./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor305565654
<...>
[ 10.412902][ T30] audit: type=1400 audit(1695263281.512:64): avc: denied { rlimitinh } for pid=220 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 10.415714][ T30] audit: type=1400 audit(1695263281.512:65): avc: denied { siginh } for pid=220 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 11.627016][ T224] sftp-server (224) used greatest stack depth: 22096 bytes left
Warning: Permanently added '10.128.0.72' (ED25519) to the list of known hosts.
execve("./syz-executor305565654", ["./syz-executor305565654"], 0x7ffc9fd1e1f0 /* 10 vars */) = 0
brk(NULL) = 0x555555cf6000
brk(0x555555cf6d00) = 0x555555cf6d00
arch_prctl(ARCH_SET_FS, 0x555555cf6380) = 0
set_tid_address(0x555555cf6650) = 290
set_robust_list(0x555555cf6660, 24) = 0
rseq(0x555555cf6ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented)
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor305565654", 4096) = 27
getrandom("\x74\x81\x11\xe7\x2e\xbb\xea\x23", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555555cf6d00
brk(0x555555d17d00) = 0x555555d17d00
brk(0x555555d18000) = 0x555555d18000
mprotect(0x7f5579b99000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
mkdir("./syzkaller.RVVDx9", 0700) = 0
chmod("./syzkaller.RVVDx9", 0777) = 0
chdir("./syzkaller.RVVDx9") = 0
mkdir("./0", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 291
./strace-static-x86_64: Process 291 attached
[pid 291] set_robust_list(0x555555cf6660, 24) = 0
[pid 291] chdir("./0") = 0
[pid 291] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 291] setpgid(0, 0) = 0
[pid 291] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 291] write(3, "1000", 4) = 4
[pid 291] close(3) = 0
[pid 291] symlink("/dev/binderfs", "./binderfs") = 0
[pid 291] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[ 18.649938][ T30] audit: type=1400 audit(1695263289.752:66): avc: denied { execmem } for pid=290 comm="syz-executor305" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 18.653019][ T30] audit: type=1400 audit(1695263289.762:67): avc: denied { integrity } for pid=290 comm="syz-executor305" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 18.656652][ T30] audit: type=1400 audit(1695263289.762:68): avc: denied { prog_load } for pid=291 comm="syz-executor305" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 18.659363][ T30] audit: type=1400 audit(1695263289.762:69): avc: denied { bpf } for pid=291 comm="syz-executor305" capability=39 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[pid 291] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 291] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 291] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 291] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 291] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 291] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 291] write(6, "8", 1) = 1
[pid 291] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 18.783125][ T30] audit: type=1400 audit(1695263289.892:70): avc: denied { perfmon } for pid=291 comm="syz-executor305" capability=38 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[ 18.804254][ T30] audit: type=1400 audit(1695263289.912:71): avc: denied { prog_run } for pid=291 comm="syz-executor305" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 18.808460][ T291] FAULT_INJECTION: forcing a failure.
[ 18.808460][ T291] name fail_page_alloc, interval 1, probability 0, space 0, times 1
[ 18.823333][ T30] audit: type=1400 audit(1695263289.912:72): avc: denied { map_create } for pid=291 comm="syz-executor305" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 18.836895][ T291] CPU: 0 PID: 291 Comm: syz-executor305 Not tainted 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 18.855962][ T30] audit: type=1400 audit(1695263289.912:73): avc: denied { map_read map_write } for pid=291 comm="syz-executor305" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 18.867201][ T291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 18.867218][ T291] Call Trace:
[ 18.867224][ T291]
[ 18.867230][ T291] dump_stack_lvl+0x151/0x1b7
[ 18.867275][ T291] ? io_uring_drop_tctx_refs+0x190/0x190
[ 18.913131][ T291] dump_stack+0x15/0x17
[ 18.917115][ T291] should_fail+0x3c6/0x510
[ 18.921508][ T291] should_fail_alloc_page+0x5a/0x80
[ 18.926537][ T291] prepare_alloc_pages+0x15c/0x700
[ 18.931686][ T291] ? __alloc_pages_bulk+0xe60/0xe60
[ 18.936815][ T291] ? enqueue_task_fair+0xd61/0x29a0
[ 18.941925][ T291] __alloc_pages+0x138/0x5e0
[ 18.946363][ T291] ? prep_new_page+0x110/0x110
[ 18.950955][ T291] wp_page_copy+0x200/0x1b00
[ 18.955374][ T291] ? __kasan_check_write+0x14/0x20
[ 18.960407][ T291] ? insert_page_into_pte_locked+0x4e0/0x4e0
[ 18.966310][ T291] ? __pte_map_lock+0x442/0x620
[ 18.970995][ T291] do_wp_page+0x6fa/0xb60
[ 18.975162][ T291] handle_pte_fault+0x72e/0x2340
[ 18.979941][ T291] ? update_load_avg+0x43a/0x1150
[ 18.984796][ T291] ? fault_around_bytes_set+0xc0/0xc0
[ 18.990006][ T291] do_handle_mm_fault+0x1fed/0x2330
[ 18.995039][ T291] ? numa_migrate_prep+0xe0/0xe0
[ 18.999823][ T291] ? __kasan_check_write+0x14/0x20
[ 19.005068][ T291] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 19.009982][ T291] ? _raw_spin_lock_irqsave+0x210/0x210
[ 19.015353][ T291] ? _raw_spin_unlock_irq+0x4e/0x70
[ 19.020388][ T291] ? down_read_trylock+0x1f9/0x300
[ 19.025429][ T291] ? __init_rwsem+0x1c0/0x1c0
[ 19.029930][ T291] ? vmacache_update+0xb7/0x120
[ 19.034623][ T291] ? __find_vma+0x136/0x150
[ 19.038958][ T291] exc_page_fault+0x3b5/0x830
[ 19.043473][ T291] asm_exc_page_fault+0x27/0x30
[ 19.048167][ T291] RIP: 0033:0x7f5579afc4f0
[ 19.052507][ T291] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d fd 0a 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 b0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 a3 38 0a 00 4c
[ 19.072386][ T291] RSP: 002b:00007fffca7ebfe0 EFLAGS: 00010246
[pid 291] exit_group(0) = ?
[pid 291] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=291, si_uid=0, si_status=0, si_utime=0, si_stime=15} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/binderfs") = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./0") = 0
mkdir("./1", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 293
./strace-static-x86_64: Process 293 attached
[pid 293] set_robust_list(0x555555cf6660, 24) = 0
[pid 293] chdir("./1") = 0
[pid 293] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 293] setpgid(0, 0) = 0
[pid 293] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 293] write(3, "1000", 4) = 4
[pid 293] close(3) = 0
[pid 293] symlink("/dev/binderfs", "./binderfs") = 0
[pid 293] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 293] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 293] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 293] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 293] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 293] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 293] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 293] write(6, "8", 1) = 1
[pid 293] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 19.078301][ T291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ 19.086100][ T291] RDX: 0000000000000001 RSI: 00007f5579b9d120 RDI: 0000000000000000
[ 19.093903][ T291] RBP: 00007f5579b9d120 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 19.102673][ T291] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 19.110683][ T291] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 19.118488][ T291]
[ 19.121537][ T291] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
[ 19.140636][ T293] FAULT_INJECTION: forcing a failure.
