bpf resumed>) = 4 [pid 376] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 375] <... futex resumed>) = 0 [pid 376] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 375] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 376] <... bpf resumed>) = 5 [pid 375] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 376] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 375] <... futex resumed>) = 0 [pid 376] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 375] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 376] <... bpf resumed>) = 0 [pid 375] <... futex resumed>) = 0 [pid 375] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 376] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 375] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 375] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 376] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 375] <... futex resumed>) = 0 [pid 375] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 376] <... bpf resumed>) = 0 [pid 376] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 375] <... futex resumed>) = 0 [pid 376] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 375] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 376] <... bind resumed>) = 0 [pid 375] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 376] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 375] <... futex resumed>) = 0 [pid 375] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 376] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 375] <... futex resumed>) = 0 [pid 376] <... openat resumed>) = 6 [pid 375] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 376] write(6, "8", 1) = 1 [ 29.384704][ T372] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 29.392612][ T372] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 29.400428][ T372] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 29.408403][ T372] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 29.416212][ T372] [pid 376] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 376] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 375] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 375] exit_group(0) = ? [ 29.453353][ T376] FAULT_INJECTION: forcing a failure. [ 29.453353][ T376] name fail_futex, interval 1, probability 0, space 0, times 0 [ 29.466943][ T376] CPU: 1 PID: 376 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 29.478317][ T376] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 29.488297][ T376] Call Trace: [ 29.491421][ T376] [ 29.494206][ T376] dump_stack_lvl+0x151/0x1b7 [ 29.498712][ T376] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 29.504018][ T376] dump_stack+0x15/0x17 [ 29.508043][ T376] should_fail_ex+0x3d0/0x520 [ 29.512512][ T376] should_fail+0xb/0x10 [ 29.516502][ T376] get_futex_key+0x177/0xc90 [ 29.521220][ T376] ? futex_setup_timer+0xd0/0xd0 [ 29.525966][ T376] futex_wake+0x1af/0xb60 [ 29.530132][ T376] ? futex_wake_mark+0x170/0x170 [ 29.534916][ T376] ? finish_task_switch+0x167/0x7b0 [ 29.539958][ T376] ? __schedule+0xca1/0x1540 [ 29.544364][ T376] ? __kasan_check_write+0x14/0x20 [ 29.549312][ T376] ? __kasan_check_write+0x14/0x20 [ 29.554257][ T376] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 29.559813][ T376] do_futex+0x501/0x9a0 [ 29.563805][ T376] ? __ia32_sys_get_robust_list+0x90/0x90 [ 29.569361][ T376] __se_sys_futex+0x35e/0x3c0 [ 29.573871][ T376] ? _raw_spin_unlock_irq+0x4d/0x70 [ 29.578906][ T376] ? __x64_sys_futex+0x100/0x100 [ 29.583685][ T376] ? fpregs_restore_userregs+0x130/0x290 [ 29.589151][ T376] __x64_sys_futex+0xe5/0x100 [ 29.593662][ T376] do_syscall_64+0x3d/0xb0 [ 29.597922][ T376] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 29.603652][ T376] RIP: 0033:0x7f1ef6aecf59 [ 29.607894][ T376] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 29.627601][ T376] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 29.635841][ T376] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 29.643655][ T376] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 376] <... futex resumed>) = ? [pid 376] +++ exited with 0 +++ [pid 375] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=375, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./36", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./36", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./36/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./36/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./36/binderfs") = 0 umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./36/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./36/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./36") = 0 mkdir("./37", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 378 ./strace-static-x86_64: Process 378 attached [pid 378] set_robust_list(0x555555a286a0, 24) = 0 [pid 378] chdir("./37") = 0 [pid 378] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 378] setpgid(0, 0) = 0 [pid 378] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 378] write(3, "1000", 4) = 4 [pid 378] close(3) = 0 [pid 378] symlink("/dev/binderfs", "./binderfs") = 0 [pid 378] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 378] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 378] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 378] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 378] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 378] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 378] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[379]}, 88) = 379 ./strace-static-x86_64: Process 379 attached [pid 379] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 379] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 379] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 378] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 378] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 379] <... futex resumed>) = 0 [pid 379] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 379] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 379] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 378] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 378] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 379] <... futex resumed>) = 0 [pid 379] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 378] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 379] <... bpf resumed>) = 4 [pid 379] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 379] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 378] <... futex resumed>) = 0 [pid 378] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 379] <... futex resumed>) = 0 [pid 379] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 379] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 379] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 378] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 378] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 379] <... futex resumed>) = 0 [pid 378] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 379] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 379] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 378] <... futex resumed>) = 0 [pid 379] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 378] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 379] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 378] <... futex resumed>) = 0 [pid 379] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 378] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 379] <... bpf resumed>) = 0 [pid 379] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 378] <... futex resumed>) = 0 [pid 379] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 378] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 378] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 379] <... futex resumed>) = 0 [pid 379] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 379] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 378] <... futex resumed>) = 0 [pid 378] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 379] <... futex resumed>) = 1 [pid 378] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 379] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 379] write(6, "8", 1) = 1 [pid 379] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 379] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 378] <... futex resumed>) = 0 [pid 379] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 378] exit_group(0 [pid 379] <... futex resumed>) = ? [pid 378] <... exit_group resumed>) = ? [pid 379] +++ exited with 0 +++ [pid 378] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=378, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./37", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./37", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [ 29.651463][ T376] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 29.659277][ T376] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 29.667086][ T376] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 29.674909][ T376] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./37/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./37/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./37/binderfs") = 0 umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./37/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./37/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./37") = 0 mkdir("./38", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 380 attached , child_tidptr=0x555555a28690) = 380 [pid 380] set_robust_list(0x555555a286a0, 24) = 0 [pid 380] chdir("./38") = 0 [pid 380] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 380] setpgid(0, 0) = 0 [pid 380] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 380] write(3, "1000", 4) = 4 [pid 380] close(3) = 0 [pid 380] symlink("/dev/binderfs", "./binderfs") = 0 [pid 380] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 380] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 380] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 380] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 380] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 380] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 380] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 381 attached [pid 381] set_robust_list(0x7f1ef6aad9a0, 24 [pid 380] <... clone3 resumed> => {parent_tid=[381]}, 88) = 381 [pid 381] <... set_robust_list resumed>) = 0 [pid 381] rt_sigprocmask(SIG_SETMASK, [], [pid 380] rt_sigprocmask(SIG_SETMASK, [], [pid 381] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 381] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 380] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 381] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 380] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 380] <... futex resumed>) = 0 [pid 381] <... socket resumed>) = 3 [pid 380] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 381] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 380] <... futex resumed>) = 0 [pid 381] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 380] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 380] <... futex resumed>) = 0 [pid 381] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 380] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 381] <... bpf resumed>) = 4 [pid 381] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 380] <... futex resumed>) = 0 [pid 381] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 380] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] <... bpf resumed>) = 5 [pid 380] <... futex resumed>) = 0 [pid 381] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 380] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 381] <... futex resumed>) = 0 [pid 380] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 381] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 380] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] <... bpf resumed>) = 0 [pid 380] <... futex resumed>) = 0 [pid 381] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 380] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 381] <... futex resumed>) = 0 [pid 380] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 381] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 380] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] <... bpf resumed>) = 0 [pid 380] <... futex resumed>) = 0 [pid 381] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 380] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 381] <... futex resumed>) = 0 [pid 380] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 381] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 380] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] <... bind resumed>) = 0 [pid 380] <... futex resumed>) = 0 [pid 381] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 380] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 381] <... futex resumed>) = 0 [pid 380] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 381] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 380] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] <... openat resumed>) = 6 [pid 380] <... futex resumed>) = 0 [pid 381] write(6, "8", 1 [pid 380] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 381] <... write resumed>) = 1 [pid 381] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 381] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 380] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 380] exit_group(0) = ? [ 29.730100][ T381] FAULT_INJECTION: forcing a failure. [ 29.730100][ T381] name fail_futex, interval 1, probability 0, space 0, times 0 [ 29.743158][ T381] CPU: 1 PID: 381 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 29.754528][ T381] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 29.764536][ T381] Call Trace: [ 29.767657][ T381] [ 29.770436][ T381] dump_stack_lvl+0x151/0x1b7 [ 29.774948][ T381] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 29.780241][ T381] ? newidle_balance+0x8bd/0x1090 [ 29.785104][ T381] dump_stack+0x15/0x17 [ 29.789201][ T381] should_fail_ex+0x3d0/0x520 [ 29.793712][ T381] should_fail+0xb/0x10 [ 29.797708][ T381] get_futex_key+0x177/0xc90 [ 29.802234][ T381] ? futex_setup_timer+0xd0/0xd0 [ 29.807002][ T381] futex_wake+0x1af/0xb60 [ 29.811167][ T381] ? futex_wake_mark+0x170/0x170 [ 29.815936][ T381] ? finish_task_switch+0x167/0x7b0 [ 29.820977][ T381] ? __schedule+0xca1/0x1540 [ 29.825398][ T381] ? __kasan_check_write+0x14/0x20 [ 29.830343][ T381] ? __kasan_check_write+0x14/0x20 [ 29.835306][ T381] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 29.840251][ T381] do_futex+0x501/0x9a0 [ 29.844231][ T381] ? __ia32_sys_get_robust_list+0x90/0x90 [ 29.849793][ T381] __se_sys_futex+0x35e/0x3c0 [ 29.854298][ T381] ? _raw_spin_unlock_irq+0x4d/0x70 [ 29.859343][ T381] ? __x64_sys_futex+0x100/0x100 [ 29.864119][ T381] ? fpregs_restore_userregs+0x130/0x290 [ 29.869577][ T381] __x64_sys_futex+0xe5/0x100 [ 29.874090][ T381] do_syscall_64+0x3d/0xb0 [ 29.878342][ T381] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 29.884069][ T381] RIP: 0033:0x7f1ef6aecf59 [ 29.888321][ T381] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 29.907765][ T381] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 29.916008][ T381] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [pid 381] <... futex resumed>) = ? [pid 381] +++ exited with 0 +++ [pid 380] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=380, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./38/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./38/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./38/binderfs") = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./38/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./38/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./38") = 0 mkdir("./39", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 382 ./strace-static-x86_64: Process 382 attached [pid 382] set_robust_list(0x555555a286a0, 24) = 0 [pid 382] chdir("./39") = 0 [pid 382] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 382] setpgid(0, 0) = 0 [pid 382] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 382] write(3, "1000", 4) = 4 [pid 382] close(3) = 0 [pid 382] symlink("/dev/binderfs", "./binderfs") = 0 [pid 382] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 382] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 382] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 382] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 382] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 382] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 382] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 383 attached => {parent_tid=[383]}, 88) = 383 [pid 383] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 383] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 383] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 382] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 382] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 383] <... futex resumed>) = 0 [pid 383] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 383] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 383] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 382] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 382] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 383] <... futex resumed>) = 0 [pid 382] <... futex resumed>) = 1 [pid 383] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 382] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 383] <... bpf resumed>) = 4 [pid 383] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 383] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 382] <... futex resumed>) = 0 [pid 382] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 383] <... futex resumed>) = 0 [pid 382] <... futex resumed>) = 1 [pid 383] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 383] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 383] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 382] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 382] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 383] <... futex resumed>) = 0 [pid 382] <... futex resumed>) = 1 [pid 383] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 383] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 383] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 382] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 382] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 383] <... futex resumed>) = 0 [pid 382] <... futex resumed>) = 1 [pid 383] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 383] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 383] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 382] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 382] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 383] <... futex resumed>) = 0 [pid 382] <... futex resumed>) = 1 [pid 383] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 382] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 383] <... bind resumed>) = 0 [pid 383] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 382] <... futex resumed>) = 0 [pid 383] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 382] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 383] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 382] <... futex resumed>) = 0 [pid 383] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 382] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 383] <... openat resumed>) = 6 [pid 383] write(6, "8", 1) = 1 [pid 383] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 29.923823][ T381] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 29.931632][ T381] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 29.939441][ T381] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 29.947252][ T381] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 29.955068][ T381] [ 29.982438][ T383] FAULT_INJECTION: forcing a failure. [ 29.982438][ T383] name fail_futex, interval 1, probability 0, space 0, times 0 [ 29.995336][ T383] CPU: 0 PID: 383 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 30.006780][ T383] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 30.016667][ T383] Call Trace: [ 30.019793][ T383] [ 30.022573][ T383] dump_stack_lvl+0x151/0x1b7 [ 30.027084][ T383] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 30.032379][ T383] dump_stack+0x15/0x17 [ 30.036377][ T383] should_fail_ex+0x3d0/0x520 [ 30.040885][ T383] should_fail+0xb/0x10 [ 30.044878][ T383] get_futex_key+0x177/0xc90 [ 30.049302][ T383] ? futex_setup_timer+0xd0/0xd0 [ 30.054079][ T383] futex_wake+0x1af/0xb60 [ 30.058239][ T383] ? futex_wake_mark+0x170/0x170 [ 30.063011][ T383] ? finish_task_switch+0x167/0x7b0 [ 30.068052][ T383] ? __schedule+0xca1/0x1540 [ 30.072474][ T383] ? __kasan_check_write+0x14/0x20 [ 30.077421][ T383] ? __kasan_check_write+0x14/0x20 [ 30.082369][ T383] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 30.087316][ T383] do_futex+0x501/0x9a0 [ 30.091307][ T383] ? __ia32_sys_get_robust_list+0x90/0x90 [ 30.096865][ T383] __se_sys_futex+0x35e/0x3c0 [ 30.101377][ T383] ? _raw_spin_unlock_irq+0x4d/0x70 [ 30.106410][ T383] ? __x64_sys_futex+0x100/0x100 [ 30.111185][ T383] ? fpregs_restore_userregs+0x130/0x290 [ 30.116650][ T383] __x64_sys_futex+0xe5/0x100 [ 30.121163][ T383] do_syscall_64+0x3d/0xb0 [ 30.125419][ T383] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 30.131146][ T383] RIP: 0033:0x7f1ef6aecf59 [ 30.135400][ T383] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 30.154929][ T383] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 30.163172][ T383] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 30.170989][ T383] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 383] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = -1 EFAULT (Bad address) [pid 382] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 383] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 382] exit_group(0 [pid 383] <... futex resumed>) = ? [pid 382] <... exit_group resumed>) = ? [pid 383] +++ exited with 0 +++ [pid 382] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=382, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- umount2("./39", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./39/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./39/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./39/binderfs") = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./39/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./39/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./39") = 0 mkdir("./40", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 384 ./strace-static-x86_64: Process 384 attached [pid 384] set_robust_list(0x555555a286a0, 24) = 0 [pid 384] chdir("./40") = 0 [pid 384] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 384] setpgid(0, 0) = 0 [pid 384] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 384] write(3, "1000", 4) = 4 [pid 384] close(3) = 0 [pid 384] symlink("/dev/binderfs", "./binderfs") = 0 [pid 384] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 384] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 384] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 384] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 384] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 384] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 384] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[385]}, 88) = 385 [pid 384] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 384] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 384] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 385 attached [pid 385] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 385] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 385] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 385] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 384] <... futex resumed>) = 0 [pid 384] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 384] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 385] <... futex resumed>) = 1 [pid 385] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 385] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 384] <... futex resumed>) = 0 [pid 384] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 384] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 385] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 385] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 384] <... futex resumed>) = 0 [pid 384] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 384] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 385] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 385] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 384] <... futex resumed>) = 0 [pid 384] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 384] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 385] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 385] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 384] <... futex resumed>) = 0 [pid 384] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 384] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 385] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 385] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 384] <... futex resumed>) = 0 [pid 384] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 384] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 385] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 385] write(6, "8", 1) = 1 [pid 385] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 385] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 384] <... futex resumed>) = 0 [pid 384] exit_group(0 [pid 385] ????