[ 19.140636][ T293] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 19.153710][ T293] CPU: 1 PID: 293 Comm: syz-executor305 Not tainted 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 19.163723][ T293] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 19.173618][ T293] Call Trace:
[ 19.176741][ T293]
[ 19.179522][ T293] dump_stack_lvl+0x151/0x1b7
[ 19.184035][ T293] ? io_uring_drop_tctx_refs+0x190/0x190
[ 19.189514][ T293] dump_stack+0x15/0x17
[ 19.193493][ T293] should_fail+0x3c6/0x510
[ 19.197746][ T293] should_fail_alloc_page+0x5a/0x80
[ 19.202809][ T293] prepare_alloc_pages+0x15c/0x700
[ 19.207734][ T293] ? active_load_balance_cpu_stop+0xc50/0xc50
[ 19.213632][ T293] ? __alloc_pages_bulk+0xe60/0xe60
[ 19.218662][ T293] ? enqueue_task_fair+0x1f1d/0x29a0
[ 19.223790][ T293] __alloc_pages+0x138/0x5e0
[ 19.228225][ T293] ? prep_new_page+0x110/0x110
[ 19.232815][ T293] wp_page_copy+0x200/0x1b00
[ 19.237247][ T293] ? __kasan_check_write+0x14/0x20
[ 19.242202][ T293] ? insert_page_into_pte_locked+0x4e0/0x4e0
[ 19.248018][ T293] ? __pte_map_lock+0x442/0x620
[ 19.252691][ T293] do_wp_page+0x6fa/0xb60
[ 19.257643][ T293] handle_pte_fault+0x72e/0x2340
[ 19.262410][ T293] ? update_load_avg+0x43a/0x1150
[ 19.267276][ T293] ? fault_around_bytes_set+0xc0/0xc0
[ 19.272515][ T293] do_handle_mm_fault+0x1fed/0x2330
[ 19.277517][ T293] ? numa_migrate_prep+0xe0/0xe0
[ 19.282309][ T293] ? __kasan_check_write+0x14/0x20
[ 19.287246][ T293] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 19.292273][ T293] ? _raw_spin_lock_irqsave+0x210/0x210
[ 19.297847][ T293] ? _raw_spin_unlock_irq+0x4e/0x70
[ 19.302855][ T293] ? down_read_trylock+0x1f9/0x300
[ 19.307806][ T293] ? __init_rwsem+0x1c0/0x1c0
[ 19.312314][ T293] ? vmacache_update+0xb7/0x120
[ 19.317001][ T293] ? __find_vma+0x136/0x150
[ 19.321346][ T293] exc_page_fault+0x3b5/0x830
[ 19.326038][ T293] asm_exc_page_fault+0x27/0x30
[ 19.330714][ T293] RIP: 0033:0x7f5579afc4f0
[ 19.334975][ T293] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d fd 0a 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 b0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 a3 38 0a 00 4c
[ 19.354416][ T293] RSP: 002b:00007fffca7ebfe0 EFLAGS: 00010246
[ 19.360313][ T293] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ 19.368301][ T293] RDX: 0000000000000001 RSI: 00007f5579b9d120 RDI: 0000000000000000
[ 19.376115][ T293] RBP: 00007f5579b9d120 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 19.384004][ T293] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[pid 293] exit_group(0) = ?
[pid 293] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=293, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./1/binderfs") = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./1/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./1") = 0
mkdir("./2", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 294
./strace-static-x86_64: Process 294 attached
[pid 294] set_robust_list(0x555555cf6660, 24) = 0
[pid 294] chdir("./2") = 0
[pid 294] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 294] setpgid(0, 0) = 0
[pid 294] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 294] write(3, "1000", 4) = 4
[pid 294] close(3) = 0
[pid 294] symlink("/dev/binderfs", "./binderfs") = 0
[pid 294] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 294] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 294] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 294] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 294] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 294] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 294] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 294] write(6, "8", 1) = 1
[ 19.391821][ T293] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 19.399636][ T293]
[ 19.402601][ T293] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
[ 19.422149][ T294] FAULT_INJECTION: forcing a failure.
[ 19.422149][ T294] name failslab, interval 1, probability 0, space 0, times 1
[ 19.434684][ T294] CPU: 1 PID: 294 Comm: syz-executor305 Not tainted 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 19.444824][ T294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 19.454836][ T294] Call Trace:
[ 19.457967][ T294]
[ 19.460735][ T294] dump_stack_lvl+0x151/0x1b7
[ 19.465253][ T294] ? io_uring_drop_tctx_refs+0x190/0x190
[ 19.470807][ T294] dump_stack+0x15/0x17
[ 19.474804][ T294] should_fail+0x3c6/0x510
[ 19.479146][ T294] __should_failslab+0xa4/0xe0
[ 19.483921][ T294] should_failslab+0x9/0x20
[ 19.488246][ T294] slab_pre_alloc_hook+0x37/0xd0
[ 19.493030][ T294] kmem_cache_alloc_trace+0x48/0x210
[ 19.498145][ T294] ? sk_psock_skb_ingress_self+0x60/0x330
[ 19.503697][ T294] ? migrate_disable+0x190/0x190
[ 19.508472][ T294] sk_psock_skb_ingress_self+0x60/0x330
[ 19.513855][ T294] sk_psock_verdict_recv+0x66d/0x840
[ 19.518972][ T294] unix_read_sock+0x132/0x370
[ 19.523490][ T294] ? sk_psock_skb_redirect+0x440/0x440
[ 19.529074][ T294] ? unix_stream_splice_actor+0x120/0x120
[ 19.534624][ T294] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 19.539903][ T294] ? unix_stream_splice_actor+0x120/0x120
[ 19.545545][ T294] sk_psock_verdict_data_ready+0x147/0x1a0
[ 19.551193][ T294] ? sk_psock_start_verdict+0xc0/0xc0
[ 19.556506][ T294] ? _raw_spin_lock+0xa4/0x1b0
[ 19.561115][ T294] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 19.566757][ T294] ? skb_queue_tail+0xfb/0x120
[ 19.571358][ T294] unix_dgram_sendmsg+0x15fa/0x2090
[ 19.576480][ T294] ? unix_dgram_poll+0x710/0x710
[ 19.581252][ T294] ? ttwu_queue_wakelist+0x316/0x510
[ 19.586371][ T294] ? security_socket_sendmsg+0x82/0xb0
[ 19.591675][ T294] ? unix_dgram_poll+0x710/0x710
[ 19.596443][ T294] ____sys_sendmsg+0x59e/0x8f0
[ 19.601051][ T294] ? __sys_sendmsg_sock+0x40/0x40
[ 19.605903][ T294] ? import_iovec+0xe5/0x120
[ 19.610355][ T294] ___sys_sendmsg+0x252/0x2e0
[ 19.614837][ T294] ? __sys_sendmsg+0x260/0x260
[ 19.619436][ T294] ? compat_start_thread+0x20/0x20
[ 19.624386][ T294] ? __kasan_check_read+0x11/0x20
[ 19.629243][ T294] ? __fdget+0x179/0x240
[ 19.633324][ T294] __sys_sendmmsg+0x2bf/0x530
[ 19.637853][ T294] ? __ia32_sys_sendmsg+0x90/0x90
[ 19.642699][ T294] ? __kasan_check_read+0x11/0x20
[ 19.647658][ T294] __x64_sys_sendmmsg+0xa0/0xb0
[ 19.652539][ T294] do_syscall_64+0x3d/0xb0
[ 19.657174][ T294] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 19.662982][ T294] RIP: 0033:0x7f5579b265a9
[ 19.667238][ T294] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 294] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 294] exit_group(0) = ?
[ 19.686851][ T294] RSP: 002b:00007fffca7ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 19.695099][ T294] RAX: ffffffffffffffda RBX: 00007fffca7ec060 RCX: 00007f5579b265a9
[ 19.702909][ T294] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 19.710721][ T294] RBP: 0000000000000001 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 19.718933][ T294] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 19.726986][ T294] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 19.734977][ T294]
[ 19.738714][ T20] ==================================================================
[ 19.746728][ T20] BUG: KASAN: use-after-free in consume_skb+0x3c/0x250
[ 19.753666][ T20] Read of size 4 at addr ffff88811dfd2aec by task kworker/0:1/20
[ 19.761241][ T20]
[ 19.763401][ T20] CPU: 0 PID: 20 Comm: kworker/0:1 Not tainted 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 19.773200][ T20] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 19.783230][ T20] Workqueue: events bpf_map_free_deferred
[ 19.788739][ T20] Call Trace:
[ 19.791865][ T20]
[ 19.794640][ T20] dump_stack_lvl+0x151/0x1b7
[ 19.799151][ T20] ? io_uring_drop_tctx_refs+0x190/0x190
[ 19.804702][ T20] ? panic+0x751/0x751
[ 19.808610][ T20] print_address_description+0x87/0x3b0
[ 19.813998][ T20] kasan_report+0x179/0x1c0
[ 19.818523][ T20] ? consume_skb+0x3c/0x250
[ 19.823308][ T20] ? consume_skb+0x3c/0x250
[ 19.827625][ T20] kasan_check_range+0x293/0x2a0
[ 19.834937][ T20] __kasan_check_read+0x11/0x20
[ 19.841686][ T20] consume_skb+0x3c/0x250
[ 19.846589][ T20] __sk_msg_free+0x2dd/0x370
[ 19.850982][ T20] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 19.856832][ T20] sk_psock_stop+0x44c/0x4d0
[ 19.861356][ T20] sk_psock_drop+0x219/0x310
[ 19.865959][ T20] sock_map_unref+0x48f/0x4d0
[ 19.870471][ T20] sock_map_free+0x137/0x2b0
[ 19.874885][ T20] bpf_map_free_deferred+0x10d/0x1e0
[ 19.880007][ T20] process_one_work+0x6bb/0xc10
[ 19.884790][ T20] worker_thread+0xad5/0x12a0
[ 19.889392][ T20] ? _raw_spin_lock+0x1b0/0x1b0
[ 19.894227][ T20] kthread+0x421/0x510
[ 19.898275][ T20] ? worker_clr_flags+0x180/0x180
[ 19.903483][ T20] ? kthread_blkcg+0xd0/0xd0
[ 19.908951][ T20] ret_from_fork+0x1f/0x30
[ 19.913198][ T20]
[ 19.916058][ T20]
[ 19.918344][ T20] Allocated by task 294:
[ 19.922499][ T20] __kasan_slab_alloc+0xb1/0xe0
[ 19.927204][ T20] slab_post_alloc_hook+0x53/0x2c0
[ 19.932254][ T20] kmem_cache_alloc+0xf5/0x200
[ 19.937543][ T20] skb_clone+0x1d1/0x360
[ 19.941787][ T20] sk_psock_verdict_recv+0x53/0x840
[ 19.946986][ T20] unix_read_sock+0x132/0x370
[ 19.951851][ T20] sk_psock_verdict_data_ready+0x147/0x1a0
[ 19.957507][ T20] unix_dgram_sendmsg+0x15fa/0x2090
[ 19.962571][ T20] ____sys_sendmsg+0x59e/0x8f0
[ 19.967817][ T20] ___sys_sendmsg+0x252/0x2e0
[ 19.972486][ T20] __sys_sendmmsg+0x2bf/0x530
[ 19.977018][ T20] __x64_sys_sendmmsg+0xa0/0xb0
[ 19.981714][ T20] do_syscall_64+0x3d/0xb0
[ 19.985957][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 19.992049][ T20]
[ 19.994207][ T20] Freed by task 20:
[ 19.998032][ T20] kasan_set_track+0x4b/0x70
[ 20.002534][ T20] kasan_set_free_info+0x23/0x40
[ 20.007308][ T20] ____kasan_slab_free+0x126/0x160
[ 20.012871][ T20] __kasan_slab_free+0x11/0x20
[ 20.017469][ T20] slab_free_freelist_hook+0xbd/0x190
[ 20.022763][ T20] kmem_cache_free+0x116/0x2e0
[ 20.028346][ T20] kfree_skbmem+0x104/0x170
[ 20.032678][ T20] kfree_skb+0xc2/0x360
[ 20.036714][ T20] sk_psock_backlog+0xc21/0xd90
[ 20.041418][ T20] process_one_work+0x6bb/0xc10
[ 20.046191][ T20] worker_thread+0xad5/0x12a0
[ 20.050715][ T20] kthread+0x421/0x510
[ 20.054696][ T20] ret_from_fork+0x1f/0x30
[ 20.058952][ T20]
[ 20.061136][ T20] The buggy address belongs to the object at ffff88811dfd2a00
[ 20.061136][ T20] which belongs to the cache skbuff_head_cache of size 248
[ 20.077982][ T20] The buggy address is located 236 bytes inside of
[ 20.077982][ T20] 248-byte region [ffff88811dfd2a00, ffff88811dfd2af8)
[ 20.091617][ T20] The buggy address belongs to the page:
[ 20.097265][ T20] page:ffffea000477f480 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11dfd2
[ 20.107754][ T20] flags: 0x4000000000000200(slab|zone=1)
[ 20.113466][ T20] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100351c80
[ 20.121884][ T20] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 20.130377][ T20] page dumped because: kasan: bad access detected
[ 20.136633][ T20] page_owner tracks the page as allocated
[ 20.142180][ T20] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 285, ts 19420335507, free_ts 19418229689
[ 20.157990][ T20] post_alloc_hook+0x1a3/0x1b0
[ 20.162582][ T20] prep_new_page+0x1b/0x110
[ 20.166924][ T20] get_page_from_freelist+0x3550/0x35d0
[ 20.172321][ T20] __alloc_pages+0x206/0x5e0
[ 20.176724][ T20] new_slab+0x9a/0x4e0
[ 20.180717][ T20] ___slab_alloc+0x39e/0x830
[ 20.185227][ T20] __slab_alloc+0x4a/0x90
[ 20.189421][ T20] kmem_cache_alloc+0x134/0x200
[ 20.194082][ T20] skb_clone+0x1d1/0x360
[ 20.198161][ T20] dev_queue_xmit_nit+0x25b/0xa40
[ 20.203021][ T20] dev_hard_start_xmit+0x149/0x620
[ 20.207968][ T20] sch_direct_xmit+0x298/0x9b0
[ 20.212567][ T20] __dev_queue_xmit+0x161e/0x2e70
[ 20.217430][ T20] dev_queue_xmit+0x17/0x20
[ 20.221781][ T20] ip_finish_output2+0xb9f/0xf60
[ 20.226543][ T20] __ip_finish_output+0x162/0x360
[ 20.231404][ T20] page last free stack trace:
[ 20.236091][ T20] free_unref_page_prepare+0x7c8/0x7d0
[ 20.241398][ T20] free_unref_page+0xe6/0x730
[ 20.245898][ T20] __free_pages+0x61/0xf0