( [pid 384] <... exit_group resumed>) = ? [pid 385] <... ???? resumed>) = ? [pid 385] +++ exited with 0 +++ [pid 384] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=384, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./40", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./40/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./40/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./40/binderfs") = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./40/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./40/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./40") = 0 mkdir("./41", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 386 ./strace-static-x86_64: Process 386 attached [pid 386] set_robust_list(0x555555a286a0, 24) = 0 [pid 386] chdir("./41") = 0 [pid 386] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 386] setpgid(0, 0) = 0 [pid 386] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 386] write(3, "1000", 4) = 4 [pid 386] close(3) = 0 [pid 386] symlink("/dev/binderfs", "./binderfs") = 0 [pid 386] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 386] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 386] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 386] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 386] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 386] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 386] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[387]}, 88) = 387 [pid 386] rt_sigprocmask(SIG_SETMASK, [], ./strace-static-x86_64: Process 387 attached NULL, 8) = 0 [pid 387] set_robust_list(0x7f1ef6aad9a0, 24 [pid 386] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 387] <... set_robust_list resumed>) = 0 [pid 386] <... futex resumed>) = 0 [pid 387] rt_sigprocmask(SIG_SETMASK, [], [pid 386] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 387] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 387] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 386] <... futex resumed>) = 0 [pid 386] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 387] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 386] <... futex resumed>) = 0 [pid 386] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] <... bpf resumed>) = 4 [pid 387] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 386] <... futex resumed>) = 0 [pid 387] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 386] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 387] <... bpf resumed>) = 5 [pid 386] <... futex resumed>) = 0 [pid 387] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 386] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] <... futex resumed>) = 0 [pid 386] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 387] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 386] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 387] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 386] <... futex resumed>) = 0 [pid 387] <... bpf resumed>) = 0 [pid 386] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 386] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 387] <... futex resumed>) = 0 [pid 386] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 387] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 386] <... futex resumed>) = 0 [pid 387] <... bpf resumed>) = 0 [pid 386] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 386] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 387] <... futex resumed>) = 0 [pid 386] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 387] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 386] <... futex resumed>) = 0 [pid 386] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] <... bind resumed>) = 0 [pid 387] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 386] <... futex resumed>) = 0 [pid 387] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 386] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 387] <... openat resumed>) = 6 [pid 386] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] write(6, "8", 1) = 1 [ 30.178793][ T383] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 30.186605][ T383] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 30.194429][ T383] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 30.203545][ T383] [pid 387] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 30.244475][ T387] FAULT_INJECTION: forcing a failure. [ 30.244475][ T387] name fail_futex, interval 1, probability 0, space 0, times 0 [ 30.257212][ T387] CPU: 1 PID: 387 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 30.268584][ T387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 30.278485][ T387] Call Trace: [ 30.281601][ T387] [ 30.284382][ T387] dump_stack_lvl+0x151/0x1b7 [ 30.288899][ T387] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 30.294197][ T387] dump_stack+0x15/0x17 [ 30.298181][ T387] should_fail_ex+0x3d0/0x520 [ 30.302705][ T387] should_fail+0xb/0x10 [ 30.306686][ T387] get_futex_key+0x177/0xc90 [ 30.311115][ T387] ? futex_setup_timer+0xd0/0xd0 [ 30.315889][ T387] futex_wake+0x1af/0xb60 [ 30.320053][ T387] ? futex_wake_mark+0x170/0x170 [ 30.324824][ T387] ? finish_task_switch+0x167/0x7b0 [ 30.329863][ T387] ? __schedule+0xca1/0x1540 [ 30.334286][ T387] ? __kasan_check_write+0x14/0x20 [ 30.339238][ T387] ? __kasan_check_write+0x14/0x20 [ 30.344179][ T387] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 30.349126][ T387] do_futex+0x501/0x9a0 [ 30.353470][ T387] ? __ia32_sys_get_robust_list+0x90/0x90 [ 30.359028][ T387] __se_sys_futex+0x35e/0x3c0 [ 30.363533][ T387] ? _raw_spin_unlock_irq+0x4d/0x70 [ 30.368568][ T387] ? __x64_sys_futex+0x100/0x100 [ 30.373346][ T387] ? fpregs_restore_userregs+0x130/0x290 [ 30.378813][ T387] __x64_sys_futex+0xe5/0x100 [ 30.383326][ T387] do_syscall_64+0x3d/0xb0 [ 30.387576][ T387] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 30.393306][ T387] RIP: 0033:0x7f1ef6aecf59 [ 30.397555][ T387] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 30.417002][ T387] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 30.425242][ T387] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 30.433070][ T387] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 387] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = -1 EFAULT (Bad address) [pid 387] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 386] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 386] exit_group(0 [pid 387] <... futex resumed>) = ? [pid 386] <... exit_group resumed>) = ? [pid 387] +++ exited with 0 +++ [pid 386] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=386, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./41", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./41", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./41/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./41/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./41/binderfs") = 0 umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./41/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./41/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./41") = 0 mkdir("./42", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 388 ./strace-static-x86_64: Process 388 attached [pid 388] set_robust_list(0x555555a286a0, 24) = 0 [pid 388] chdir("./42") = 0 [pid 388] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 388] setpgid(0, 0) = 0 [pid 388] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 388] write(3, "1000", 4) = 4 [pid 388] close(3) = 0 [pid 388] symlink("/dev/binderfs", "./binderfs") = 0 [pid 388] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 388] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 388] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 388] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 388] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 388] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 388] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[389]}, 88) = 389 [pid 388] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 388] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 389 attached [pid 388] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 389] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 389] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 389] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 389] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 388] <... futex resumed>) = 0 [pid 389] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 388] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 389] <... bpf resumed>) = 4 [pid 388] <... futex resumed>) = 0 [pid 389] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 388] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 389] <... futex resumed>) = 0 [pid 388] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 389] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 388] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 389] <... bpf resumed>) = 5 [pid 388] <... futex resumed>) = 0 [pid 389] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 388] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 389] <... futex resumed>) = 0 [pid 388] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 389] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 388] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 389] <... bpf resumed>) = 0 [pid 388] <... futex resumed>) = 0 [pid 389] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 388] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 389] <... futex resumed>) = 0 [pid 388] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 389] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 388] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 389] <... bpf resumed>) = 0 [pid 388] <... futex resumed>) = 0 [pid 389] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 388] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 389] <... futex resumed>) = 0 [pid 388] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 389] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 388] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 389] <... bind resumed>) = 0 [pid 388] <... futex resumed>) = 0 [pid 389] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 388] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 389] <... futex resumed>) = 0 [pid 388] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 389] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 388] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 388] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 389] <... openat resumed>) = 6 [pid 389] write(6, "8", 1) = 1 [pid 389] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 389] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 388] <... futex resumed>) = 0 [pid 389] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 388] exit_group(0) = ? [ 30.440867][ T387] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 30.448767][ T387] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 30.456577][ T387] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 30.464394][ T387] [ 30.483420][ T389] FAULT_INJECTION: forcing a failure. [ 30.483420][ T389] name fail_futex, interval 1, probability 0, space 0, times 0 [ 30.496231][ T389] CPU: 1 PID: 389 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 30.507598][ T389] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 30.517494][ T389] Call Trace: [ 30.520614][ T389] [ 30.523391][ T389] dump_stack_lvl+0x151/0x1b7 [ 30.527905][ T389] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 30.534546][ T389] ? __kasan_check_write+0x14/0x20 [ 30.539481][ T389] ? _raw_spin_lock_irqsave+0xf9/0x210 [ 30.544775][ T389] dump_stack+0x15/0x17 [ 30.548771][ T389] should_fail_ex+0x3d0/0x520 [ 30.553284][ T389] should_fail+0xb/0x10 [ 30.557276][ T389] get_futex_key+0x177/0xc90 [ 30.561702][ T389] ? futex_setup_timer+0xd0/0xd0 [ 30.566472][ T389] ? __this_cpu_preempt_check+0x13/0x20 [ 30.571969][ T389] futex_wait_setup+0xc3/0x330 [ 30.576574][ T389] ? futex_wait_multiple+0x8e0/0x8e0 [ 30.581691][ T389] ? __switch_to+0x62c/0x1190 [ 30.586204][ T389] ? futex_wait+0xf3/0x7e0 [ 30.590461][ T389] ? futex_setup_timer+0xb0/0xd0 [ 30.595230][ T389] futex_wait+0x1b9/0x7e0 [ 30.599396][ T389] ? __sched_clock_gtod_offset+0x100/0x100 [ 30.605038][ T389] ? futex_wait_setup+0x330/0x330 [ 30.609903][ T389] ? __kasan_check_write+0x14/0x20 [ 30.614845][ T389] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 30.619795][ T389] do_futex+0x55a/0x9a0 [ 30.623798][ T389] ? __ia32_sys_get_robust_list+0x90/0x90 [ 30.629345][ T389] __se_sys_futex+0x35e/0x3c0 [ 30.633857][ T389] ? _raw_spin_unlock_irq+0x4d/0x70 [ 30.638890][ T389] ? __x64_sys_futex+0x100/0x100 [ 30.643663][ T389] ? fpregs_restore_userregs+0x130/0x290 [ 30.649134][ T389] __x64_sys_futex+0xe5/0x100 [ 30.653642][ T389] do_syscall_64+0x3d/0xb0 [ 30.657895][ T389] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 30.663625][ T389] RIP: 0033:0x7f1ef6aecf59 [ 30.667873][ T389] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 30.687325][ T389] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [pid 389] <... futex resumed>) = ? [pid 389] +++ exited with 0 +++ [pid 388] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=388, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./42", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./42", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./42/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./42/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./42/binderfs") = 0 umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./42/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./42/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./42") = 0 mkdir("./43", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 391 ./strace-static-x86_64: Process 391 attached [pid 391] set_robust_list(0x555555a286a0, 24) = 0 [pid 391] chdir("./43") = 0 [pid 391] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 391] setpgid(0, 0) = 0 [pid 391] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 391] write(3, "1000", 4) = 4 [pid 391] close(3) = 0 [pid 391] symlink("/dev/binderfs", "./binderfs") = 0 [pid 391] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 391] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 391] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 391] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 391] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 391] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 392 attached => {parent_tid=[392]}, 88) = 392 [pid 391] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 391] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 392] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 392] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 392] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 391] <... futex resumed>) = 0 [pid 391] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 392] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 391] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] <... bpf resumed>) = 4 [pid 392] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 391] <... futex resumed>) = 0 [pid 392] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 391] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] <... bpf resumed>) = 5 [pid 392] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 391] <... futex resumed>) = 0 [pid 392] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 391] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 392] <... futex resumed>) = 0 [pid 391] <... futex resumed>) = 1 [pid 392] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 391] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] <... bpf resumed>) = 0 [pid 392] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 391] <... futex resumed>) = 0 [pid 392] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 391] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 392] <... bpf resumed>) = 0 [pid 391] <... futex resumed>) = 0 [pid 392] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 391] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] <... futex resumed>) = 0 [pid 391] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 392] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 391] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] <... bind resumed>) = 0 [pid 392] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 391] <... futex resumed>) = 0 [pid 391] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 392] write(6, "8", 1) = 1 [pid 392] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 392] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 392] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 391] <... futex resumed>) = 0 [ 30.695562][ T389] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 30.703375][ T389] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1ef6b773e8 [ 30.711192][ T389] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 30.718997][ T389] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 30.726815][ T389] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 30.734624][ T389] [pid 391] exit_group(0) = ? [ 30.760635][ T392] FAULT_INJECTION: forcing a failure. [ 30.760635][ T392] name fail_futex, interval 1, probability 0, space 0, times 0 [ 30.773406][ T392] CPU: 1 PID: 392 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 30.784772][ T392] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 30.794671][ T392] Call Trace: [ 30.797793][ T392] [ 30.800568][ T392] dump_stack_lvl+0x151/0x1b7 [ 30.805084][ T392] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 30.810400][ T392] dump_stack+0x15/0x17 [ 30.814372][ T392] should_fail_ex+0x3d0/0x520 [ 30.819009][ T392] should_fail+0xb/0x10 [ 30.822993][ T392] get_futex_key+0x177/0xc90 [ 30.827428][ T392] ? futex_setup_timer+0xd0/0xd0 [ 30.832196][ T392] ? __this_cpu_preempt_check+0x13/0x20 [ 30.837573][ T392] futex_wait_setup+0xc3/0x330 [ 30.842181][ T392] ? futex_wait_multiple+0x8e0/0x8e0 [ 30.847292][ T392] ? __switch_to+0x62c/0x1190 [ 30.851812][ T392] ? futex_wait+0xf3/0x7e0 [ 30.856155][ T392] ? futex_setup_timer+0xb0/0xd0 [ 30.860926][ T392] futex_wait+0x1b9/0x7e0 [ 30.865085][ T392] ? __sched_clock_gtod_offset+0x100/0x100 [ 30.870729][ T392] ? futex_wait_setup+0x330/0x330 [ 30.875595][ T392] ? __kasan_check_write+0x14/0x20 [ 30.880776][ T392] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 30.885755][ T392] do_futex+0x55a/0x9a0 [ 30.889736][ T392] ? __ia32_sys_get_robust_list+0x90/0x90 [ 30.895293][ T392] __se_sys_futex+0x35e/0x3c0 [ 30.899805][ T392] ? _raw_spin_unlock_irq+0x4d/0x70 [ 30.904840][ T392] ? __x64_sys_futex+0x100/0x100 [ 30.909613][ T392] ? fpregs_restore_userregs+0x130/0x290 [ 30.915082][ T392] __x64_sys_futex+0xe5/0x100 [ 30.919611][ T392] do_syscall_64+0x3d/0xb0 [ 30.923848][ T392] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 30.929672][ T392] RIP: 0033:0x7f1ef6aecf59 [ 30.933921][ T392] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 30.953355][ T392] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [pid 392] <... futex resumed>) = ? [pid 392] +++ exited with 0 +++ [pid 391] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=391, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./43", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./43", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./43/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./43/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./43/binderfs") = 0 umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./43/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./43/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./43") = 0 mkdir("./44", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 393 ./strace-static-x86_64: Process 393 attached [pid 393] set_robust_list(0x555555a286a0, 24) = 0 [pid 393] chdir("./44") = 0 [pid 393] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 393] setpgid(0, 0) = 0 [pid 393] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 393] write(3, "1000", 4) = 4 [pid 393] close(3) = 0 [pid 393] symlink("/dev/binderfs", "./binderfs") = 0 [pid 393] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 393] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 393] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 393] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 393] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 393] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 393] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 394 attached [pid 394] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 394] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 394] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 393] <... clone3 resumed> => {parent_tid=[394]}, 88) = 394 [pid 393] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 393] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 394] <... futex resumed>) = 0 [pid 394] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 394] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 394] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 393] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 393] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 394] <... futex resumed>) = 0 [pid 394] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 393] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 394] <... bpf resumed>) = 4 [pid 394] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 394] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 393] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 393] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 394] <... futex resumed>) = 0 [pid 394] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 393] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 394] <... bpf resumed>) = 5 [pid 394] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 394] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 393] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 393] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 394] <... futex resumed>) = 0 [pid 393] <... futex resumed>) = 1 [pid 394] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 394] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 394] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 393] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 393] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 394] <... futex resumed>) = 0 [pid 394] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 394] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 394] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 393] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 393] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 394] <... futex resumed>) = 0 [pid 394] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 393] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 394] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 393] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 394] <... futex resumed>) = 0 [pid 394] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 393] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 394] <... futex resumed>) = 0 [pid 393] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 394] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 394] write(6, "8", 1) = 1 [pid 394] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 394] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 394] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 393] <... futex resumed>) = 0 [pid 393] exit_group(0) = ? [ 30.961610][ T392] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 30.969412][ T392] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1ef6b773e8 [ 30.977221][ T392] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 30.985035][ T392] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 30.992843][ T392] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 31.000668][ T392] [ 31.025518][ T394] FAULT_INJECTION: forcing a failure. [ 31.025518][ T394] name fail_futex, interval 1, probability 0, space 0, times 0 [ 31.038191][ T394] CPU: 1 PID: 394 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 31.049490][ T394] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 31.059419][ T394] Call Trace: [ 31.062515][ T394] [ 31.065289][ T394] dump_stack_lvl+0x151/0x1b7 [ 31.069800][ T394] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 31.075094][ T394] dump_stack+0x15/0x17 [ 31.079087][ T394] should_fail_ex+0x3d0/0x520 [ 31.083600][ T394] should_fail+0xb/0x10 [ 31.087598][ T394] get_futex_key+0x177/0xc90 [ 31.092020][ T394] ? futex_setup_timer+0xd0/0xd0 [ 31.096791][ T394] ? __this_cpu_preempt_check+0x13/0x20 [ 31.102173][ T394] futex_wait_setup+0xc3/0x330 [ 31.106777][ T394] ? futex_wait_multiple+0x8e0/0x8e0 [ 31.111892][ T394] ? __switch_to+0x62c/0x1190 [ 31.116407][ T394] ? futex_wait+0xf3/0x7e0 [ 31.120663][ T394] ? futex_setup_timer+0xb0/0xd0 [ 31.125434][ T394] futex_wait+0x1b9/0x7e0 [ 31.129598][ T394] ? __sched_clock_gtod_offset+0x100/0x100 [ 31.135240][ T394] ? futex_wait_setup+0x330/0x330 [ 31.140110][ T394] ? __kasan_check_write+0x14/0x20 [ 31.145045][ T394] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 31.149993][ T394] do_futex+0x55a/0x9a0 [ 31.153988][ T394] ? __ia32_sys_get_robust_list+0x90/0x90 [ 31.159544][ T394] __se_sys_futex+0x35e/0x3c0 [ 31.164071][ T394] ? _raw_spin_unlock_irq+0x4d/0x70 [ 31.169090][ T394] ? __x64_sys_futex+0x100/0x100 [ 31.173874][ T394] ? fpregs_restore_userregs+0x130/0x290 [ 31.179331][ T394] __x64_sys_futex+0xe5/0x100 [ 31.183843][ T394] do_syscall_64+0x3d/0xb0 [ 31.188096][ T394] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 31.193825][ T394] RIP: 0033:0x7f1ef6aecf59 [ 31.198079][ T394] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 31.217529][ T394] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [pid 394] <... futex resumed>) = ? [pid 394] +++ exited with 0 +++ [pid 393] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=393, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./44", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./44/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./44/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./44/binderfs") = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./44/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./44/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./44") = 0 mkdir("./45", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 395 ./strace-static-x86_64: Process 395 attached [pid 395] set_robust_list(0x555555a286a0, 24) = 0 [pid 395] chdir("./45") = 0 [pid 395] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 395] setpgid(0, 0) = 0 [pid 395] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 395] write(3, "1000", 4) = 4 [pid 395] close(3) = 0 [pid 395] symlink("/dev/binderfs", "./binderfs") = 0 [pid 395] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 395] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 395] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 395] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 395] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 395] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 395] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 396 attached [pid 396] set_robust_list(0x7f1ef6aad9a0, 24 [pid 395] <... clone3 resumed> => {parent_tid=[396]}, 88) = 396 [pid 396] <... set_robust_list resumed>) = 0 [pid 395] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 396] rt_sigprocmask(SIG_SETMASK, [], [pid 395] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 396] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 395] <... futex resumed>) = 0 [pid 396] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 395] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 396] <... socket resumed>) = 3 [pid 396] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 395] <... futex resumed>) = 0 [pid 395] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 396] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 395] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 396] <... bpf resumed>) = 4 [pid 396] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 395] <... futex resumed>) = 0 [pid 395] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 396] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 395] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 396] <... bpf resumed>) = 5 [pid 396] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 395] <... futex resumed>) = 0 [pid 395] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 396] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 395] <... futex resumed>) = 0 [pid 396] <... bpf resumed>) = 0 [pid 395] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 396] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 395] <... futex resumed>) = 0 [pid 395] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 396] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 395] <... futex resumed>) = 0 [pid 396] <... bpf resumed>) = 0 [pid 395] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 396] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 395] <... futex resumed>) = 0 [pid 396] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 395] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 396] <... bind resumed>) = 0 [pid 395] <... futex resumed>) = 0 [pid 396] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 395] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 396] <... futex resumed>) = 0 [pid 395] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 396] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 395] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 396] <... openat resumed>) = 6 [pid 395] <... futex resumed>) = 0 [pid 396] write(6, "8", 1 [pid 395] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 396] <... write resumed>) = 1 [pid 396] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 396] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 395] <... futex resumed>) = 0 [pid 396] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 395] exit_group(0 [pid 396] <... futex resumed>) = ? [pid 395] <... exit_group resumed>) = ? [pid 396] +++ exited with 0 +++ [pid 395] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=395, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- umount2("./45", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./45", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./45/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./45/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./45/binderfs") = 0 umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./45/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./45/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./45") = 0 mkdir("./46", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 397 attached , child_tidptr=0x555555a28690) = 397 [pid 397] set_robust_list(0x555555a286a0, 24) = 0 [pid 397] chdir("./46") = 0 [pid 397] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 397] setpgid(0, 0) = 0 [pid 397] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 397] write(3, "1000", 4) = 4 [pid 397] close(3) = 0 [pid 397] symlink("/dev/binderfs", "./binderfs") = 0 [pid 397] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 397] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 397] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 397] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 397] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 397] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 397] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[398]}, 88) = 398 [pid 397] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 397] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 397] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 398 attached [pid 398] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 398] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 398] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 398] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 397] <... futex resumed>) = 0 [pid 397] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 398] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 397] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 398] <... bpf resumed>) = 4 [pid 398] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 397] <... futex resumed>) = 0 [pid 397] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 397] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 31.225767][ T394] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 31.233577][ T394] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1ef6b773e8 [ 31.241386][ T394] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 31.249199][ T394] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 31.257007][ T394] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 31.264827][ T394] [pid 398] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 398] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 397] <... futex resumed>) = 0 [pid 397] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 397] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 398] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 398] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 397] <... futex resumed>) = 0 [pid 397] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 398] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 397] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 398] <... bpf resumed>) = 0 [pid 398] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 397] <... futex resumed>) = 0 [pid 397] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 397] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 398] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 398] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 397] <... futex resumed>) = 0 [pid 397] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 397] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 398] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 398] write(6, "8", 1) = 1 [pid 398] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 398] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 397] <... futex resumed>) = 0 [pid 398] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 397] exit_group(0) = ? [ 31.314023][ T398] FAULT_INJECTION: forcing a failure. [ 31.314023][ T398] name fail_futex, interval 1, probability 0, space 0, times 0 [ 31.327090][ T398] CPU: 0 PID: 398 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 31.338587][ T398] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 31.348564][ T398] Call Trace: [ 31.351688][ T398] [ 31.354469][ T398] dump_stack_lvl+0x151/0x1b7 [ 31.358978][ T398] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 31.364274][ T398] dump_stack+0x15/0x17 [ 31.368266][ T398] should_fail_ex+0x3d0/0x520 [ 31.372783][ T398] should_fail+0xb/0x10 [ 31.376771][ T398] get_futex_key+0x177/0xc90 [ 31.381198][ T398] ? futex_setup_timer+0xd0/0xd0 [ 31.385972][ T398] ? __this_cpu_preempt_check+0x13/0x20 [ 31.391355][ T398] futex_wait_setup+0xc3/0x330 [ 31.395953][ T398] ? futex_wait_multiple+0x8e0/0x8e0 [ 31.401074][ T398] ? __switch_to+0x62c/0x1190 [ 31.405590][ T398] ? futex_wait+0xf3/0x7e0 [ 31.409839][ T398] ? futex_setup_timer+0xb0/0xd0 [ 31.414614][ T398] futex_wait+0x1b9/0x7e0 [ 31.418792][ T398] ? __sched_clock_gtod_offset+0x100/0x100 [ 31.425464][ T398] ? futex_wait_setup+0x330/0x330 [ 31.430343][ T398] ? __kasan_check_write+0x14/0x20 [ 31.435272][ T398] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 31.440224][ T398] do_futex+0x55a/0x9a0 [ 31.444211][ T398] ? __ia32_sys_get_robust_list+0x90/0x90 [ 31.449869][ T398] __se_sys_futex+0x35e/0x3c0 [ 31.454373][ T398] ? _raw_spin_unlock_irq+0x4d/0x70 [ 31.459413][ T398] ? __x64_sys_futex+0x100/0x100 [ 31.464191][ T398] ? fpregs_restore_userregs+0x130/0x290 [ 31.469658][ T398] __x64_sys_futex+0xe5/0x100 [ 31.474169][ T398] do_syscall_64+0x3d/0xb0 [ 31.478418][ T398] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 31.484146][ T398] RIP: 0033:0x7f1ef6aecf59 [ 31.488401][ T398] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [pid 398] <... futex resumed>) = ? [pid 398] +++ exited with 0 +++ [pid 397] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=397, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./46", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./46", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./46/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./46/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./46/binderfs") = 0 umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./46/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./46/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./46") = 0 mkdir("./47", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 399 ./strace-static-x86_64: Process 399 attached [pid 399] set_robust_list(0x555555a286a0, 24) = 0 [pid 399] chdir("./47") = 0 [pid 399] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 399] setpgid(0, 0) = 0 [pid 399] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 399] write(3, "1000", 4) = 4 [pid 399] close(3) = 0 [pid 399] symlink("/dev/binderfs", "./binderfs") = 0 [pid 399] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 399] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 399] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 399] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 399] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 399] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 399] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[400]}, 88) = 400 [pid 399] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 399] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 399] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 400 attached [pid 400] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 400] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 400] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 400] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 399] <... futex resumed>) = 0 [pid 399] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 399] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 400] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 400] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 400] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 399] <... futex resumed>) = 0 [pid 399] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 399] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 400] <... futex resumed>) = 0 [pid 400] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 400] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 399] <... futex resumed>) = 0 [pid 400] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 399] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 400] <... bpf resumed>) = 0 [pid 399] <... futex resumed>) = 0 [pid 400] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 399] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 400] <... futex resumed>) = 0 [pid 399] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 400] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 399] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 400] <... bpf resumed>) = 0 [pid 400] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 399] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 400] <... futex resumed>) = 0 [pid 399] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 400] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 399] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 399] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 400] <... bind resumed>) = 0 [pid 400] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 399] <... futex resumed>) = 0 [pid 399] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 400] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 399] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 400] <... openat resumed>) = 6 [pid 400] write(6, "8", 1) = 1 [pid 400] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 400] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 399] <... futex resumed>) = 0 [pid 400] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 399] exit_group(0 [pid 400] <... futex resumed>) = ? [pid 399] <... exit_group resumed>) = ? [pid 400] +++ exited with 0 +++ [pid 399] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=399, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- umount2("./47", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./47", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./47/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./47/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./47/binderfs") = 0 umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./47/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./47/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./47") = 0 mkdir("./48", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 401 attached , child_tidptr=0x555555a28690) = 401 [pid 401] set_robust_list(0x555555a286a0, 24) = 0 [pid 401] chdir("./48") = 0 [pid 401] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 401] setpgid(0, 0) = 0 [pid 401] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 401] write(3, "1000", 4) = 4 [pid 401] close(3) = 0 [pid 401] symlink("/dev/binderfs", "./binderfs") = 0 [pid 401] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 401] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 401] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 401] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 401] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 401] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 401] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[402]}, 88) = 402 ./strace-static-x86_64: Process 402 attached [pid 401] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 402] set_robust_list(0x7f1ef6aad9a0, 24 [pid 401] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 402] <... set_robust_list resumed>) = 0 [pid 401] <... futex resumed>) = 0 [pid 402] rt_sigprocmask(SIG_SETMASK, [], [pid 401] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 402] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 402] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 401] <... futex resumed>) = 0 [pid 402] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 401] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 402] <... bpf resumed>) = 4 [pid 401] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 401] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 402] <... futex resumed>) = 0 [pid 401] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 402] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 401] <... futex resumed>) = 0 [pid 402] <... bpf resumed>) = 5 [pid 401] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 401] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 402] <... futex resumed>) = 0 [pid 401] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 402] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 401] <... futex resumed>) = 0 [pid 402] <... bpf resumed>) = 0 [pid 401] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 401] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 402] <... futex resumed>) = 0 [pid 401] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 402] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 401] <... futex resumed>) = 0 [pid 402] <... bpf resumed>) = 0 [pid 401] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 401] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 402] <... futex resumed>) = 0 [ 31.508151][ T398] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 31.516386][ T398] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 31.524193][ T398] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1ef6b773e8 [ 31.532008][ T398] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 31.539819][ T398] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 31.547628][ T398] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 31.555446][ T398] [pid 401] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 402] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 401] <... futex resumed>) = 0 [pid 401] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] <... bind resumed>) = 0 [pid 402] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 401] <... futex resumed>) = 0 [pid 402] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 401] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 402] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 401] <... futex resumed>) = 0 [pid 402] <... openat resumed>) = 6 [pid 401] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] write(6, "8", 1) = 1 [pid 402] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 31.598174][ T402] FAULT_INJECTION: forcing a failure. [ 31.598174][ T402] name fail_futex, interval 1, probability 0, space 0, times 0 [ 31.610943][ T402] CPU: 1 PID: 402 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 31.622235][ T402] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 31.632120][ T402] Call Trace: [ 31.635244][ T402] [ 31.638022][ T402] dump_stack_lvl+0x151/0x1b7 [ 31.642539][ T402] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 31.647833][ T402] ? newidle_balance+0x887/0x1090 [ 31.652689][ T402] dump_stack+0x15/0x17 [ 31.656687][ T402] should_fail_ex+0x3d0/0x520 [ 31.661198][ T402] should_fail+0xb/0x10 [ 31.665190][ T402] get_futex_key+0x177/0xc90 [ 31.669621][ T402] ? futex_setup_timer+0xd0/0xd0 [ 31.674392][ T402] futex_wake+0x1af/0xb60 [ 31.678556][ T402] ? futex_wake_mark+0x170/0x170 [ 31.683329][ T402] ? finish_task_switch+0x207/0x7b0 [ 31.688363][ T402] ? __schedule+0xca1/0x1540 [ 31.692788][ T402] ? __kasan_check_write+0x14/0x20 [ 31.697735][ T402] ? __kasan_check_write+0x14/0x20 [ 31.702683][ T402] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 31.707778][ T402] do_futex+0x501/0x9a0 [ 31.711774][ T402] ? __ia32_sys_get_robust_list+0x90/0x90 [ 31.717325][ T402] __se_sys_futex+0x35e/0x3c0 [ 31.721836][ T402] ? _raw_spin_unlock_irq+0x4d/0x70 [ 31.726867][ T402] ? __x64_sys_futex+0x100/0x100 [ 31.731654][ T402] ? fpregs_restore_userregs+0x130/0x290 [ 31.737113][ T402] __x64_sys_futex+0xe5/0x100 [ 31.741621][ T402] do_syscall_64+0x3d/0xb0 [ 31.745877][ T402] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 31.751602][ T402] RIP: 0033:0x7f1ef6aecf59 [ 31.755857][ T402] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 31.775301][ T402] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 31.783542][ T402] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [pid 402] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = -1 EFAULT (Bad address) [pid 401] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 402] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 401] exit_group(0) = ? [pid 402] <... futex resumed>) = ? [pid 402] +++ exited with 0 +++ [pid 401] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=401, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- umount2("./48", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./48/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./48/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./48/binderfs") = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./48/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./48/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./48") = 0 mkdir("./49", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 404 ./strace-static-x86_64: Process 404 attached [pid 404] set_robust_list(0x555555a286a0, 24) = 0 [pid 404] chdir("./49") = 0 [pid 404] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 404] setpgid(0, 0) = 0 [pid 404] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 404] write(3, "1000", 4) = 4 [pid 404] close(3) = 0 [pid 404] symlink("/dev/binderfs", "./binderfs") = 0 [pid 404] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 404] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 404] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 404] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 404] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 404] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 404] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 405 attached => {parent_tid=[405]}, 88) = 405 [pid 405] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 405] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 405] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 404] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 404] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 404] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 405] <... futex resumed>) = 0 [pid 405] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 405] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 404] <... futex resumed>) = 0 [pid 404] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 405] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 404] <... futex resumed>) = 0 [pid 404] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 405] <... bpf resumed>) = 4 [pid 405] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 404] <... futex resumed>) = 0 [pid 405] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 404] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 405] <... bpf resumed>) = 5 [pid 405] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 404] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 405] <... futex resumed>) = 0 [pid 404] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 405] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 404] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 405] <... bpf resumed>) = 0 [pid 404] <... futex resumed>) = 0 [pid 405] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 404] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 405] <... futex resumed>) = 0 [pid 404] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 404] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 405] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 404] <... futex resumed>) = 0 [pid 404] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 405] <... bpf resumed>) = 0 [pid 405] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 404] <... futex resumed>) = 0 [pid 405] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 404] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 405] <... bind resumed>) = 0 [pid 404] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 405] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 404] <... futex resumed>) = 0 [pid 404] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 405] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 404] <... futex resumed>) = 0 [pid 404] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 405] <... openat resumed>) = 6 [pid 405] write(6, "8", 1) = 1 [pid 405] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 405] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 404] <... futex resumed>) = 0 [pid 405] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [ 31.791356][ T402] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 31.799184][ T402] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 31.806974][ T402] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 31.814787][ T402] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 31.822705][ T402] [pid 404] exit_group(0) = ? [ 31.850492][ T405] FAULT_INJECTION: forcing a failure. [ 31.850492][ T405] name fail_futex, interval 1, probability 0, space 0, times 0 [ 31.863618][ T405] CPU: 1 PID: 405 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 31.874890][ T405] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 31.884784][ T405] Call Trace: [ 31.888602][ T405] [ 31.891379][ T405] dump_stack_lvl+0x151/0x1b7 [ 31.895904][ T405] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 31.901191][ T405] ? __kasan_check_write+0x14/0x20 [ 31.906133][ T405] ? _raw_spin_lock_irqsave+0xf9/0x210 [ 31.911439][ T405] dump_stack+0x15/0x17 [ 31.915528][ T405] should_fail_ex+0x3d0/0x520 [ 31.920040][ T405] should_fail+0xb/0x10 [ 31.924033][ T405] get_futex_key+0x177/0xc90 [ 31.928465][ T405] ? futex_setup_timer+0xd0/0xd0 [ 31.933236][ T405] futex_wait_setup+0xc3/0x330 [ 31.937838][ T405] ? futex_wait_multiple+0x8e0/0x8e0 [ 31.942953][ T405] ? __switch_to+0x62c/0x1190 [ 31.947468][ T405] ? futex_wait+0xf3/0x7e0 [ 31.951722][ T405] ? futex_setup_timer+0xb0/0xd0 [ 31.956493][ T405] futex_wait+0x1b9/0x7e0 [ 31.960663][ T405] ? __sched_clock_gtod_offset+0x100/0x100 [ 31.966301][ T405] ? futex_wait_setup+0x330/0x330 [ 31.971174][ T405] ? __kasan_check_write+0x14/0x20 [ 31.976108][ T405] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 31.981058][ T405] do_futex+0x55a/0x9a0 [ 31.985050][ T405] ? __ia32_sys_get_robust_list+0x90/0x90 [ 31.990608][ T405] __se_sys_futex+0x35e/0x3c0 [ 31.995124][ T405] ? _raw_spin_unlock_irq+0x4d/0x70 [ 32.000152][ T405] ? __x64_sys_futex+0x100/0x100 [ 32.004924][ T405] ? fpregs_restore_userregs+0x130/0x290 [ 32.010395][ T405] __x64_sys_futex+0xe5/0x100 [ 32.014908][ T405] do_syscall_64+0x3d/0xb0 [ 32.019159][ T405] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 32.024888][ T405] RIP: 0033:0x7f1ef6aecf59 [ 32.029142][ T405] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [pid 405] <... futex resumed>) = ? [pid 405] +++ exited with 0 +++ [pid 404] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=404, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- restart_syscall(<... resuming interrupted clone ...