[ 20.250171][ T20] __vunmap+0x7bc/0x8f0
[ 20.254159][ T20] vfree+0x7f/0xb0
[ 20.257791][ T20] bpf_patch_insn_data+0x7f0/0xde0
[ 20.262821][ T20] bpf_check+0x6653/0x12bf0
[ 20.267166][ T20] bpf_prog_load+0x12ac/0x1b50
[ 20.271761][ T20] __sys_bpf+0x4bc/0x760
[ 20.275840][ T20] __x64_sys_bpf+0x7c/0x90
[ 20.281309][ T20] do_syscall_64+0x3d/0xb0
[ 20.285660][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 20.291416][ T20]
[ 20.293549][ T20] Memory state around the buggy address:
[ 20.299038][ T20] ffff88811dfd2980: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 20.306923][ T20] ffff88811dfd2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.314816][ T20] >ffff88811dfd2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 20.322718][ T20] ^
[ 20.330009][ T20] ffff88811dfd2b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 20.337907][ T20] ffff88811dfd2b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.345982][ T20] ==================================================================
[ 20.353960][ T20] Disabling lock debugging due to kernel taint
[ 20.360100][ T20] ==================================================================
[ 20.367944][ T20] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 20.376183][ T20]
[ 20.378352][ T20] CPU: 0 PID: 20 Comm: kworker/0:1 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 20.389462][ T20] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 20.399453][ T20] Workqueue: events bpf_map_free_deferred
[ 20.405084][ T20] Call Trace:
[ 20.408391][ T20]
[ 20.411163][ T20] dump_stack_lvl+0x151/0x1b7
[ 20.415674][ T20] ? io_uring_drop_tctx_refs+0x190/0x190
[ 20.421153][ T20] ? panic+0x751/0x751
[ 20.425122][ T20] ? irqentry_exit+0x30/0x40
[ 20.430086][ T20] ? kmem_cache_free+0x116/0x2e0
[ 20.435202][ T20] print_address_description+0x87/0x3b0
[ 20.440589][ T20] ? asm_common_interrupt+0x27/0x40
[ 20.446160][ T20] ? kmem_cache_free+0x116/0x2e0
[ 20.450948][ T20] ? kmem_cache_free+0x116/0x2e0
[ 20.455686][ T20] kasan_report_invalid_free+0x6b/0xa0
[ 20.460988][ T20] ____kasan_slab_free+0x13e/0x160
[ 20.465926][ T20] __kasan_slab_free+0x11/0x20
[ 20.470524][ T20] slab_free_freelist_hook+0xbd/0x190
[ 20.475744][ T20] ? kfree_skbmem+0x104/0x170
[ 20.480246][ T20] kmem_cache_free+0x116/0x2e0
[ 20.484857][ T20] kfree_skbmem+0x104/0x170
[ 20.489189][ T20] consume_skb+0xb4/0x250
[ 20.493355][ T20] __sk_msg_free+0x2dd/0x370
[ 20.497786][ T20] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 20.503605][ T20] sk_psock_stop+0x44c/0x4d0
[ 20.508109][ T20] sk_psock_drop+0x219/0x310
[ 20.512533][ T20] sock_map_unref+0x48f/0x4d0
[ 20.517072][ T20] sock_map_free+0x137/0x2b0
[ 20.521481][ T20] bpf_map_free_deferred+0x10d/0x1e0
[ 20.526695][ T20] process_one_work+0x6bb/0xc10
[ 20.531371][ T20] worker_thread+0xad5/0x12a0
[ 20.536072][ T20] ? _raw_spin_lock+0x1b0/0x1b0
[ 20.540755][ T20] kthread+0x421/0x510
[ 20.544663][ T20] ? worker_clr_flags+0x180/0x180
[ 20.549516][ T20] ? kthread_blkcg+0xd0/0xd0
[ 20.554069][ T20] ret_from_fork+0x1f/0x30
[ 20.558648][ T20]
[ 20.561503][ T20]
[ 20.563762][ T20] Allocated by task 294:
[ 20.567927][ T20] __kasan_slab_alloc+0xb1/0xe0
[ 20.572703][ T20] slab_post_alloc_hook+0x53/0x2c0
[ 20.577904][ T20] kmem_cache_alloc+0xf5/0x200
[ 20.582625][ T20] skb_clone+0x1d1/0x360
[ 20.587227][ T20] sk_psock_verdict_recv+0x53/0x840
[ 20.593629][ T20] unix_read_sock+0x132/0x370
[ 20.598583][ T20] sk_psock_verdict_data_ready+0x147/0x1a0
[ 20.604380][ T20] unix_dgram_sendmsg+0x15fa/0x2090
[ 20.609672][ T20] ____sys_sendmsg+0x59e/0x8f0
[ 20.614266][ T20] ___sys_sendmsg+0x252/0x2e0
[ 20.618873][ T20] __sys_sendmmsg+0x2bf/0x530
[ 20.624367][ T20] __x64_sys_sendmmsg+0xa0/0xb0
[ 20.629187][ T20] do_syscall_64+0x3d/0xb0
[ 20.633383][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 20.639217][ T20]
[ 20.641365][ T20] Freed by task 20:
[ 20.645014][ T20] kasan_set_track+0x4b/0x70
[ 20.649525][ T20] kasan_set_free_info+0x23/0x40
[ 20.654479][ T20] ____kasan_slab_free+0x126/0x160
[ 20.659886][ T20] __kasan_slab_free+0x11/0x20
[ 20.664841][ T20] slab_free_freelist_hook+0xbd/0x190
[ 20.670433][ T20] kmem_cache_free+0x116/0x2e0
[ 20.675026][ T20] kfree_skbmem+0x104/0x170
[ 20.679360][ T20] kfree_skb+0xc2/0x360
[ 20.683606][ T20] sk_psock_backlog+0xc21/0xd90
[ 20.688297][ T20] process_one_work+0x6bb/0xc10
[ 20.692977][ T20] worker_thread+0xad5/0x12a0
[ 20.697601][ T20] kthread+0x421/0x510
[ 20.701655][ T20] ret_from_fork+0x1f/0x30
[ 20.705910][ T20]
[ 20.708171][ T20] The buggy address belongs to the object at ffff88811dfd2a00
[ 20.708171][ T20] which belongs to the cache skbuff_head_cache of size 248
[ 20.722609][ T20] The buggy address is located 0 bytes inside of
[ 20.722609][ T20] 248-byte region [ffff88811dfd2a00, ffff88811dfd2af8)
[ 20.735514][ T20] The buggy address belongs to the page:
[ 20.741155][ T20] page:ffffea000477f480 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11dfd2
[ 20.751389][ T20] flags: 0x4000000000000200(slab|zone=1)
[ 20.756874][ T20] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100351c80
[ 20.765990][ T20] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 20.774892][ T20] page dumped because: kasan: bad access detected
[ 20.781461][ T20] page_owner tracks the page as allocated
[ 20.787007][ T20] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 285, ts 19420335507, free_ts 19418229689
[ 20.804015][ T20] post_alloc_hook+0x1a3/0x1b0
[ 20.809058][ T20] prep_new_page+0x1b/0x110
[ 20.813501][ T20] get_page_from_freelist+0x3550/0x35d0
[ 20.819165][ T20] __alloc_pages+0x206/0x5e0
[ 20.824268][ T20] new_slab+0x9a/0x4e0
[ 20.828765][ T20] ___slab_alloc+0x39e/0x830
[ 20.833178][ T20] __slab_alloc+0x4a/0x90
[ 20.837444][ T20] kmem_cache_alloc+0x134/0x200
[ 20.842266][ T20] skb_clone+0x1d1/0x360
[ 20.846371][ T20] dev_queue_xmit_nit+0x25b/0xa40
[ 20.851500][ T20] dev_hard_start_xmit+0x149/0x620
[ 20.856438][ T20] sch_direct_xmit+0x298/0x9b0
[ 20.861208][ T20] __dev_queue_xmit+0x161e/0x2e70
[ 20.866074][ T20] dev_queue_xmit+0x17/0x20
[ 20.870406][ T20] ip_finish_output2+0xb9f/0xf60
[ 20.875181][ T20] __ip_finish_output+0x162/0x360
[ 20.880054][ T20] page last free stack trace:
[ 20.884556][ T20] free_unref_page_prepare+0x7c8/0x7d0
[ 20.890374][ T20] free_unref_page+0xe6/0x730
[ 20.894881][ T20] __free_pages+0x61/0xf0
[ 20.899090][ T20] __vunmap+0x7bc/0x8f0
[ 20.903128][ T20] vfree+0x7f/0xb0
[ 20.906685][ T20] bpf_patch_insn_data+0x7f0/0xde0
[ 20.911644][ T20] bpf_check+0x6653/0x12bf0
[ 20.915984][ T20] bpf_prog_load+0x12ac/0x1b50
[ 20.920582][ T20] __sys_bpf+0x4bc/0x760
[ 20.925011][ T20] __x64_sys_bpf+0x7c/0x90
[ 20.929450][ T20] do_syscall_64+0x3d/0xb0
[ 20.934035][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 20.939765][ T20]
[ 20.941939][ T20] Memory state around the buggy address:
[ 20.947422][ T20] ffff88811dfd2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.955594][ T20] ffff88811dfd2980: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 20.963552][ T20] >ffff88811dfd2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.971911][ T20] ^
[ 20.975832][ T20] ffff88811dfd2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 20.983983][ T20] ffff88811dfd2b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[pid 294] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=294, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./2/binderfs") = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./2/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./2/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./2") = 0
mkdir("./3", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 296 attached
, child_tidptr=0x555555cf6650) = 296
[pid 296] set_robust_list(0x555555cf6660, 24) = 0
[pid 296] chdir("./3") = 0
[pid 296] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 296] setpgid(0, 0) = 0
[pid 296] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 296] write(3, "1000", 4) = 4
[pid 296] close(3) = 0
[pid 296] symlink("/dev/binderfs", "./binderfs") = 0
[pid 296] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 296] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 296] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 296] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 296] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 296] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 296] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 296] write(6, "8", 1) = 1
[pid 296] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 20.991866][ T20] ==================================================================
[ 21.020119][ T296] FAULT_INJECTION: forcing a failure.
[ 21.020119][ T296] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 21.033390][ T296] CPU: 1 PID: 296 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 21.044775][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 21.054695][ T296] Call Trace:
[ 21.057871][ T296]
[ 21.060653][ T296] dump_stack_lvl+0x151/0x1b7
[ 21.065253][ T296] ? io_uring_drop_tctx_refs+0x190/0x190
[ 21.070965][ T296] dump_stack+0x15/0x17
[ 21.075393][ T296] should_fail+0x3c6/0x510
[ 21.079792][ T296] should_fail_alloc_page+0x5a/0x80
[ 21.084992][ T296] prepare_alloc_pages+0x15c/0x700
[ 21.089965][ T296] ? __alloc_pages_bulk+0xe60/0xe60
[ 21.095178][ T296] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 21.100617][ T296] __alloc_pages+0x138/0x5e0
[ 21.105049][ T296] ? prep_new_page+0x110/0x110
[ 21.109647][ T296] ? kvm_sched_clock_read+0x18/0x40
[ 21.114679][ T296] wp_page_copy+0x200/0x1b00
[ 21.119104][ T296] ? __kasan_check_write+0x14/0x20
[ 21.124051][ T296] ? insert_page_into_pte_locked+0x4e0/0x4e0
[ 21.129871][ T296] ? ttwu_queue_wakelist+0x316/0x510
[ 21.135167][ T296] ? __pte_map_lock+0x442/0x620
[ 21.139842][ T296] do_wp_page+0x6fa/0xb60
[ 21.144112][ T296] handle_pte_fault+0x72e/0x2340
[ 21.148872][ T296] ? fault_around_bytes_set+0xc0/0xc0
[ 21.154089][ T296] do_handle_mm_fault+0x1fed/0x2330
[ 21.159116][ T296] ? numa_migrate_prep+0xe0/0xe0
[ 21.163889][ T296] ? __kasan_check_write+0x14/0x20
[ 21.168857][ T296] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 21.174404][ T296] ? _raw_spin_lock_irqsave+0x210/0x210
[ 21.182467][ T296] ? _raw_spin_unlock_irq+0x4e/0x70
[ 21.188927][ T296] ? down_read_trylock+0x1f9/0x300
[ 21.194580][ T296] ? __init_rwsem+0x1c0/0x1c0
[ 21.200191][ T296] ? vmacache_update+0xb7/0x120
[ 21.205580][ T296] ? __find_vma+0x136/0x150
[ 21.210107][ T296] exc_page_fault+0x3b5/0x830
[ 21.215016][ T296] asm_exc_page_fault+0x27/0x30
[ 21.220478][ T296] RIP: 0033:0x7f5579afc4f0
[ 21.225360][ T296] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d fd 0a 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 b0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 a3 38 0a 00 4c
[ 21.246661][ T296] RSP: 002b:00007fffca7ebfe0 EFLAGS: 00010246
[ 21.252787][ T296] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[pid 296] exit_group(0) = ?