>) = 0 [ 32.048582][ T405] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 32.056825][ T405] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 32.064641][ T405] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1ef6b773e8 [ 32.072447][ T405] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 32.080262][ T405] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 32.088072][ T405] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 32.095887][ T405] umount2("./49", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./49/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./49/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./49/binderfs") = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./49/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./49/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./49") = 0 mkdir("./50", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 406 ./strace-static-x86_64: Process 406 attached [pid 406] set_robust_list(0x555555a286a0, 24) = 0 [pid 406] chdir("./50") = 0 [pid 406] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 406] setpgid(0, 0) = 0 [pid 406] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 406] write(3, "1000", 4) = 4 [pid 406] close(3) = 0 [pid 406] symlink("/dev/binderfs", "./binderfs") = 0 [pid 406] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 406] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 406] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 406] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 406] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 406] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[407]}, 88) = 407 [pid 406] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 406] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 407 attached [pid 407] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 407] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 407] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 407] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 406] <... futex resumed>) = 0 [pid 406] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... futex resumed>) = 1 [pid 407] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 407] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 407] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 406] <... futex resumed>) = 0 [pid 406] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 407] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 407] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 406] <... futex resumed>) = 0 [pid 406] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... futex resumed>) = 1 [pid 407] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 407] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 406] <... futex resumed>) = 0 [pid 406] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... futex resumed>) = 1 [pid 407] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 407] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 406] <... futex resumed>) = 0 [pid 406] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... futex resumed>) = 1 [pid 407] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 407] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 407] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 406] <... futex resumed>) = 0 [pid 406] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 406] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... futex resumed>) = 0 [pid 407] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 407] write(6, "8", 1) = 1 [pid 407] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 407] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 406] <... futex resumed>) = 0 [pid 407] <... futex resumed>) = 1 [pid 406] exit_group(0) = ? [pid 407] +++ exited with 0 +++ [pid 406] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=406, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./50", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./50", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./50/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./50/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./50/binderfs") = 0 umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./50/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./50/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./50") = 0 mkdir("./51", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 408 ./strace-static-x86_64: Process 408 attached [pid 408] set_robust_list(0x555555a286a0, 24) = 0 [pid 408] chdir("./51") = 0 [pid 408] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 408] setpgid(0, 0) = 0 [pid 408] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 408] write(3, "1000", 4) = 4 [pid 408] close(3) = 0 [pid 408] symlink("/dev/binderfs", "./binderfs") = 0 [pid 408] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 408] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 408] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 408] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 408] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 408] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 408] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[409]}, 88) = 409 [pid 408] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 408] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 408] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 409 attached [pid 409] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 409] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 409] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 409] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 409] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 408] <... futex resumed>) = 0 [pid 408] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 408] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 409] <... futex resumed>) = 0 [pid 409] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 409] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 408] <... futex resumed>) = 0 [pid 408] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 409] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 408] <... futex resumed>) = 0 [pid 409] <... bpf resumed>) = 5 [pid 408] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 409] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 408] <... futex resumed>) = 0 [pid 409] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 408] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 409] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 408] <... futex resumed>) = 0 [pid 409] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 408] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 409] <... bpf resumed>) = 0 [pid 409] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 409] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 408] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 408] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 409] <... futex resumed>) = 0 [pid 409] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 408] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 409] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 408] <... futex resumed>) = 0 [pid 408] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 409] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 408] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 409] <... bind resumed>) = 0 [pid 409] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 408] <... futex resumed>) = 0 [pid 408] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 409] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 408] <... futex resumed>) = 0 [pid 409] <... openat resumed>) = 6 [pid 408] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 409] write(6, "8", 1) = 1 [pid 409] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 409] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 408] <... futex resumed>) = 0 [pid 409] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 408] exit_group(0 [pid 409] <... futex resumed>) = ? [pid 408] <... exit_group resumed>) = ? [pid 409] +++ exited with 0 +++ [pid 408] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=408, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./51", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./51/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./51/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./51/binderfs") = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./51/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./51/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./51") = 0 mkdir("./52", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 410 ./strace-static-x86_64: Process 410 attached [pid 410] set_robust_list(0x555555a286a0, 24) = 0 [pid 410] chdir("./52") = 0 [pid 410] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 410] setpgid(0, 0) = 0 [pid 410] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 410] write(3, "1000", 4) = 4 [pid 410] close(3) = 0 [pid 410] symlink("/dev/binderfs", "./binderfs") = 0 [pid 410] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 410] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 410] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 410] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 410] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 410] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 410] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 411 attached [pid 411] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 411] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 411] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 410] <... clone3 resumed> => {parent_tid=[411]}, 88) = 411 [pid 410] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 410] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 411] <... futex resumed>) = 0 [pid 411] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 411] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 32.101673][ T28] audit: type=1400 audit(1694295490.469:73): avc: denied { remove_name } for pid=84 comm="syslogd" name="messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 32.123859][ T28] audit: type=1400 audit(1694295490.469:74): avc: denied { rename } for pid=84 comm="syslogd" name="messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [pid 411] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 410] <... futex resumed>) = 1 [pid 410] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 410] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] <... futex resumed>) = 0 [pid 411] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 410] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 411] <... bpf resumed>) = 4 [pid 411] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 410] <... futex resumed>) = 0 [pid 410] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] <... futex resumed>) = 0 [pid 411] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 410] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 411] <... bpf resumed>) = 5 [pid 411] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 410] <... futex resumed>) = 0 [pid 410] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] <... futex resumed>) = 0 [pid 411] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 411] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 411] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 410] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 410] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] <... futex resumed>) = 0 [pid 411] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 411] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 411] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 410] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 410] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] <... futex resumed>) = 0 [pid 411] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 411] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 411] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 410] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 410] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] <... futex resumed>) = 0 [pid 411] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 410] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 411] write(6, "8", 1) = 1 [pid 411] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 32.191672][ T411] FAULT_INJECTION: forcing a failure. [ 32.191672][ T411] name fail_futex, interval 1, probability 0, space 0, times 0 [ 32.204439][ T411] CPU: 0 PID: 411 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 32.215733][ T411] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 32.225615][ T411] Call Trace: [ 32.228737][ T411] [ 32.231517][ T411] dump_stack_lvl+0x151/0x1b7 [ 32.236032][ T411] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [pid 411] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 410] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 410] exit_group(0) = ? [ 32.241334][ T411] dump_stack+0x15/0x17 [ 32.245321][ T411] should_fail_ex+0x3d0/0x520 [ 32.249830][ T411] should_fail+0xb/0x10 [ 32.253823][ T411] get_futex_key+0x177/0xc90 [ 32.258259][ T411] ? futex_setup_timer+0xd0/0xd0 [ 32.263029][ T411] futex_wake+0x1af/0xb60 [ 32.267198][ T411] ? futex_wake_mark+0x170/0x170 [ 32.271962][ T411] ? finish_task_switch+0x167/0x7b0 [ 32.276998][ T411] ? __schedule+0xca1/0x1540 [ 32.281424][ T411] ? __kasan_check_write+0x14/0x20 [ 32.286370][ T411] ? __kasan_check_write+0x14/0x20 [ 32.291316][ T411] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 32.296264][ T411] do_futex+0x501/0x9a0 [ 32.300256][ T411] ? __ia32_sys_get_robust_list+0x90/0x90 [ 32.305813][ T411] __se_sys_futex+0x35e/0x3c0 [ 32.310332][ T411] ? _raw_spin_unlock_irq+0x4d/0x70 [ 32.315357][ T411] ? __x64_sys_futex+0x100/0x100 [ 32.320135][ T411] ? fpregs_restore_userregs+0x130/0x290 [ 32.325610][ T411] __x64_sys_futex+0xe5/0x100 [ 32.330115][ T411] do_syscall_64+0x3d/0xb0 [ 32.334369][ T411] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 32.340092][ T411] RIP: 0033:0x7f1ef6aecf59 [ 32.344346][ T411] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 32.363902][ T411] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 32.372133][ T411] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 32.379945][ T411] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 411] <... futex resumed>) = ? [pid 411] +++ exited with 0 +++ [pid 410] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=410, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./52", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./52", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./52/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./52/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./52/binderfs") = 0 umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./52/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./52/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./52") = 0 mkdir("./53", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 412 ./strace-static-x86_64: Process 412 attached [pid 412] set_robust_list(0x555555a286a0, 24) = 0 [pid 412] chdir("./53") = 0 [pid 412] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 412] setpgid(0, 0) = 0 [pid 412] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 412] write(3, "1000", 4) = 4 [pid 412] close(3) = 0 [pid 412] symlink("/dev/binderfs", "./binderfs") = 0 [pid 412] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 412] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 412] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 412] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 412] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 412] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 412] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 413 attached => {parent_tid=[413]}, 88) = 413 [pid 413] set_robust_list(0x7f1ef6aad9a0, 24 [pid 412] rt_sigprocmask(SIG_SETMASK, [], [pid 413] <... set_robust_list resumed>) = 0 [pid 412] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 413] rt_sigprocmask(SIG_SETMASK, [], [pid 412] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 413] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 412] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 413] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 413] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 412] <... futex resumed>) = 0 [pid 412] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 412] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 413] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 413] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 412] <... futex resumed>) = 0 [pid 412] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 412] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 413] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 413] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 412] <... futex resumed>) = 0 [pid 412] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 412] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 413] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 413] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 412] <... futex resumed>) = 0 [pid 412] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 412] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 413] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 413] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 412] <... futex resumed>) = 0 [pid 412] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 412] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 413] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 413] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 412] <... futex resumed>) = 0 [pid 413] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 412] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 413] <... openat resumed>) = 6 [pid 412] <... futex resumed>) = 0 [pid 413] write(6, "8", 1 [pid 412] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 413] <... write resumed>) = 1 [pid 413] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 32.387758][ T411] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 32.395581][ T411] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 32.403382][ T411] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 32.411199][ T411] [ 32.447189][ T413] FAULT_INJECTION: forcing a failure. [ 32.447189][ T413] name fail_futex, interval 1, probability 0, space 0, times 0 [ 32.460000][ T413] CPU: 1 PID: 413 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 32.471416][ T413] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 32.481311][ T413] Call Trace: [ 32.484431][ T413] [ 32.487207][ T413] dump_stack_lvl+0x151/0x1b7 [ 32.491726][ T413] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 32.497018][ T413] dump_stack+0x15/0x17 [ 32.501010][ T413] should_fail_ex+0x3d0/0x520 [ 32.505526][ T413] should_fail+0xb/0x10 [ 32.509514][ T413] get_futex_key+0x177/0xc90 [ 32.513951][ T413] ? futex_setup_timer+0xd0/0xd0 [ 32.518721][ T413] futex_wake+0x1af/0xb60 [ 32.522883][ T413] ? futex_wake_mark+0x170/0x170 [ 32.527653][ T413] ? finish_task_switch+0x167/0x7b0 [ 32.532687][ T413] ? __schedule+0xca1/0x1540 [ 32.537116][ T413] ? __kasan_check_write+0x14/0x20 [ 32.542061][ T413] ? __kasan_check_write+0x14/0x20 [ 32.547006][ T413] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 32.551964][ T413] do_futex+0x501/0x9a0 [ 32.555949][ T413] ? __ia32_sys_get_robust_list+0x90/0x90 [ 32.561512][ T413] __se_sys_futex+0x35e/0x3c0 [ 32.566014][ T413] ? _raw_spin_unlock_irq+0x4d/0x70 [ 32.571055][ T413] ? __x64_sys_futex+0x100/0x100 [ 32.575831][ T413] ? fpregs_restore_userregs+0x130/0x290 [ 32.581292][ T413] __x64_sys_futex+0xe5/0x100 [ 32.585807][ T413] do_syscall_64+0x3d/0xb0 [ 32.590065][ T413] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 32.595783][ T413] RIP: 0033:0x7f1ef6aecf59 [ 32.600038][ T413] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 32.619687][ T413] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 32.628025][ T413] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 32.635830][ T413] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 413] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = -1 EFAULT (Bad address) [pid 412] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 413] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 412] exit_group(0 [pid 413] <... futex resumed>) = ? [pid 412] <... exit_group resumed>) = ? [pid 413] +++ exited with 0 +++ [pid 412] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=412, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./53", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./53/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./53/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./53/binderfs") = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./53/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./53/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./53") = 0 mkdir("./54", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 414 ./strace-static-x86_64: Process 414 attached [pid 414] set_robust_list(0x555555a286a0, 24) = 0 [pid 414] chdir("./54") = 0 [pid 414] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 414] setpgid(0, 0) = 0 [pid 414] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 414] write(3, "1000", 4) = 4 [pid 414] close(3) = 0 [pid 414] symlink("/dev/binderfs", "./binderfs") = 0 [pid 414] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 414] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 414] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 414] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 414] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 414] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 414] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[415]}, 88) = 415 [pid 414] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 414] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 414] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 415 attached [pid 415] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 415] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 415] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 415] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 414] <... futex resumed>) = 0 [pid 415] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 414] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 415] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 414] <... futex resumed>) = 0 [pid 415] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 414] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 415] <... bpf resumed>) = 4 [pid 415] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 414] <... futex resumed>) = 0 [pid 414] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 414] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 415] <... futex resumed>) = 1 [pid 415] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 415] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 414] <... futex resumed>) = 0 [pid 415] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 414] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 415] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 414] <... futex resumed>) = 0 [pid 415] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 414] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 415] <... bpf resumed>) = 0 [pid 415] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 414] <... futex resumed>) = 0 [pid 415] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 414] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 415] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 414] <... futex resumed>) = 0 [pid 415] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 414] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 415] <... bpf resumed>) = 0 [pid 415] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 414] <... futex resumed>) = 0 [pid 415] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 414] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 415] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 414] <... futex resumed>) = 0 [pid 415] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 414] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 415] <... bind resumed>) = 0 [pid 415] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 414] <... futex resumed>) = 0 [pid 415] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 414] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 415] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 414] <... futex resumed>) = 0 [pid 415] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 414] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 415] <... openat resumed>) = 6 [pid 415] write(6, "8", 1) = 1 [pid 415] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 32.643649][ T413] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 32.651453][ T413] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 32.659267][ T413] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 32.667091][ T413] [pid 415] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 414] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 414] exit_group(0) = ? [ 32.696120][ T415] FAULT_INJECTION: forcing a failure. [ 32.696120][ T415] name fail_futex, interval 1, probability 0, space 0, times 0 [ 32.708984][ T415] CPU: 0 PID: 415 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 32.720339][ T415] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 32.730235][ T415] Call Trace: [ 32.733359][ T415] [ 32.736133][ T415] dump_stack_lvl+0x151/0x1b7 [ 32.740649][ T415] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 32.745947][ T415] dump_stack+0x15/0x17 [ 32.749943][ T415] should_fail_ex+0x3d0/0x520 [ 32.754448][ T415] should_fail+0xb/0x10 [ 32.758441][ T415] get_futex_key+0x177/0xc90 [ 32.762867][ T415] ? futex_setup_timer+0xd0/0xd0 [ 32.767649][ T415] futex_wake+0x1af/0xb60 [ 32.771815][ T415] ? futex_wake_mark+0x170/0x170 [ 32.776580][ T415] ? finish_task_switch+0x167/0x7b0 [ 32.781615][ T415] ? __schedule+0xca1/0x1540 [ 32.786040][ T415] ? __kasan_check_write+0x14/0x20 [ 32.790998][ T415] ? __kasan_check_write+0x14/0x20 [ 32.795940][ T415] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 32.800879][ T415] do_futex+0x501/0x9a0 [ 32.804876][ T415] ? __ia32_sys_get_robust_list+0x90/0x90 [ 32.810432][ T415] __se_sys_futex+0x35e/0x3c0 [ 32.814955][ T415] ? _raw_spin_unlock_irq+0x4d/0x70 [ 32.819982][ T415] ? __x64_sys_futex+0x100/0x100 [ 32.824753][ T415] ? fpregs_restore_userregs+0x130/0x290 [ 32.830220][ T415] __x64_sys_futex+0xe5/0x100 [ 32.834737][ T415] do_syscall_64+0x3d/0xb0 [ 32.838999][ T415] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 32.844713][ T415] RIP: 0033:0x7f1ef6aecf59 [ 32.848973][ T415] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 32.868669][ T415] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 32.876909][ T415] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 32.884720][ T415] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 415] <... futex resumed>) = ? [pid 415] +++ exited with 0 +++ [pid 414] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=414, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./54", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./54/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./54/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./54/binderfs") = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./54/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./54/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./54") = 0 mkdir("./55", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 417 ./strace-static-x86_64: Process 417 attached [pid 417] set_robust_list(0x555555a286a0, 24) = 0 [pid 417] chdir("./55") = 0 [pid 417] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 417] setpgid(0, 0) = 0 [pid 417] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 417] write(3, "1000", 4) = 4 [pid 417] close(3) = 0 [pid 417] symlink("/dev/binderfs", "./binderfs") = 0 [pid 417] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 417] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 417] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 417] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 417] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 417] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[418]}, 88) = 418 [pid 417] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 417] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 418 attached [pid 418] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 418] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 418] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 418] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 418] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 418] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 418] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 418] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 418] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 418] write(6, "8", 1) = 1 [pid 418] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 418] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 417] <... futex resumed>) = 0 [pid 417] exit_group(0) = ? [pid 418] +++ exited with 0 +++ [pid 417] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=417, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./55", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./55/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./55/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./55/binderfs") = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./55/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./55/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./55") = 