[pid 296] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=296, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./3/binderfs") = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./3/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./3/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./3") = 0
mkdir("./4", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 297 attached
, child_tidptr=0x555555cf6650) = 297
[pid 297] set_robust_list(0x555555cf6660, 24) = 0
[pid 297] chdir("./4") = 0
[pid 297] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 297] setpgid(0, 0) = 0
[pid 297] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 297] write(3, "1000", 4) = 4
[pid 297] close(3) = 0
[pid 297] symlink("/dev/binderfs", "./binderfs") = 0
[pid 297] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 297] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 297] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 297] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 297] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 297] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 297] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 297] write(6, "8", 1) = 1
[ 21.262960][ T296] RDX: 0000000000000001 RSI: 00007f5579b9d120 RDI: 0000000000000000
[ 21.271924][ T296] RBP: 00007f5579b9d120 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 21.280194][ T296] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 21.288027][ T296] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 21.295787][ T296]
[ 21.299297][ T296] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
[ 21.322178][ T297] FAULT_INJECTION: forcing a failure.
[ 21.322178][ T297] name failslab, interval 1, probability 0, space 0, times 0
[ 21.336085][ T297] CPU: 1 PID: 297 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 21.347558][ T297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 21.357765][ T297] Call Trace:
[ 21.360885][ T297]
[ 21.363664][ T297] dump_stack_lvl+0x151/0x1b7
[ 21.368427][ T297] ? io_uring_drop_tctx_refs+0x190/0x190
[ 21.374086][ T297] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 21.380575][ T297] ? __skb_try_recv_datagram+0x495/0x6a0
[ 21.387295][ T297] dump_stack+0x15/0x17
[ 21.392125][ T297] should_fail+0x3c6/0x510
[ 21.396632][ T297] __should_failslab+0xa4/0xe0
[ 21.401842][ T297] ? skb_clone+0x1d1/0x360
[ 21.408543][ T297] should_failslab+0x9/0x20
[ 21.413493][ T297] slab_pre_alloc_hook+0x37/0xd0
[ 21.418887][ T297] ? skb_clone+0x1d1/0x360
[ 21.423511][ T297] kmem_cache_alloc+0x44/0x200
[ 21.428210][ T297] skb_clone+0x1d1/0x360
[ 21.432299][ T297] sk_psock_verdict_recv+0x53/0x840
[ 21.437314][ T297] ? avc_has_perm_noaudit+0x430/0x430
[ 21.442814][ T297] ? mntput_no_expire+0xfc/0x6b0
[ 21.447765][ T297] ? lockref_put_return+0x1b7/0x210
[ 21.453375][ T297] unix_read_sock+0x132/0x370
[ 21.458811][ T297] ? sk_psock_skb_redirect+0x440/0x440
[ 21.466325][ T297] ? unix_stream_splice_actor+0x120/0x120
[ 21.471958][ T297] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 21.478285][ T297] ? unix_stream_splice_actor+0x120/0x120
[ 21.484033][ T297] sk_psock_verdict_data_ready+0x147/0x1a0
[ 21.490232][ T297] ? sk_psock_start_verdict+0xc0/0xc0
[ 21.496026][ T297] ? _raw_spin_lock+0xa4/0x1b0
[ 21.500904][ T297] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 21.507211][ T297] ? skb_queue_tail+0xfb/0x120
[ 21.512138][ T297] unix_dgram_sendmsg+0x15fa/0x2090
[ 21.517230][ T297] ? unix_dgram_poll+0x710/0x710
[ 21.522045][ T297] ? ttwu_queue_wakelist+0x316/0x510
[ 21.527281][ T297] ? security_socket_sendmsg+0x82/0xb0
[ 21.532766][ T297] ? unix_dgram_poll+0x710/0x710
[ 21.538026][ T297] ____sys_sendmsg+0x59e/0x8f0
[ 21.542907][ T297] ? __sys_sendmsg_sock+0x40/0x40
[ 21.548460][ T297] ? import_iovec+0xe5/0x120
[ 21.552974][ T297] ___sys_sendmsg+0x252/0x2e0
[ 21.558748][ T297] ? __sys_sendmsg+0x260/0x260
[ 21.564168][ T297] ? compat_start_thread+0x20/0x20
[ 21.569688][ T297] ? __kasan_check_read+0x11/0x20
[ 21.575033][ T297] ? __fdget+0x179/0x240
[ 21.579316][ T297] __sys_sendmmsg+0x2bf/0x530
[ 21.583835][ T297] ? __ia32_sys_sendmsg+0x90/0x90
[ 21.589970][ T297] ? __kasan_check_read+0x11/0x20
[ 21.594900][ T297] __x64_sys_sendmmsg+0xa0/0xb0
[ 21.599532][ T297] do_syscall_64+0x3d/0xb0
[ 21.603868][ T297] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 21.609595][ T297] RIP: 0033:0x7f5579b265a9
[ 21.613846][ T297] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 21.635017][ T297] RSP: 002b:00007fffca7ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 21.643701][ T297] RAX: ffffffffffffffda RBX: 00007fffca7ec060 RCX: 00007f5579b265a9
[ 21.652358][ T297] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 21.660403][ T297] RBP: 0000000000000001 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[pid 297] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 297] exit_group(0) = ?
[pid 297] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=297, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./4/binderfs") = 0
umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./4/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./4/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./4") = 0
mkdir("./5", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 298
./strace-static-x86_64: Process 298 attached
[pid 298] set_robust_list(0x555555cf6660, 24) = 0
[pid 298] chdir("./5") = 0
[pid 298] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 298] setpgid(0, 0) = 0
[pid 298] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 298] write(3, "1000", 4) = 4
[pid 298] close(3) = 0
[pid 298] symlink("/dev/binderfs", "./binderfs") = 0
[pid 298] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 298] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 298] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 298] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 298] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 298] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 298] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 298] write(6, "8", 1) = 1
[pid 298] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 21.668695][ T297] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 21.676746][ T297] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 21.684809][ T297]
[ 21.702735][ T298] FAULT_INJECTION: forcing a failure.
[ 21.702735][ T298] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 21.719199][ T298] CPU: 1 PID: 298 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 21.730997][ T298] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 21.740883][ T298] Call Trace:
[ 21.744004][ T298]
[ 21.746798][ T298] dump_stack_lvl+0x151/0x1b7
[ 21.751306][ T298] ? io_uring_drop_tctx_refs+0x190/0x190
[ 21.756882][ T298] dump_stack+0x15/0x17
[ 21.761027][ T298] should_fail+0x3c6/0x510
[ 21.765358][ T298] should_fail_alloc_page+0x5a/0x80
[ 21.770476][ T298] prepare_alloc_pages+0x15c/0x700
[ 21.775626][ T298] ? __alloc_pages_bulk+0xe60/0xe60
[ 21.780751][ T298] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 21.786039][ T298] __alloc_pages+0x138/0x5e0
[ 21.790621][ T298] ? prep_new_page+0x110/0x110
[ 21.795703][ T298] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 21.801348][ T298] ? scm_destroy+0x83/0x90
[ 21.806140][ T298] ? unix_dgram_sendmsg+0x160a/0x2090
[ 21.811599][ T298] wp_page_copy+0x200/0x1b00
[ 21.816603][ T298] ? __kasan_check_write+0x14/0x20
[ 21.822770][ T298] ? insert_page_into_pte_locked+0x4e0/0x4e0
[ 21.829620][ T298] ? ttwu_queue_wakelist+0x316/0x510
[ 21.835018][ T298] ? __pte_map_lock+0x442/0x620
[ 21.839795][ T298] do_wp_page+0x6fa/0xb60
[ 21.843936][ T298] handle_pte_fault+0x72e/0x2340
[ 21.849587][ T298] ? fault_around_bytes_set+0xc0/0xc0
[ 21.854779][ T298] do_handle_mm_fault+0x1fed/0x2330
[ 21.860610][ T298] ? numa_migrate_prep+0xe0/0xe0
[ 21.865738][ T298] ? __kasan_check_write+0x14/0x20
[ 21.870782][ T298] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 21.876125][ T298] ? _raw_spin_lock_irqsave+0x210/0x210
[ 21.881589][ T298] ? _raw_spin_unlock_irq+0x4e/0x70
[ 21.886635][ T298] ? down_read_trylock+0x1f9/0x300
[ 21.892304][ T298] ? __init_rwsem+0x1c0/0x1c0
[ 21.897083][ T298] ? vmacache_update+0xb7/0x120
[ 21.902095][ T298] ? __find_vma+0x136/0x150
[ 21.906444][ T298] exc_page_fault+0x3b5/0x830
[ 21.911287][ T298] asm_exc_page_fault+0x27/0x30
[ 21.916077][ T298] RIP: 0033:0x7f5579afc4f0
[ 21.920568][ T298] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d fd 0a 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 b0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 a3 38 0a 00 4c
[ 21.941614][ T298] RSP: 002b:00007fffca7ebfe0 EFLAGS: 00010246
[ 21.947677][ T298] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ 21.955567][ T298] RDX: 0000000000000001 RSI: 00007f5579b9d120 RDI: 0000000000000000
[ 21.963494][ T298] RBP: 00007f5579b9d120 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[pid 298] exit_group(0) = ?
[pid 298] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=298, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./5/binderfs") = 0
umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./5/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./5/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./5") = 0
mkdir("./6", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 300
./strace-static-x86_64: Process 300 attached
[pid 300] set_robust_list(0x555555cf6660, 24) = 0
[pid 300] chdir("./6") = 0
[pid 300] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 300] setpgid(0, 0) = 0
[pid 300] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 300] write(3, "1000", 4) = 4
[pid 300] close(3) = 0
[pid 300] symlink("/dev/binderfs", "./binderfs") = 0
[pid 300] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 300] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 300] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 300] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 300] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 300] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 300] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 300] write(6, "8", 1) = 1
[ 21.971546][ T298] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 21.979349][ T298] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 21.987356][ T298]
[ 21.990471][ T298] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
[ 22.011392][ T300] FAULT_INJECTION: forcing a failure.
[ 22.011392][ T300] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 22.024719][ T300] CPU: 1 PID: 300 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 22.036796][ T300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 22.046906][ T300] Call Trace:
[ 22.050005][ T300]
[ 22.052861][ T300] dump_stack_lvl+0x151/0x1b7
[ 22.057641][ T300] ? io_uring_drop_tctx_refs+0x190/0x190
[ 22.063458][ T300] ? kmem_cache_free+0x116/0x2e0
[ 22.068553][ T300] ? kasan_set_track+0x5d/0x70
[ 22.074887][ T300] ? kasan_set_track+0x4b/0x70
[ 22.079567][ T300] ? kasan_set_free_info+0x23/0x40
[ 22.084635][ T300] ? ____kasan_slab_free+0x126/0x160
[ 22.090363][ T300] dump_stack+0x15/0x17
[ 22.094874][ T300] should_fail+0x3c6/0x510
[ 22.100084][ T300] should_fail_alloc_page+0x5a/0x80
[ 22.105726][ T300] prepare_alloc_pages+0x15c/0x700
[ 22.111453][ T300] ? __alloc_pages_bulk+0xe60/0xe60
[ 22.116565][ T300] __alloc_pages+0x138/0x5e0
[ 22.121297][ T300] ? prep_new_page+0x110/0x110
[ 22.125882][ T300] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 22.131408][ T300] ? memset+0x35/0x40
[ 22.135224][ T300] ? __skb_try_recv_from_queue+0x2b6/0x750
[ 22.141135][ T300] new_slab+0x9a/0x4e0
[ 22.146390][ T300] ___slab_alloc+0x39e/0x830
[ 22.150758][ T300] ? skb_clone+0x1d1/0x360
[ 22.155022][ T300] ? skb_clone+0x1d1/0x360
[ 22.159520][ T300] __slab_alloc+0x4a/0x90
[ 22.164289][ T300] ? skb_clone+0x1d1/0x360
[ 22.168534][ T300] kmem_cache_alloc+0x134/0x200
[ 22.173339][ T300] skb_clone+0x1d1/0x360
[ 22.177574][ T300] sk_psock_verdict_recv+0x53/0x840
[ 22.182604][ T300] ? avc_has_perm_noaudit+0x430/0x430
[ 22.187803][ T300] ? mntput_no_expire+0xfc/0x6b0
[ 22.192579][ T300] ? lockref_put_return+0x1b7/0x210
[ 22.197841][ T300] unix_read_sock+0x132/0x370
[ 22.202694][ T300] ? sk_psock_skb_redirect+0x440/0x440
[ 22.208122][ T300] ? unix_stream_splice_actor+0x120/0x120
[ 22.213739][ T300] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 22.219531][ T300] ? unix_stream_splice_actor+0x120/0x120
[ 22.225828][ T300] sk_psock_verdict_data_ready+0x147/0x1a0
[ 22.231928][ T300] ? sk_psock_start_verdict+0xc0/0xc0
[ 22.237741][ T300] ? _raw_spin_lock+0xa4/0x1b0
[ 22.242339][ T300] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 22.249345][ T300] ? skb_queue_tail+0xfb/0x120
[ 22.256692][ T300] unix_dgram_sendmsg+0x15fa/0x2090
[ 22.262087][ T300] ? unix_dgram_poll+0x710/0x710
[ 22.267463][ T300] ? __kasan_check_write+0x14/0x20
[ 22.274872][ T300] ? security_socket_sendmsg+0x82/0xb0
[ 22.282729][ T300] ? unix_dgram_poll+0x710/0x710
[ 22.288130][ T300] ____sys_sendmsg+0x59e/0x8f0
[ 22.294362][ T300] ? __sys_sendmsg_sock+0x40/0x40
[ 22.300308][ T300] ? import_iovec+0xe5/0x120
[ 22.305411][ T300] ___sys_sendmsg+0x252/0x2e0
[ 22.310921][ T300] ? __sys_sendmsg+0x260/0x260
[ 22.316643][ T300] ? compat_start_thread+0x20/0x20
[ 22.322469][ T300] ? __kasan_check_read+0x11/0x20
[ 22.328355][ T300] ? __fdget+0x179/0x240
[ 22.332386][ T300] __sys_sendmmsg+0x2bf/0x530
[ 22.337104][ T300] ? __ia32_sys_sendmsg+0x90/0x90
[ 22.342242][ T300] ? __kasan_check_read+0x11/0x20
[ 22.347620][ T300] __x64_sys_sendmmsg+0xa0/0xb0
[ 22.352740][ T300] do_syscall_64+0x3d/0xb0
[ 22.357075][ T300] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 22.363279][ T300] RIP: 0033:0x7f5579b265a9
[ 22.368153][ T300] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 22.393097][ T300] RSP: 002b:00007fffca7ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 22.402864][ T300] RAX: ffffffffffffffda RBX: 00007fffca7ec060 RCX: 00007f5579b265a9
[ 22.411426][ T300] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[pid 300] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 300] exit_group(0) = ?