0 mkdir("./56", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 419 ./strace-static-x86_64: Process 419 attached [pid 419] set_robust_list(0x555555a286a0, 24) = 0 [pid 419] chdir("./56") = 0 [pid 419] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 419] setpgid(0, 0) = 0 [pid 419] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 419] write(3, "1000", 4) = 4 [pid 419] close(3) = 0 [pid 419] symlink("/dev/binderfs", "./binderfs") = 0 [pid 419] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 419] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 419] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 419] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 419] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 419] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 419] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 420 attached => {parent_tid=[420]}, 88) = 420 [pid 419] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 419] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 419] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 420] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 420] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 420] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 420] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 419] <... futex resumed>) = 0 [pid 419] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 419] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 420] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 420] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 419] <... futex resumed>) = 0 [pid 419] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 419] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 420] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 420] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 419] <... futex resumed>) = 0 [pid 419] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 419] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 420] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 420] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 419] <... futex resumed>) = 0 [pid 419] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 419] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 420] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 420] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 419] <... futex resumed>) = 0 [pid 419] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 419] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 420] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 420] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 419] <... futex resumed>) = 0 [pid 419] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 419] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 32.892530][ T415] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 32.900342][ T415] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 32.908165][ T415] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 32.915978][ T415] [pid 420] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 420] write(6, "8", 1) = 1 [pid 420] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 420] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 419] <... futex resumed>) = 0 [pid 419] exit_group(0) = ? [pid 420] +++ exited with 0 +++ [pid 419] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=419, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./56", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./56/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./56/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./56/binderfs") = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./56/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./56/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./56") = 0 mkdir("./57", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 421 ./strace-static-x86_64: Process 421 attached [pid 421] set_robust_list(0x555555a286a0, 24) = 0 [pid 421] chdir("./57") = 0 [pid 421] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 421] setpgid(0, 0) = 0 [pid 421] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 421] write(3, "1000", 4) = 4 [pid 421] close(3) = 0 [pid 421] symlink("/dev/binderfs", "./binderfs") = 0 [pid 421] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 421] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 421] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 421] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 421] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 421] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 421] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[422]}, 88) = 422 ./strace-static-x86_64: Process 422 attached [pid 422] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 422] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 422] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 421] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 421] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 422] <... futex resumed>) = 0 [pid 421] <... futex resumed>) = 1 [pid 422] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 421] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 422] <... socket resumed>) = 3 [pid 422] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 421] <... futex resumed>) = 0 [pid 422] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 421] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 422] <... bpf resumed>) = 4 [pid 421] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 422] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 421] <... futex resumed>) = 0 [pid 422] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 421] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 422] <... bpf resumed>) = 5 [pid 421] <... futex resumed>) = 0 [pid 422] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 421] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 422] <... futex resumed>) = 0 [pid 421] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 422] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 421] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 422] <... bpf resumed>) = 0 [pid 421] <... futex resumed>) = 0 [pid 422] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 421] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 422] <... futex resumed>) = 0 [pid 421] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 422] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 421] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 422] <... bpf resumed>) = 0 [pid 421] <... futex resumed>) = 0 [pid 422] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 421] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 422] <... futex resumed>) = 0 [pid 421] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 422] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 421] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 422] <... bind resumed>) = 0 [pid 422] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 421] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 422] <... futex resumed>) = 0 [pid 421] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 422] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 421] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 422] <... openat resumed>) = 6 [pid 421] <... futex resumed>) = 0 [pid 422] write(6, "8", 1 [pid 421] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 422] <... write resumed>) = 1 [pid 422] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 422] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 421] <... futex resumed>) = 0 [pid 422] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 421] exit_group(0 [pid 422] <... futex resumed>) = ? [pid 421] <... exit_group resumed>) = ? [pid 422] +++ exited with 0 +++ [pid 421] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=421, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./57", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./57/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./57/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./57/binderfs") = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./57/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./57/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./57") = 0 mkdir("./58", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 423 ./strace-static-x86_64: Process 423 attached [pid 423] set_robust_list(0x555555a286a0, 24) = 0 [pid 423] chdir("./58") = 0 [pid 423] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 423] setpgid(0, 0) = 0 [pid 423] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 423] write(3, "1000", 4) = 4 [pid 423] close(3) = 0 [pid 423] symlink("/dev/binderfs", "./binderfs") = 0 [pid 423] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 423] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 423] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 423] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 423] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 423] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 423] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 424 attached => {parent_tid=[424]}, 88) = 424 [pid 424] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 424] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 424] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 423] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 423] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 424] <... futex resumed>) = 0 [pid 423] <... futex resumed>) = 1 [pid 424] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 424] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 424] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 423] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 423] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 424] <... futex resumed>) = 0 [pid 424] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 423] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 424] <... bpf resumed>) = 4 [pid 424] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 423] <... futex resumed>) = 0 [pid 423] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 424] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 423] <... futex resumed>) = 0 [pid 424] <... bpf resumed>) = 5 [pid 423] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 424] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 423] <... futex resumed>) = 0 [pid 423] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 423] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 424] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 424] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 423] <... futex resumed>) = 0 [pid 423] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 424] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 423] <... futex resumed>) = 0 [pid 424] <... bpf resumed>) = 0 [pid 424] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 423] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 424] <... futex resumed>) = 0 [pid 423] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 424] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 423] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 424] <... bind resumed>) = 0 [pid 424] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 423] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 424] <... futex resumed>) = 0 [pid 423] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 423] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 424] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 423] <... futex resumed>) = 0 [pid 423] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 424] <... openat resumed>) = 6 [pid 424] write(6, "8", 1) = 1 [pid 424] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 424] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 423] <... futex resumed>) = 0 [pid 423] exit_group(0) = ? [pid 424] +++ exited with 0 +++ [pid 423] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=423, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./58", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./58/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./58/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./58/binderfs") = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./58/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./58/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./58") = 0 mkdir("./59", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 425 ./strace-static-x86_64: Process 425 attached [pid 425] set_robust_list(0x555555a286a0, 24) = 0 [pid 425] chdir("./59") = 0 [pid 425] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 425] setpgid(0, 0) = 0 [pid 425] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 425] write(3, "1000", 4) = 4 [pid 425] close(3) = 0 [pid 425] symlink("/dev/binderfs", "./binderfs") = 0 [pid 425] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 425] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 425] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 425] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 425] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 425] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 425] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[426]}, 88) = 426 [pid 425] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 425] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 425] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 426 attached [pid 426] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 426] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 426] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 426] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 425] <... futex resumed>) = 0 [pid 425] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 425] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 426] <... futex resumed>) = 1 [pid 426] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 426] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 425] <... futex resumed>) = 0 [pid 425] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 425] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 426] <... futex resumed>) = 1 [pid 426] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 426] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 425] <... futex resumed>) = 0 [pid 425] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 425] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 426] <... futex resumed>) = 1 [pid 426] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 426] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 425] <... futex resumed>) = 0 [pid 425] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 425] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 426] <... futex resumed>) = 1 [pid 426] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 426] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 425] <... futex resumed>) = 0 [pid 425] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 425] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 426] <... futex resumed>) = 1 [pid 426] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 426] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 425] <... futex resumed>) = 0 [pid 425] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 425] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 426] <... futex resumed>) = 1 [pid 426] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 426] write(6, "8", 1) = 1 [pid 426] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 426] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 425] <... futex resumed>) = 0 [pid 425] exit_group(0) = ? [pid 426] <... futex resumed>) = ? [pid 426] +++ exited with 0 +++ [pid 425] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=425, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./59", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./59/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./59/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./59/binderfs") = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./59/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./59/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./59") = 0 mkdir("./60", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 427 attached , child_tidptr=0x555555a28690) = 427 [pid 427] set_robust_list(0x555555a286a0, 24) = 0 [pid 427] chdir("./60") = 0 [pid 427] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 427] setpgid(0, 0) = 0 [pid 427] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 427] write(3, "1000", 4) = 4 [pid 427] close(3) = 0 [pid 427] symlink("/dev/binderfs", "./binderfs") = 0 [pid 427] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 427] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 427] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 427] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 427] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 427] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 428 attached => {parent_tid=[428]}, 88) = 428 [pid 427] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 427] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 428] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 428] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 428] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 427] <... futex resumed>) = 0 [pid 427] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 428] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 427] <... futex resumed>) = 0 [pid 427] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 428] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 427] <... futex resumed>) = 0 [pid 427] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 428] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 427] <... futex resumed>) = 0 [pid 427] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 428] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 427] <... futex resumed>) = 0 [pid 427] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 428] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 427] <... futex resumed>) = 0 [pid 427] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 428] write(6, "8", 1) = 1 [pid 428] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 428] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 427] <... futex resumed>) = 0 [pid 427] exit_group(0) = ? [pid 428] +++ exited with 0 +++ [pid 427] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=427, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./60", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./60/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./60/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./60/binderfs") = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./60/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./60/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./60") = 0 mkdir("./61", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 429 ./strace-static-x86_64: Process 429 attached [pid 429] set_robust_list(0x555555a286a0, 24) = 0 [pid 429] chdir("./61") = 0 [pid 429] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 429] setpgid(0, 0) = 0 [pid 429] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 429] write(3, "1000", 4) = 4 [pid 429] close(3) = 0 [pid 429] symlink("/dev/binderfs", "./binderfs") = 0 [pid 429] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 429] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 429] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 429] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 429] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 429] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 429] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 430 attached => {parent_tid=[430]}, 88) = 430 [pid 430] set_robust_list(0x7f1ef6aad9a0, 24 [pid 429] rt_sigprocmask(SIG_SETMASK, [], [pid 430] <... set_robust_list resumed>) = 0 [pid 429] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 430] rt_sigprocmask(SIG_SETMASK, [], [pid 429] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 430] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 429] <... futex resumed>) = 0 [pid 430] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 429] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 430] <... socket resumed>) = 3 [pid 430] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 429] <... futex resumed>) = 0 [pid 430] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 429] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 430] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 429] <... futex resumed>) = 0 [pid 429] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 430] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 430] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 429] <... futex resumed>) = 0 [pid 429] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 429] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 430] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 430] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 429] <... futex resumed>) = 0 [pid 430] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 429] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 430] <... bpf resumed>) = 0 [pid 429] <... futex resumed>) = 0 [pid 430] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 429] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 430] <... futex resumed>) = 0 [pid 429] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 430] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 429] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 430] <... bpf resumed>) = 0 [pid 429] <... futex resumed>) = 0 [pid 430] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 429] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 430] <... futex resumed>) = 0 [pid 429] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 430] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 429] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 430] <... bind resumed>) = 0 [pid 429] <... futex resumed>) = 0 [pid 430] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 429] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 430] <... futex resumed>) = 0 [pid 429] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 430] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 429] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 430] <... openat resumed>) = 6 [pid 429] <... futex resumed>) = 0 [pid 430] write(6, "8", 1 [pid 429] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 430] <... write resumed>) = 1 [pid 430] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 33.060663][ T430] FAULT_INJECTION: forcing a failure. [ 33.060663][ T430] name fail_futex, interval 1, probability 0, space 0, times 0 [ 33.073427][ T430] CPU: 0 PID: 430 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 33.084780][ T430] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 33.094688][ T430] Call Trace: [ 33.097818][ T430] [ 33.100578][ T430] dump_stack_lvl+0x151/0x1b7 [ 33.105088][ T430] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 33.110388][ T430] dump_stack+0x15/0x17 [ 33.114373][ T430] should_fail_ex+0x3d0/0x520 [ 33.118885][ T430] should_fail+0xb/0x10 [ 33.122884][ T430] get_futex_key+0x177/0xc90 [ 33.127305][ T430] ? futex_setup_timer+0xd0/0xd0 [ 33.132079][ T430] futex_wake+0x1af/0xb60 [ 33.136244][ T430] ? futex_wake_mark+0x170/0x170 [ 33.141016][ T430] ? finish_task_switch+0x167/0x7b0 [ 33.146053][ T430] ? __schedule+0xca1/0x1540 [ 33.150483][ T430] ? __kasan_check_write+0x14/0x20 [ 33.155427][ T430] ? __kasan_check_write+0x14/0x20 [ 33.160373][ T430] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 33.165326][ T430] do_futex+0x501/0x9a0 [ 33.169315][ T430] ? __ia32_sys_get_robust_list+0x90/0x90 [ 33.174872][ T430] __se_sys_futex+0x35e/0x3c0 [ 33.179381][ T430] ? _raw_spin_unlock_irq+0x4d/0x70 [ 33.184432][ T430] ? __x64_sys_futex+0x100/0x100 [ 33.189189][ T430] ? fpregs_restore_userregs+0x130/0x290 [ 33.194659][ T430] __x64_sys_futex+0xe5/0x100 [ 33.199169][ T430] do_syscall_64+0x3d/0xb0 [ 33.203420][ T430] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 33.209164][ T430] RIP: 0033:0x7f1ef6aecf59 [ 33.213402][ T430] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 33.232844][ T430] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 33.241089][ T430] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 33.248912][ T430] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 430] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = -1 EFAULT (Bad address) [pid 429] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 430] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 429] exit_group(0 [pid 430] <... futex resumed>) = ? [pid 429] <... exit_group resumed>) = ? [pid 430] +++ exited with 0 +++ [pid 429] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=429, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- umount2("./61", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./61/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./61/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./61/binderfs") = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./61/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./61/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./61") = 0 mkdir("./62", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 431 ./strace-static-x86_64: Process 431 attached [pid 431] set_robust_list(0x555555a286a0, 24) = 0 [pid 431] chdir("./62") = 0 [pid 431] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 431] setpgid(0, 0) = 0 [pid 431] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 431] write(3, "1000", 4) = 4 [pid 431] close(3) = 0 [pid 431] symlink("/dev/binderfs", "./binderfs") = 0 [pid 431] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 431] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 431] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 431] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 431] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 431] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 431] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 432 attached => {parent_tid=[432]}, 88) = 432 [pid 431] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 431] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 431] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 432] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 432] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 432] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 432] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 431] <... futex resumed>) = 0 [pid 431] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 431] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 432] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 432] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 431] <... futex resumed>) = 0 [pid 431] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 431] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 432] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 432] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 431] <... futex resumed>) = 0 [pid 431] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 431] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 432] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 432] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 431] <... futex resumed>) = 0 [pid 431] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 431] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 432] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 432] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 431] <... futex resumed>) = 0 [pid 431] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 431] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 432] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 432] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 431] <... futex resumed>) = 0 [pid 431] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 431] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 432] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 432] write(6, "8", 1) = 1 [pid 432] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 33.256709][ T430] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 33.264522][ T430] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 33.272333][ T430] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 33.280159][ T430] [ 33.305343][ T432] FAULT_INJECTION: forcing a failure. [ 33.305343][ T432] name fail_futex, interval 1, probability 0, space 0, times 0 [ 33.318065][ T432] CPU: 1 PID: 432 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 33.329552][ T432] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 33.339792][ T432] Call Trace: [ 33.343702][ T432] [ 33.346473][ T432] dump_stack_lvl+0x151/0x1b7 [ 33.350990][ T432] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 33.356281][ T432] dump_stack+0x15/0x17 [ 33.360271][ T432] should_fail_ex+0x3d0/0x520 [ 33.364791][ T432] should_fail+0xb/0x10 [ 33.368778][ T432] get_futex_key+0x177/0xc90 [ 33.373205][ T432] ? futex_setup_timer+0xd0/0xd0 [ 33.377985][ T432] futex_wake+0x1af/0xb60 [ 33.382152][ T432] ? futex_wake_mark+0x170/0x170 [ 33.386920][ T432] ? finish_task_switch+0x167/0x7b0 [ 33.391950][ T432] ? __schedule+0xca1/0x1540 [ 33.396376][ T432] ? __kasan_check_write+0x14/0x20 [ 33.401326][ T432] ? __kasan_check_write+0x14/0x20 [ 33.406275][ T432] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 33.411218][ T432] do_futex+0x501/0x9a0 [ 33.415211][ T432] ? __ia32_sys_get_robust_list+0x90/0x90 [ 33.420766][ T432] __se_sys_futex+0x35e/0x3c0 [ 33.425279][ T432] ? _raw_spin_unlock_irq+0x4d/0x70 [ 33.430317][ T432] ? __x64_sys_futex+0x100/0x100 [ 33.435098][ T432] ? fpregs_restore_userregs+0x130/0x290 [ 33.440562][ T432] __x64_sys_futex+0xe5/0x100 [ 33.445069][ T432] do_syscall_64+0x3d/0xb0 [ 33.449362][ T432] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 33.455163][ T432] RIP: 0033:0x7f1ef6aecf59 [ 33.459418][ T432] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 33.478863][ T432] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 33.487099][ T432] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 33.494916][ T432] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 432] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = -1 EFAULT (Bad address) [pid 431] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 432] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 431] exit_group(0 [pid 432] <... futex resumed>) = ? [pid 431] <... exit_group resumed>) = ? [pid 432] +++ exited with 0 +++ [pid 431] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=431, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- umount2("./62", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./62/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./62/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./62/binderfs") = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./62/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./62/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./62") = 0 mkdir("./63", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 433 ./strace-static-x86_64: Process 433 attached [pid 433] set_robust_list(0x555555a286a0, 24) = 0 [pid 433] chdir("./63") = 0 [pid 433] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 433] setpgid(0, 0) = 0 [pid 433] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 433] write(3, "1000", 4) = 4 [pid 433] close(3) = 0 [pid 433] symlink("/dev/binderfs", "./binderfs") = 0 [pid 433] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 433] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 433] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 433] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 433] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 433] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 433] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[434]}, 88) = 434 [pid 433] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 433] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 433] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 434 attached [pid 434] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 434] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 434] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 434] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 433] <... futex resumed>) = 0 [pid 433] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 433] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 434] <... futex resumed>) = 1 [pid 434] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 434] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 433] <... futex resumed>) = 0 [pid 434] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 433] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 433] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 434] <... bpf resumed>) = 5 [pid 434] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 433] <... futex resumed>) = 0 [pid 434] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 433] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 434] <... bpf resumed>) = 0 [pid 433] <... futex resumed>) = 0 [pid 434] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 433] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 434] <... futex resumed>) = 0 [pid 433] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 434] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 433] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 434] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 433] <... futex resumed>) = 0 [pid 433] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 434] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 434] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 433] <... futex resumed>) = 0 [pid 434] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 433] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 433] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 434] <... bind resumed>) = 0 [pid 434] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 433] <... futex resumed>) = 0 [pid 434] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 433] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 433] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 434] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 434] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 434] write(6, "8", 1) = 1 [pid 434] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 434] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 433] <... futex resumed>) = 0 [pid 434] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 433] exit_group(0) = ? [pid 434] <... futex resumed>) = ? [pid 434] +++ exited with 0 +++ [pid 433] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=433, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./63", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./63/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./63/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./63/binderfs") = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./63/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./63/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./63") = 0 mkdir("./64", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 435 ./strace-static-x86_64: Process 435 attached [pid 435] set_robust_list(0x555555a286a0, 24) = 0 [pid 435] chdir("./64") = 0 [pid 435] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 435] setpgid(0, 0) = 0 [pid 435] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 435] write(3, "1000", 4) = 4 [pid 435] close(3) = 0 [pid 435] symlink("/dev/binderfs", "./binderfs") = 0 [pid 435] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 435] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 435] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 435] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 435] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 435] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 435] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 436 attached [pid 436] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 435] <... clone3 resumed> => {parent_tid=[436]}, 88) = 436 [pid 436] rt_sigprocmask(SIG_SETMASK, [], [pid 435] rt_sigprocmask(SIG_SETMASK, [], [pid 436] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 435] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 436] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 435] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 436] <... socket resumed>) = 3 [pid 435] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 436] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 435] <... futex resumed>) = 0 [pid 435] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 436] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 435] <... futex resumed>) = 0 [pid 435] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 436] <... bpf resumed>) = 4 [pid 436] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 435] <... futex resumed>) = 0 [pid 436] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 435] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 436] <... bpf resumed>) = 5 [pid 435] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 436] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 435] <... futex resumed>) = 0 [pid 436] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 435] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 33.502720][ T432] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 33.510540][ T432] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 33.518568][ T432] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 33.526637][ T432] [pid 436] <... bpf resumed>) = 0 [pid 436] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 435] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 436] <... futex resumed>) = 0 [pid 435] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 436] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 435] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 436] <... bpf resumed>) = 0 [pid 435] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 436] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 435] <... futex resumed>) = 0 [pid 436] <... futex resumed>) = 1 [pid 435] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 435] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 436] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 436] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 435] <... futex resumed>) = 0 [pid 435] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 435] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 436] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 436] write(6, "8", 1) = 1 [pid 436] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 33.571132][ T436] FAULT_INJECTION: forcing a failure. [ 33.571132][ T436] name fail_futex, interval 1, probability 0, space 0, times 0 [ 33.583798][ T436] CPU: 1 PID: 436 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 33.595099][ T436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 33.604993][ T436] Call Trace: [ 33.608113][ T436] [ 33.611013][ T436] dump_stack_lvl+0x151/0x1b7 [ 33.615495][ T436] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 33.620785][ T436] ? newidle_balance+0x887/0x1090 [ 33.625687][ T436] dump_stack+0x15/0x17 [ 33.629635][ T436] should_fail_ex+0x3d0/0x520 [ 33.634256][ T436] should_fail+0xb/0x10 [ 33.638356][ T436] get_futex_key+0x177/0xc90 [ 33.642781][ T436] ? futex_setup_timer+0xd0/0xd0 [ 33.647563][ T436] futex_wake+0x1af/0xb60 [ 33.651804][ T436] ? futex_wake_mark+0x170/0x170 [ 33.656595][ T436] ? finish_task_switch+0x207/0x7b0 [ 33.661625][ T436] ? __schedule+0xca1/0x1540 [ 33.666385][ T436] ? __kasan_check_write+0x14/0x20 [ 33.671345][ T436] ? __kasan_check_write+0x14/0x20 [ 33.676280][ T436] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 33.681229][ T436] do_futex+0x501/0x9a0 [ 33.685223][ T436] ? __ia32_sys_get_robust_list+0x90/0x90 [ 33.690776][ T436] __se_sys_futex+0x35e/0x3c0 [ 33.695291][ T436] ? _raw_spin_unlock_irq+0x4d/0x70 [ 33.700322][ T436] ? __x64_sys_futex+0x100/0x100 [ 33.705096][ T436] ? fpregs_restore_userregs+0x130/0x290 [ 33.710577][ T436] __x64_sys_futex+0xe5/0x100 [ 33.715086][ T436] do_syscall_64+0x3d/0xb0 [ 33.719440][ T436] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 33.725174][ T436] RIP: 0033:0x7f1ef6aecf59 [ 33.729695][ T436] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 33.749360][ T436] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 33.757613][ T436] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [pid 436] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = -1 EFAULT (Bad address) [pid 435] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 436] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 435] exit_group(0 [pid 436] <... futex resumed>) = ? [pid 435] <... exit_group resumed>) = ? [pid 436] +++ exited with 0 +++ [pid 435] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=435, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./64", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./64", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./64/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./64/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./64/binderfs") = 0 umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./64/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./64/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./64") = 0 mkdir("./65", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 437 ./strace-static-x86_64: Process 437 attached [pid 437] set_robust_list(0x555555a286a0, 24) = 0 [pid 437] chdir("./65") = 0 [pid 437] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 437] setpgid(0, 0) = 0 [pid 437] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 437] write(3, "1000", 4) = 4 [pid 437] close(3) = 0 [pid 437] symlink("/dev/binderfs", "./binderfs") = 0 [pid 437] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 437] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 437] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 437] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 437] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 437] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 437] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 438 attached [pid 438] set_robust_list(0x7f1ef6aad9a0, 24 [pid 437] <... clone3 resumed> => {parent_tid=[438]}, 88) = 438 [pid 438] <... set_robust_list resumed>) = 0 [pid 437] rt_sigprocmask(SIG_SETMASK, [], [pid 438] rt_sigprocmask(SIG_SETMASK, [], [pid 437] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 438] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 437] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 438] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 437] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] <... socket resumed>) = 3 [pid 438] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 437] <... futex resumed>) = 0 [pid 437] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 438] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 437] <... futex resumed>) = 0 [pid 437] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] <... bpf resumed>) = 4 [pid 438] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 437] <... futex resumed>) = 0 [pid 438] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 437] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 437] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] <... bpf resumed>) = 5 [pid 438] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 437] <... futex resumed>) = 0 [pid 438] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 437] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 438] <... bpf resumed>) = 0 [pid 437] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 437] <... futex resumed>) = 0 [pid 438] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 437] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 438] <... bpf resumed>) = 0 [pid 437] <... futex resumed>) = 0 [pid 438] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 437] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] <... futex resumed>) = 0 [pid 437] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 438] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 437] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 438] <... bind resumed>) = 0 [pid 437] <... futex resumed>) = 0 [pid 437] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 437] <... futex resumed>) = 0 [pid 438] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 437] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 438] <... openat resumed>) = 6 [pid 437] <... futex resumed>) = 0 [pid 438] write(6, "8", 1 [pid 437] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] <... write resumed>) = 1 [pid 438] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 33.765402][ T436] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 33.773211][ T436] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 33.781029][ T436] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 33.788836][ T436] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 33.796831][ T436] [ 33.822333][ T438] FAULT_INJECTION: forcing a failure. [ 33.822333][ T438] name fail_futex, interval 1, probability 0, space 0, times 0 [ 33.835238][ T438] CPU: 0 PID: 438 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 33.846817][ T438] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 33.856710][ T438] Call Trace: [ 33.859833][ T438] [ 33.862612][ T438] dump_stack_lvl+0x151/0x1b7 [ 33.867123][ T438] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 33.872422][ T438] dump_stack+0x15/0x17 [ 33.876416][ T438] should_fail_ex+0x3d0/0x520 [ 33.880926][ T438] should_fail+0xb/0x10 [ 33.885088][ T438] get_futex_key+0x177/0xc90 [ 33.889537][ T438] ? futex_setup_timer+0xd0/0xd0 [ 33.894322][ T438] futex_wake+0x1af/0xb60 [ 33.898458][ T438] ? futex_wake_mark+0x170/0x170 [ 33.903334][ T438] ? finish_task_switch+0x167/0x7b0 [ 33.908358][ T438] ? __schedule+0xca1/0x1540 [ 33.912961][ T438] ? __kasan_check_write+0x14/0x20 [ 33.917906][ T438] ? __kasan_check_write+0x14/0x20 [ 33.922854][ T438] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 33.927800][ T438] do_futex+0x501/0x9a0 [ 33.931804][ T438] ? __ia32_sys_get_robust_list+0x90/0x90 [ 33.937350][ T438] __se_sys_futex+0x35e/0x3c0 [ 33.941870][ T438] ? _raw_spin_unlock_irq+0x4d/0x70 [ 33.946908][ T438] ? __x64_sys_futex+0x100/0x100 [ 33.951758][ T438] ? fpregs_restore_userregs+0x130/0x290 [ 33.957160][ T438] __x64_sys_futex+0xe5/0x100 [ 33.961649][ T438] do_syscall_64+0x3d/0xb0 [ 33.965905][ T438] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 33.971813][ T438] RIP: 0033:0x7f1ef6aecf59 [ 33.976069][ T438] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 33.995595][ T438] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 34.004098][ T438] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 34.012111][ T438] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 438] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = -1 EFAULT (Bad address) [pid 437] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 438] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 437] exit_group(0 [pid 438] <... futex resumed>) = ? [pid 437] <... exit_group resumed>) = ? [pid 438] +++ exited with 0 +++ [pid 437] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=437, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- umount2("./65", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./65/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./65/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./65/binderfs") = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./65/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./65/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./65") = 0 mkdir("./66", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 440 ./strace-static-x86_64: Process 440 attached [pid 440] set_robust_list(0x555555a286a0, 24) = 0 [pid 440] chdir("./66") = 0 [pid 440] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 440] setpgid(0, 0) = 0 [pid 440] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 440] write(3, "1000", 4) = 4 [pid 440] close(3) = 0 [pid 440] symlink("/dev/binderfs", "./binderfs") = 0 [pid 440] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 440] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 440] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 440] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 440] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 440] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 440] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[441]}, 88) = 441 ./strace-static-x86_64: Process 441 attached [pid 440] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 440] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 440] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 441] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 441] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 441] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 441] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 440] <... futex resumed>) = 0 [pid 441] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 440] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 441] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 440] <... futex resumed>) = 0 [pid 441] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 440] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 441] <... bpf resumed>) = 4 [pid 441] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 440] <... futex resumed>) = 0 [pid 441] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 440] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 441] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 440] <... futex resumed>) = 0 [pid 441] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 440] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 441] <... bpf resumed>) = 5 [pid 441] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 440] <... futex resumed>) = 0 [pid 441] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 440] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 441] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 440] <... futex resumed>) = 0 [pid 440] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 441] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 441] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 440] <... futex resumed>) = 0 [pid 441] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 440] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 441] <... bpf resumed>) = 0 [pid 440] <... futex resumed>) = 0 [pid 441] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 440] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 441] <... futex resumed>) = 0 [pid 440] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 441] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 440] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 441] <... bind resumed>) = 0 [pid 440] <... futex resumed>) = 0 [pid 441] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 440] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 441] <... futex resumed>) = 0 [pid 440] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 441] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 440] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 441] <... openat resumed>) = 6 [pid 440] <... futex resumed>) = 0 [pid 441] write(6, "8", 1 [pid 440] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 441] <... write resumed>) = 1 [pid 441] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 441] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 440] <... futex resumed>) = 0 [pid 441] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 440] exit_group(0) = ? [pid 441] <... futex resumed>) = ? [pid 441] +++ exited with 0 +++ [pid 440] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=440, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- umount2("./66", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./66/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./66/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./66/binderfs") = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./66/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./66/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./66") = 0 mkdir("./67", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 442 attached , child_tidptr=0x555555a28690) = 442 [ 34.020356][ T438] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 34.028253][ T438] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 34.036065][ T438] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 34.043883][ T438] [pid 442] set_robust_list(0x555555a286a0, 24) = 0 [pid 442] chdir("./67") = 0 [pid 442] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 442] setpgid(0, 0) = 0 [pid 442] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 442] write(3, "1000", 4) = 4 [pid 442] close(3) = 0 [pid 442] symlink("/dev/binderfs", "./binderfs") = 0 [pid 442] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 442] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 442] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 442] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 442] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 442] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[443]}, 88) = 443 ./strace-static-x86_64: Process 443 attached [pid 442] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 442] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 443] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 443] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 443] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 443] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 442] <... futex resumed>) = 0 [pid 442] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 443] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 443] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 442] <... futex resumed>) = 0 [pid 442] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 443] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 442] <... futex resumed>) = 0 [pid 443] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 442] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 443] <... bpf resumed>) = 0 [pid 442] <... futex resumed>) = 0 [pid 443] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 442] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] <... futex resumed>) = 0 [pid 442] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 443] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 442] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 443] <... bpf resumed>) = 0 [pid 442] <... futex resumed>) = 0 [pid 442] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 442] <... futex resumed>) = 0 [pid 443] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 442] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 443] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 442] <... futex resumed>) = 0 [pid 443] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 442] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] <... bind resumed>) = 0 [pid 443] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 442] <... futex resumed>) = 0 [pid 443] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 442] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 443] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 443] write(6, "8", 1) = 1 [pid 443] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 443] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 442] <... futex resumed>) = 0 [pid 442] exit_group(0) = ? [pid 443] +++ exited with 0 +++ [pid 442] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=442, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./67", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./67/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./67/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./67/binderfs") = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./67/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./67/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./67") = 0 mkdir("./68", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 444 ./strace-static-x86_64: Process 444 attached [pid 444] set_robust_list(0x555555a286a0, 24) = 0 [pid 444] chdir("./68") = 0 [pid 444] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 444] setpgid(0, 0) = 0 [pid 444] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 444] write(3, "1000", 4) = 4 [pid 444] close(3) = 0 [pid 444] symlink("/dev/binderfs", "./binderfs") = 0 [pid 444] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 444] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 444] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 444] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 444] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 444] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 444] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 445 attached => {parent_tid=[445]}, 88) = 445 [pid 445] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 445] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 445] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 444] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 444] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 445] <... futex resumed>) = 0 [pid 445] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 445] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 445] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 444] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 444] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 445] <... futex resumed>) = 0 [pid 445] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 444] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 445] <... bpf resumed>) = 4 [pid 445] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 444] <... futex resumed>) = 0 [pid 444] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 444] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 445] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 445] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 445] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 444] <... futex resumed>) = 0 [pid 444] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 445] <... futex resumed>) = 0 [pid 444] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 445] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 445] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 444] <... futex resumed>) = 0 [pid 445] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 444] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 445] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 445] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 444] <... futex resumed>) = 0 [pid 444] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 445] <... bpf resumed>) = 0 [pid 445] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 444] <... futex resumed>) = 0 [pid 445] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 444] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 445] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 444] <... futex resumed>) = 0 [pid 445] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 444] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 445] <... bind resumed>) = 0 [pid 445] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 444] <... futex resumed>) = 0 [pid 445] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 444] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 445] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 444] <... futex resumed>) = 0 [pid 445] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 444] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 445] <... openat resumed>) = 6 [pid 445] write(6, "8", 1) = 1 [pid 445] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 445] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 444] <... futex resumed>) = 0 [pid 445] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 444] exit_group(0) = ? [ 34.114096][ T445] FAULT_INJECTION: forcing a failure. [ 34.114096][ T445] name fail_futex, interval 1, probability 0, space 0, times 0 [ 34.127760][ T445] CPU: 1 PID: 445 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 34.139053][ T445] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 34.148948][ T445] Call Trace: [ 34.152071][ T445] [ 34.155035][ T445] dump_stack_lvl+0x151/0x1b7 [ 34.159537][ T445] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 34.164851][ T445] dump_stack+0x15/0x17 [ 34.168997][ T445] should_fail_ex+0x3d0/0x520 [ 34.173519][ T445] should_fail+0xb/0x10 [ 34.177499][ T445] get_futex_key+0x177/0xc90 [ 34.181944][ T445] ? futex_setup_timer+0xd0/0xd0 [ 34.186704][ T445] ? __this_cpu_preempt_check+0x13/0x20 [ 34.192092][ T445] futex_wait_setup+0xc3/0x330 [ 34.196685][ T445] ? futex_wait_multiple+0x8e0/0x8e0 [ 34.201891][ T445] ? __switch_to+0x62c/0x1190 [ 34.206401][ T445] ? futex_wait+0xf3/0x7e0 [ 34.210658][ T445] ? futex_setup_timer+0xb0/0xd0 [ 34.215430][ T445] futex_wait+0x1b9/0x7e0 [ 34.219770][ T445] ? __sched_clock_gtod_offset+0x100/0x100 [ 34.225497][ T445] ? futex_wait_setup+0x330/0x330 [ 34.230363][ T445] ? __kasan_check_write+0x14/0x20 [ 34.235304][ T445] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 34.240269][ T445] do_futex+0x55a/0x9a0 [ 34.244244][ T445] ? __ia32_sys_get_robust_list+0x90/0x90 [ 34.249809][ T445] __se_sys_futex+0x35e/0x3c0 [ 34.254313][ T445] ? _raw_spin_unlock_irq+0x4d/0x70 [ 34.259349][ T445] ? __x64_sys_futex+0x100/0x100 [ 34.264123][ T445] ? fpregs_restore_userregs+0x130/0x290 [ 34.269588][ T445] __x64_sys_futex+0xe5/0x100 [ 34.274101][ T445] do_syscall_64+0x3d/0xb0 [ 34.278355][ T445] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 34.284081][ T445] RIP: 0033:0x7f1ef6aecf59 [ 34.288334][ T445] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [pid 445] <... futex resumed>) = ? [pid 445] +++ exited with 0 +++ [pid 444] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=444, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./68", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./68", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./68/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./68/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./68/binderfs") = 0 umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./68/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./68/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./68") = 0 mkdir("./69", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 446 ./strace-static-x86_64: Process 446 attached [pid 446] set_robust_list(0x555555a286a0, 24) = 0 [pid 446] chdir("./69") = 0 [pid 446] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 446] setpgid(0, 0) = 0 [pid 446] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 446] write(3, "1000", 4) = 4 [pid 446] close(3) = 0 [pid 446] symlink("/dev/binderfs", "./binderfs") = 0 [pid 446] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 446] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 446] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 446] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 446] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 446] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 446] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 447 attached => {parent_tid=[447]}, 88) = 447 [pid 446] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 446] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 446] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 447] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 447] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 447] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 447] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 446] <... futex resumed>) = 0 [pid 446] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 446] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 447] <... futex resumed>) = 1 [pid 447] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 447] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 446] <... futex resumed>) = 0 [pid 446] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 446] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 447] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 447] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 446] <... futex resumed>) = 0 [pid 446] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 446] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 447] <... futex resumed>) = 1 [pid 447] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 447] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 446] <... futex resumed>) = 0 [pid 446] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 446] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 447] <... futex resumed>) = 1 [pid 447] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 447] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 446] <... futex resumed>) = 0 [pid 446] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 446] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 447] <... futex resumed>) = 1 [pid 447] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 447] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 446] <... futex resumed>) = 0 [pid 446] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 446] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 447] <... futex resumed>) = 1 [pid 447] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 447] write(6, "8", 1) = 1 [pid 447] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 34.307861][ T445] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 34.316108][ T445] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 34.323923][ T445] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1ef6b773e8 [ 34.332601][ T445] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 34.340592][ T445] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 34.348405][ T445] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 34.356227][ T445] [ 34.390858][ T447] FAULT_INJECTION: forcing a failure. [ 34.390858][ T447] name fail_futex, interval 1, probability 0, space 0, times 0 [ 34.403654][ T447] CPU: 1 PID: 447 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 34.414943][ T447] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 34.424840][ T447] Call Trace: [ 34.427961][ T447] [ 34.430738][ T447] dump_stack_lvl+0x151/0x1b7 [ 34.435250][ T447] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 34.440547][ T447] dump_stack+0x15/0x17 [ 34.444538][ T447] should_fail_ex+0x3d0/0x520 [ 34.449057][ T447] should_fail+0xb/0x10 [ 34.453043][ T447] get_futex_key+0x177/0xc90 [ 34.457570][ T447] ? futex_setup_timer+0xd0/0xd0 [ 34.462360][ T447] futex_wake+0x1af/0xb60 [ 34.466524][ T447] ? futex_wake_mark+0x170/0x170 [ 34.471294][ T447] ? finish_task_switch+0x167/0x7b0 [ 34.476331][ T447] ? __schedule+0xca1/0x1540 [ 34.480759][ T447] ? __kasan_check_write+0x14/0x20 [ 34.485702][ T447] ? __kasan_check_write+0x14/0x20 [ 34.490652][ T447] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 34.495685][ T447] do_futex+0x501/0x9a0 [ 34.499682][ T447] ? __ia32_sys_get_robust_list+0x90/0x90 [ 34.505408][ T447] __se_sys_futex+0x35e/0x3c0 [ 34.509915][ T447] ? _raw_spin_unlock_irq+0x4d/0x70 [ 34.514952][ T447] ? __x64_sys_futex+0x100/0x100 [ 34.519726][ T447] ? fpregs_restore_userregs+0x130/0x290 [ 34.525209][ T447] __x64_sys_futex+0xe5/0x100 [ 34.529711][ T447] do_syscall_64+0x3d/0xb0 [ 34.533957][ T447] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 34.539686][ T447] RIP: 0033:0x7f1ef6aecf59 [ 34.543947][ T447] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 34.563382][ T447] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 34.571624][ T447] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 34.579438][ T447] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 447] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 446] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 447] <... futex resumed>) = -1 EFAULT (Bad address) [pid 446] exit_group(0) = ? [pid 447] +++ exited with 0 +++ [pid 446] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=446, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./69", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./69", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./69/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./69/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./69/binderfs") = 0 umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./69/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./69/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./69") = 0 mkdir("./70", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 448 ./strace-static-x86_64: Process 448 attached [pid 448] set_robust_list(0x555555a286a0, 24) = 0 [pid 448] chdir("./70") = 0 [pid 448] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 448] setpgid(0, 0) = 0 [pid 448] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 448] write(3, "1000", 4) = 4 [pid 448] close(3) = 0 [pid 448] symlink("/dev/binderfs", "./binderfs") = 0 [pid 448] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 448] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 448] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 448] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 448] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 448] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 448] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[449]}, 88) = 449 [pid 448] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 448] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 448] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 449 attached [pid 449] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 449] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 449] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 449] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 448] <... futex resumed>) = 0 [pid 448] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 448] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 449] <... futex resumed>) = 1 [pid 449] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 449] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 449] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 448] <... futex resumed>) = 0 [pid 449] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 448] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 449] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 448] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 449] <... bpf resumed>) = 5 [pid 449] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 448] <... futex resumed>) = 0 [pid 449] <... futex resumed>) = 1 [pid 449] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 448] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 449] <... bpf resumed>) = 0 [pid 448] <... futex resumed>) = 0 [pid 448] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 449] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 448] <... futex resumed>) = 0 [pid 449] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 448] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 448] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 449] <... bpf resumed>) = 0 [pid 449] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 448] <... futex resumed>) = 0 [pid 449] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 448] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 448] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 449] <... bind resumed>) = 0 [pid 449] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 448] <... futex resumed>) = 0 [pid 448] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 448] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 449] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 449] write(6, "8", 1) = 1 [pid 449] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 449] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 448] <... futex resumed>) = 0 [pid 448] exit_group(0) = ? [pid 449] <... futex resumed>) = ? [pid 449] +++ exited with 0 +++ [pid 448] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=448, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./70", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./70", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./70/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./70/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 34.587249][ T447] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 34.595059][ T447] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 34.602957][ T447] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 34.610781][ T447] unlink("./70/binderfs") = 0 umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./70/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./70/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./70") = 0 mkdir("./71", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 450 ./strace-static-x86_64: Process 450 attached [pid 450] set_robust_list(0x555555a286a0, 24) = 0 [pid 450] chdir("./71") = 0 [pid 450] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 450] setpgid(0, 0) = 0 [pid 450] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 450] write(3, "1000", 4) = 4 [pid 450] close(3) = 0 [pid 450] symlink("/dev/binderfs", "./binderfs") = 0 [pid 450] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 450] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 450] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 450] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 450] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 450] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 450] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 451 attached [pid 451] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 451] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 450] <... clone3 resumed> => {parent_tid=[451]}, 88) = 451 [pid 451] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 450] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 450] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 451] <... futex resumed>) = 0 [pid 451] socket(AF_UNIX, SOCK_DGRAM, 0 [pid 450] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 451] <... socket resumed>) = 3 [pid 451] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 450] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 451] <... futex resumed>) = 0 [pid 451] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 450] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 451] <... futex resumed>) = 0 [pid 450] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 451] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 451] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 450] <... futex resumed>) = 0 [pid 451] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 450] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 450] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 451] <... futex resumed>) = 0 [pid 451] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 451] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 450] <... futex resumed>) = 0 [pid 450] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 451] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 450] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 451] <... bpf resumed>) = 0 [pid 451] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 450] <... futex resumed>) = 0 [pid 450] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 450] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 451] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 451] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 450] <... futex resumed>) = 0 [pid 451] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 450] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 451] <... bind resumed>) = 0 [pid 450] <... futex resumed>) = 0 [pid 451] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 450] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 451] <... futex resumed>) = 0 [pid 450] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 451] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 450] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 451] <... openat resumed>) = 6 [pid 450] <... futex resumed>) = 0 [pid 451] write(6, "8", 1 [pid 450] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 451] <... write resumed>) = 1 [pid 451] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 34.675143][ T451] FAULT_INJECTION: forcing a failure. [ 34.675143][ T451] name fail_futex, interval 1, probability 0, space 0, times 0 [ 34.687925][ T451] CPU: 0 PID: 451 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 34.699302][ T451] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 34.709198][ T451] Call Trace: [ 34.712322][ T451] [ 34.715105][ T451] dump_stack_lvl+0x151/0x1b7 [ 34.719618][ T451] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 34.724914][ T451] ? newidle_balance+0x8bd/0x1090 [ 34.729771][ T451] dump_stack+0x15/0x17 [ 34.733759][ T451] should_fail_ex+0x3d0/0x520 [ 34.738274][ T451] should_fail+0xb/0x10 [ 34.742266][ T451] get_futex_key+0x177/0xc90 [ 34.746691][ T451] ? futex_setup_timer+0xd0/0xd0 [ 34.751469][ T451] futex_wake+0x1af/0xb60 [ 34.755632][ T451] ? futex_wake_mark+0x170/0x170 [ 34.760402][ T451] ? finish_task_switch+0x167/0x7b0 [ 34.765531][ T451] ? __schedule+0xca1/0x1540 [ 34.769950][ T451] ? __kasan_check_write+0x14/0x20 [ 34.774905][ T451] ? __kasan_check_write+0x14/0x20 [ 34.779854][ T451] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 34.784806][ T451] do_futex+0x501/0x9a0 [ 34.788787][ T451] ? __ia32_sys_get_robust_list+0x90/0x90 [ 34.794352][ T451] __se_sys_futex+0x35e/0x3c0 [ 34.798855][ T451] ? _raw_spin_unlock_irq+0x4d/0x70 [ 34.803894][ T451] ? __x64_sys_futex+0x100/0x100 [ 34.808672][ T451] ? fpregs_restore_userregs+0x130/0x290 [ 34.814131][ T451] __x64_sys_futex+0xe5/0x100 [ 34.818645][ T451] do_syscall_64+0x3d/0xb0 [ 34.822898][ T451] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 34.828625][ T451] RIP: 0033:0x7f1ef6aecf59 [ 34.832884][ T451] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 34.852319][ T451] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 34.860566][ T451] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [pid 451] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = -1 EFAULT (Bad address) [pid 450] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 451] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 450] exit_group(0 [pid 451] <... futex resumed>) = ? [pid 450] <... exit_group resumed>) = ? [pid 451] +++ exited with 0 +++ [pid 450] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=450, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- umount2("./71", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./71/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./71/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./71/binderfs") = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./71/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./71/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./71") = 0 mkdir("./72", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 453 ./strace-static-x86_64: Process 453 attached [pid 453] set_robust_list(0x555555a286a0, 24) = 0 [pid 453] chdir("./72") = 0 [pid 453] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 453] setpgid(0, 0) = 0 [pid 453] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 453] write(3, "1000", 4) = 4 [pid 453] close(3) = 0 [pid 453] symlink("/dev/binderfs", "./binderfs") = 0 [pid 453] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 453] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 453] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 453] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 453] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 453] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 453] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 454 attached => {parent_tid=[454]}, 88) = 454 [pid 454] set_robust_list(0x7f1ef6aad9a0, 24 [pid 453] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 453] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 453] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 454] <... set_robust_list resumed>) = 0 [pid 454] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 454] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 454] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 454] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 453] <... futex resumed>) = 0 [pid 453] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 454] <... futex resumed>) = 0 [pid 453] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 454] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 454] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 453] <... futex resumed>) = 0 [pid 453] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 453] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 454] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 454] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 453] <... futex resumed>) = 0 [pid 454] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 453] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 454] <... bpf resumed>) = 0 [pid 453] <... futex resumed>) = 0 [pid 454] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 453] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 454] <... futex resumed>) = 0 [pid 453] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 454] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 453] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 454] <... bpf resumed>) = 0 [pid 453] <... futex resumed>) = 0 [pid 454] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 453] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 454] <... futex resumed>) = 0 [pid 453] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 454] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 453] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 454] <... bind resumed>) = 0 [pid 453] <... futex resumed>) = 0 [pid 454] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 453] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 454] <... futex resumed>) = 0 [pid 453] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 454] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 453] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 454] <... openat resumed>) = 6 [pid 453] <... futex resumed>) = 0 [pid 454] write(6, "8", 1 [pid 453] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 454] <... write resumed>) = 1 [pid 454] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [pid 454] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 453] <... futex resumed>) = 0 [pid 454] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 453] exit_group(0 [pid 454] <... futex resumed>) = ? [pid 453] <... exit_group resumed>) = ? [pid 454] +++ exited with 0 +++ [pid 453] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=453, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./72", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./72/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./72/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./72/binderfs") = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./72/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./72/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./72") = 0 mkdir("./73", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 455 ./strace-static-x86_64: Process 455 attached [pid 455] set_robust_list(0x555555a286a0, 24) = 0 [pid 455] chdir("./73") = 0 [pid 455] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 455] setpgid(0, 0) = 0 [pid 455] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 455] write(3, "1000", 4) = 4 [pid 455] close(3) = 0 [pid 455] symlink("/dev/binderfs", "./binderfs") = 0 [pid 455] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 455] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 455] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 455] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 455] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 455] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 455] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 456 attached => {parent_tid=[456]}, 88) = 456 [pid 456] set_robust_list(0x7f1ef6aad9a0, 24 [pid 455] rt_sigprocmask(SIG_SETMASK, [], [pid 456] <... set_robust_list resumed>) = 0 [pid 456] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 456] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 455] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 455] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 456] <... futex resumed>) = 0 [pid 456] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 456] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 456] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 455] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 455] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 456] <... futex resumed>) = 0 [pid 455] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 456] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 456] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 455] <... futex resumed>) = 0 [pid 456] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 455] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 455] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 456] <... bpf resumed>) = 5 [pid 456] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 455] <... futex resumed>) = 0 [pid 456] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 455] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 456] <... bpf resumed>) = 0 [pid 456] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 455] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 456] <... futex resumed>) = 0 [pid 455] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 456] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 455] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 456] <... bpf resumed>) = 0 [pid 456] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 455] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 456] <... futex resumed>) = 0 [pid 455] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 456] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 455] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 456] <... bind resumed>) = 0 [pid 456] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 455] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 456] <... futex resumed>) = 0 [pid 455] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 455] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 456] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 455] <... futex resumed>) = 0 [pid 456] <... openat resumed>) = 6 [pid 455] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 456] write(6, "8", 1) = 1 [pid 456] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 34.868373][ T451] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 34.876189][ T451] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 34.883995][ T451] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 34.891897][ T451] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 34.899715][ T451] [ 34.946176][ T456] FAULT_INJECTION: forcing a failure. [ 34.946176][ T456] name fail_futex, interval 1, probability 0, space 0, times 0 [ 34.959321][ T456] CPU: 0 PID: 456 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 34.970682][ T456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 34.980576][ T456] Call Trace: [ 34.983700][ T456] [ 34.986524][ T456] dump_stack_lvl+0x151/0x1b7 [ 34.990991][ T456] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 34.996287][ T456] ? newidle_balance+0x887/0x1090 [ 35.001149][ T456] dump_stack+0x15/0x17 [ 35.005139][ T456] should_fail_ex+0x3d0/0x520 [ 35.009659][ T456] should_fail+0xb/0x10 [ 35.013642][ T456] get_futex_key+0x177/0xc90 [ 35.018077][ T456] ? futex_setup_timer+0xd0/0xd0 [ 35.022864][ T456] futex_wake+0x1af/0xb60 [ 35.027011][ T456] ? futex_wake_mark+0x170/0x170 [ 35.031779][ T456] ? finish_task_switch+0x167/0x7b0 [ 35.036816][ T456] ? __schedule+0xca1/0x1540 [ 35.041250][ T456] ? __kasan_check_write+0x14/0x20 [ 35.046193][ T456] ? __kasan_check_write+0x14/0x20 [ 35.051136][ T456] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 35.056087][ T456] do_futex+0x501/0x9a0 [ 35.060080][ T456] ? __ia32_sys_get_robust_list+0x90/0x90 [ 35.065636][ T456] __se_sys_futex+0x35e/0x3c0 [ 35.070144][ T456] ? _raw_spin_unlock_irq+0x4d/0x70 [ 35.075181][ T456] ? __x64_sys_futex+0x100/0x100 [ 35.079955][ T456] ? fpregs_restore_userregs+0x130/0x290 [ 35.085420][ T456] __x64_sys_futex+0xe5/0x100 [ 35.089945][ T456] do_syscall_64+0x3d/0xb0 [ 35.094187][ T456] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 35.099915][ T456] RIP: 0033:0x7f1ef6aecf59 [ 35.104175][ T456] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 35.123612][ T456] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 35.131855][ T456] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [pid 456] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = -1 EFAULT (Bad address) [pid 455] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 456] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 455] exit_group(0 [pid 456] <... futex resumed>) = ? [pid 455] <... exit_group resumed>) = ? [pid 456] +++ exited with 0 +++ [pid 455] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=455, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- umount2("./73", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./73", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./73/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./73/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./73/binderfs") = 0 umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./73/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./73/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./73") = 0 mkdir("./74", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 457 ./strace-static-x86_64: Process 457 attached [pid 457] set_robust_list(0x555555a286a0, 24) = 0 [pid 457] chdir("./74") = 0 [pid 457] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 457] setpgid(0, 0) = 0 [pid 457] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 457] write(3, "1000", 4) = 4 [pid 457] close(3) = 0 [pid 457] symlink("/dev/binderfs", "./binderfs") = 0 [pid 457] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 457] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 457] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 457] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 457] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 457] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 457] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 458 attached [pid 458] set_robust_list(0x7f1ef6aad9a0, 24 [pid 457] <... clone3 resumed> => {parent_tid=[458]}, 88) = 458 [pid 458] <... set_robust_list resumed>) = 0 [pid 457] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 458] rt_sigprocmask(SIG_SETMASK, [], [pid 457] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 458] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 457] <... futex resumed>) = 0 [pid 457] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 458] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 458] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 457] <... futex resumed>) = 0 [pid 457] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 457] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 458] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 458] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 457] <... futex resumed>) = 0 [pid 458] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 457] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 457] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 458] <... bpf resumed>) = 5 [pid 458] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 457] <... futex resumed>) = 0 [pid 458] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 457] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 458] <... bpf resumed>) = 0 [pid 457] <... futex resumed>) = 0 [pid 458] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 457] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 458] <... futex resumed>) = 0 [pid 457] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 458] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 457] <... futex resumed>) = 0 [pid 457] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 458] <... bpf resumed>) = 0 [pid 458] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 457] <... futex resumed>) = 0 [pid 457] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 457] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 458] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 458] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 457] <... futex resumed>) = 0 [pid 457] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 457] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 458] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 458] write(6, "8", 1) = 1 [pid 458] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 35.139664][ T456] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 35.147789][ T456] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 35.155600][ T456] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 35.163412][ T456] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 35.171254][ T456] [pid 458] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 457] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 457] exit_group(0) = ? [ 35.203389][ T458] FAULT_INJECTION: forcing a failure. [ 35.203389][ T458] name fail_futex, interval 1, probability 0, space 0, times 0 [ 35.216090][ T458] CPU: 1 PID: 458 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 35.227490][ T458] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 35.237359][ T458] Call Trace: [ 35.240479][ T458] [ 35.243254][ T458] dump_stack_lvl+0x151/0x1b7 [ 35.247766][ T458] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 35.253062][ T458] ? newidle_balance+0x887/0x1090 [ 35.257917][ T458] dump_stack+0x15/0x17 [ 35.261910][ T458] should_fail_ex+0x3d0/0x520 [ 35.266428][ T458] should_fail+0xb/0x10 [ 35.270415][ T458] get_futex_key+0x177/0xc90 [ 35.274843][ T458] ? futex_setup_timer+0xd0/0xd0 [ 35.279616][ T458] futex_wake+0x1af/0xb60 [ 35.283782][ T458] ? futex_wake_mark+0x170/0x170 [ 35.288557][ T458] ? finish_task_switch+0x167/0x7b0 [ 35.293591][ T458] ? __schedule+0xca1/0x1540 [ 35.298104][ T458] ? __kasan_check_write+0x14/0x20 [ 35.303059][ T458] ? __kasan_check_write+0x14/0x20 [ 35.307996][ T458] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 35.312943][ T458] do_futex+0x501/0x9a0 [ 35.316936][ T458] ? __ia32_sys_get_robust_list+0x90/0x90 [ 35.322495][ T458] __se_sys_futex+0x35e/0x3c0 [ 35.327005][ T458] ? _raw_spin_unlock_irq+0x4d/0x70 [ 35.332039][ T458] ? __x64_sys_futex+0x100/0x100 [ 35.336813][ T458] ? fpregs_restore_userregs+0x130/0x290 [ 35.342280][ T458] __x64_sys_futex+0xe5/0x100 [ 35.346794][ T458] do_syscall_64+0x3d/0xb0 [ 35.351047][ T458] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 35.356801][ T458] RIP: 0033:0x7f1ef6aecf59 [ 35.361026][ T458] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 35.380471][ T458] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 35.388712][ T458] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 35.396525][ T458] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [pid 458] <... futex resumed>) = ? [pid 458] +++ exited with 0 +++ [pid 457] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=457, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- umount2("./74", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./74", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./74/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./74/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./74/binderfs") = 0 umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./74/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./74/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./74") = 0 mkdir("./75", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 459 ./strace-static-x86_64: Process 459 attached [pid 459] set_robust_list(0x555555a286a0, 24) = 0 [pid 459] chdir("./75") = 0 [pid 459] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 459] setpgid(0, 0) = 0 [pid 459] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 459] write(3, "1000", 4) = 4 [pid 459] close(3) = 0 [pid 459] symlink("/dev/binderfs", "./binderfs") = 0 [pid 459] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 459] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 459] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 459] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 459] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 459] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 459] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0} => {parent_tid=[460]}, 88) = 460 [pid 459] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 459] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 459] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 460 attached [pid 460] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 460] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 460] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 460] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 459] <... futex resumed>) = 0 [pid 459] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 459] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 460] <... futex resumed>) = 1 [pid 460] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4 [pid 460] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 459] <... futex resumed>) = 0 [pid 459] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 459] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 460] <... futex resumed>) = 1 [pid 460] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5 [pid 460] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 459] <... futex resumed>) = 0 [pid 459] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 459] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 460] <... futex resumed>) = 1 [pid 460] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0 [pid 460] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 459] <... futex resumed>) = 0 [pid 459] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 459] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 460] <... futex resumed>) = 1 [pid 460] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0 [pid 460] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 459] <... futex resumed>) = 0 [pid 459] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 459] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 460] <... futex resumed>) = 1 [pid 460] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0 [pid 460] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 459] <... futex resumed>) = 0 [pid 459] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 459] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 460] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 [pid 460] write(6, "8", 1) = 1 [pid 460] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 35.404342][ T458] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [ 35.412149][ T458] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 35.419974][ T458] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 35.427777][ T458] [pid 460] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 459] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 35.451151][ T460] FAULT_INJECTION: forcing a failure. [ 35.451151][ T460] name fail_futex, interval 1, probability 0, space 0, times 0 [ 35.463889][ T460] CPU: 0 PID: 460 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 35.475244][ T460] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 35.485135][ T460] Call Trace: [ 35.488258][ T460] [ 35.491038][ T460] dump_stack_lvl+0x151/0x1b7 [ 35.495581][ T460] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 35.500859][ T460] dump_stack+0x15/0x17 [pid 459] exit_group(0) = ? [ 35.504846][ T460] should_fail_ex+0x3d0/0x520 [ 35.509363][ T460] should_fail+0xb/0x10 [ 35.513338][ T460] get_futex_key+0x177/0xc90 [ 35.517768][ T460] ? futex_setup_timer+0xd0/0xd0 [ 35.522541][ T460] futex_wake+0x1af/0xb60 [ 35.526706][ T460] ? futex_wake_mark+0x170/0x170 [ 35.531477][ T460] ? finish_task_switch+0x167/0x7b0 [ 35.536514][ T460] ? __schedule+0xca1/0x1540 [ 35.540940][ T460] ? __kasan_check_write+0x14/0x20 [ 35.545891][ T460] ? __kasan_check_write+0x14/0x20 [ 35.550920][ T460] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 35.555872][ T460] do_futex+0x501/0x9a0 [ 35.559865][ T460] ? __ia32_sys_get_robust_list+0x90/0x90 [ 35.565418][ T460] __se_sys_futex+0x35e/0x3c0 [ 35.569932][ T460] ? _raw_spin_unlock_irq+0x4d/0x70 [ 35.574963][ T460] ? __x64_sys_futex+0x100/0x100 [ 35.579737][ T460] ? fpregs_restore_userregs+0x130/0x290 [ 35.585204][ T460] __x64_sys_futex+0xe5/0x100 [ 35.589716][ T460] do_syscall_64+0x3d/0xb0 [ 35.593970][ T460] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 35.599699][ T460] RIP: 0033:0x7f1ef6aecf59 [ 35.603960][ T460] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 35.623573][ T460] RSP: 002b:00007f1ef6aad208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 35.631825][ T460] RAX: ffffffffffffffda RBX: 00007f1ef6b773e8 RCX: 00007f1ef6aecf59 [ 35.639623][ T460] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1ef6b773ec [ 35.647440][ T460] RBP: 00007f1ef6b773e0 R08: 0000000000000038 R09: 0000000000000038 [pid 460] <... futex resumed>) = ? [pid 460] +++ exited with 0 +++ [pid 459] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=459, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- umount2("./75", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555a29730 /* 4 entries */, 32768) = 112 umount2("./75/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./75/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./75/binderfs") = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./75/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./75/file0") = 0 getdents64(3, 0x555555a29730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./75") = 0 mkdir("./76", 0777) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555a28690) = 461 ./strace-static-x86_64: Process 461 attached [pid 461] set_robust_list(0x555555a286a0, 24) = 0 [pid 461] chdir("./76") = 0 [pid 461] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 461] setpgid(0, 0) = 0 [pid 461] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 461] write(3, "1000", 4) = 4 [pid 461] close(3) = 0 [pid 461] symlink("/dev/binderfs", "./binderfs") = 0 [pid 461] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 461] rt_sigaction(SIGRT_1, {sa_handler=0x7f1ef6b133c0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1ef6b04540}, NULL, 8) = 0 [pid 461] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 461] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1ef6a8d000 [pid 461] mprotect(0x7f1ef6a8e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 461] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 461] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1ef6aad990, parent_tid=0x7f1ef6aad990, exit_signal=0, stack=0x7f1ef6a8d000, stack_size=0x20300, tls=0x7f1ef6aad6c0}./strace-static-x86_64: Process 462 attached [pid 462] set_robust_list(0x7f1ef6aad9a0, 24) = 0 [pid 462] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 462] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 461] <... clone3 resumed> => {parent_tid=[462]}, 88) = 462 [pid 461] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 461] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 461] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 462] <... futex resumed>) = 0 [pid 462] socket(AF_UNIX, SOCK_DGRAM, 0) = 3 [pid 462] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 461] <... futex resumed>) = 0 [pid 462] futex(0x7f1ef6b773e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 461] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 462] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 461] <... futex resumed>) = 0 [pid 462] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72 [pid 461] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 462] <... bpf resumed>) = 4 [pid 462] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 461] <... futex resumed>) = 0 [pid 462] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 461] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 462] <... bpf resumed>) = 5 [pid 461] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 462] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 461] <... futex resumed>) = 0 [pid 462] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16 [pid 461] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 462] <... bpf resumed>) = 0 [pid 461] <... futex resumed>) = 0 [pid 462] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 461] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 462] <... futex resumed>) = 0 [pid 461] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 462] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32 [pid 461] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 462] <... bpf resumed>) = 0 [pid 461] <... futex resumed>) = 0 [pid 462] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 461] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 462] <... futex resumed>) = 0 [pid 461] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 462] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110 [pid 461] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 462] <... bind resumed>) = 0 [pid 461] <... futex resumed>) = 0 [pid 462] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 461] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 462] <... futex resumed>) = 0 [pid 461] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 461] futex(0x7f1ef6b773e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 462] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 461] <... futex resumed>) = 0 [pid 462] <... openat resumed>) = 6 [pid 461] futex(0x7f1ef6b773ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 462] write(6, "8", 1) = 1 [pid 462] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1 [ 35.655245][ T460] R10: 00007f1ef6aacfa7 R11: 0000000000000246 R12: 00007f1ef6b441cc [ 35.663056][ T460] R13: 00007f1ef6aad210 R14: 0000000000000001 R15: 00007f1ef6b4400a [ 35.670874][ T460] [pid 462] futex(0x7f1ef6b773ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 461] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 461] exit_group(0) = ? [ 35.697013][ T462] FAULT_INJECTION: forcing a failure. [ 35.697013][ T462] name fail_futex, interval 1, probability 0, space 0, times 0 [ 35.709735][ T462] CPU: 0 PID: 462 Comm: syz-executor742 Tainted: G B 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 35.721093][ T462] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 35.730982][ T462] Call Trace: [ 35.734104][ T462] [ 35.736882][ T462] dump_stack_lvl+0x151/0x1b7 [ 35.741416][ T462] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 35.746701][ T462] dump_stack+0x15/0x17 [ 35.750684][ T462] should_fail_ex+0x3d0/0x520 [ 35.755197][ T462] should_fail+0xb/0x10 [ 35.759188][ T462] get_futex_key+0x177/0xc90 [ 35.763617][ T462] ? futex_setup_timer+0xd0/0xd0 [ 35.768391][ T462] futex_wake+0x1af/0xb60 [ 35.772560][ T462] ? futex_wake_mark+0x170/0x170 [ 35.777334][ T462] ? finish_task_switch+0x167/0x7b0 [ 35.782369][ T462] ? __schedule+0xca1/0x1540 [ 35.786789][ T462] ? __kasan_check_write+0x14/0x20 [ 35.791744][ T462] ? __kasan_check_write+0x14/0x20 [ 35.796682][ T462] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 35.801635][ T462] do_futex+0x501/0x9a0 [ 35.805628][ T462] ? __ia32_sys_get_robust_list+0x90/0x90 [ 35.811181][ T462] __se_sys_futex+0x35e/0x3c0 [ 35.815704][ T462] ? _raw_spin_unlock_irq+0x4d/0x70 [ 35.820738][ T462] ? __x64_sys_futex+0x100/0x100 [ 35.825498][ T462] ? fpregs_restore_userregs+0x130/0x290 [ 35.830967][ T462] __x64_sys_futex+0xe5/0x100 [ 35.835485][ T462] do_syscall_64+0x3d/0xb0 [ 35.839734][ T462] entry_SYSCALL_64_after_hwframe+0x63/0xcd