[pid 300] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=300, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./6/binderfs") = 0
umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./6/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./6/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./6") = 0
mkdir("./7", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 301
./strace-static-x86_64: Process 301 attached
[pid 301] set_robust_list(0x555555cf6660, 24) = 0
[pid 301] chdir("./7") = 0
[pid 301] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 301] setpgid(0, 0) = 0
[pid 301] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 301] write(3, "1000", 4) = 4
[pid 301] close(3) = 0
[pid 301] symlink("/dev/binderfs", "./binderfs") = 0
[pid 301] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 301] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 301] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 301] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 301] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 301] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 301] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 301] write(6, "8", 1) = 1
[pid 301] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 22.420424][ T300] RBP: 0000000000000001 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 22.431476][ T300] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 22.439777][ T300] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 22.449912][ T300]
[ 22.468775][ T301] FAULT_INJECTION: forcing a failure.
[ 22.468775][ T301] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 22.486738][ T301] CPU: 1 PID: 301 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 22.499061][ T301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 22.509524][ T301] Call Trace:
[ 22.514091][ T301]
[ 22.516921][ T301] dump_stack_lvl+0x151/0x1b7
[ 22.521563][ T301] ? io_uring_drop_tctx_refs+0x190/0x190
[ 22.527065][ T301] dump_stack+0x15/0x17
[ 22.531115][ T301] should_fail+0x3c6/0x510
[ 22.535892][ T301] should_fail_alloc_page+0x5a/0x80
[ 22.540904][ T301] prepare_alloc_pages+0x15c/0x700
[ 22.546703][ T301] ? __alloc_pages_bulk+0xe60/0xe60
[ 22.552364][ T301] ? enqueue_task_fair+0xd61/0x29a0
[ 22.557568][ T301] __alloc_pages+0x138/0x5e0
[ 22.562331][ T301] ? prep_new_page+0x110/0x110
[ 22.567289][ T301] wp_page_copy+0x200/0x1b00
[ 22.572449][ T301] ? __kasan_check_write+0x14/0x20
[ 22.577804][ T301] ? insert_page_into_pte_locked+0x4e0/0x4e0
[ 22.584001][ T301] ? __pte_map_lock+0x442/0x620
[ 22.589697][ T301] do_wp_page+0x6fa/0xb60
[ 22.594214][ T301] handle_pte_fault+0x72e/0x2340
[ 22.599203][ T301] ? update_load_avg+0x43a/0x1150
[ 22.605031][ T301] ? fault_around_bytes_set+0xc0/0xc0
[ 22.611715][ T301] do_handle_mm_fault+0x1fed/0x2330
[ 22.618378][ T301] ? numa_migrate_prep+0xe0/0xe0
[ 22.623337][ T301] ? __kasan_check_write+0x14/0x20
[ 22.629076][ T301] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 22.635064][ T301] ? _raw_spin_lock_irqsave+0x210/0x210
[ 22.641046][ T301] ? _raw_spin_unlock_irq+0x4e/0x70
[ 22.646160][ T301] ? down_read_trylock+0x1f9/0x300
[ 22.651508][ T301] ? __init_rwsem+0x1c0/0x1c0
[ 22.656008][ T301] ? vmacache_update+0xb7/0x120
[ 22.660782][ T301] ? __find_vma+0x136/0x150
[ 22.665226][ T301] exc_page_fault+0x3b5/0x830
[ 22.669949][ T301] asm_exc_page_fault+0x27/0x30
[ 22.675419][ T301] RIP: 0033:0x7f5579afc4f0
[ 22.680963][ T301] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d fd 0a 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 b0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 a3 38 0a 00 4c
[ 22.706568][ T301] RSP: 002b:00007fffca7ebfe0 EFLAGS: 00010246
[ 22.712565][ T301] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ 22.720936][ T301] RDX: 0000000000000001 RSI: 00007f5579b9d120 RDI: 0000000000000000
[pid 301] exit_group(0) = ?
[pid 301] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=301, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./7/binderfs") = 0
umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./7/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./7/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./7") = 0
mkdir("./8", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 302
./strace-static-x86_64: Process 302 attached
[pid 302] set_robust_list(0x555555cf6660, 24) = 0
[pid 302] chdir("./8") = 0
[pid 302] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 302] setpgid(0, 0) = 0
[pid 302] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 302] write(3, "1000", 4) = 4
[pid 302] close(3) = 0
[pid 302] symlink("/dev/binderfs", "./binderfs") = 0
[pid 302] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 302] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 302] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 302] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 302] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 302] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 302] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 302] write(6, "8", 1) = 1
[ 22.728752][ T301] RBP: 00007f5579b9d120 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 22.736557][ T301] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 22.744397][ T301] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 22.753691][ T301]
[ 22.756807][ T301] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
[ 22.780762][ T302] FAULT_INJECTION: forcing a failure.
[ 22.780762][ T302] name failslab, interval 1, probability 0, space 0, times 0
[ 22.793577][ T302] CPU: 1 PID: 302 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 22.806247][ T302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 22.816583][ T302] Call Trace:
[ 22.819650][ T302]
[ 22.822499][ T302] dump_stack_lvl+0x151/0x1b7
[ 22.827071][ T302] ? io_uring_drop_tctx_refs+0x190/0x190
[ 22.832663][ T302] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 22.838556][ T302] ? __skb_try_recv_datagram+0x495/0x6a0
[ 22.844113][ T302] dump_stack+0x15/0x17
[ 22.848994][ T302] should_fail+0x3c6/0x510
[ 22.854217][ T302] __should_failslab+0xa4/0xe0
[ 22.858871][ T302] ? skb_clone+0x1d1/0x360
[ 22.863704][ T302] should_failslab+0x9/0x20
[ 22.868305][ T302] slab_pre_alloc_hook+0x37/0xd0
[ 22.873439][ T302] ? skb_clone+0x1d1/0x360
[ 22.877988][ T302] kmem_cache_alloc+0x44/0x200
[ 22.882575][ T302] skb_clone+0x1d1/0x360
[ 22.886907][ T302] sk_psock_verdict_recv+0x53/0x840
[ 22.891941][ T302] ? avc_has_perm_noaudit+0x430/0x430
[ 22.897242][ T302] ? mntput_no_expire+0xfc/0x6b0
[ 22.901994][ T302] ? lockref_put_return+0x1b7/0x210
[ 22.907035][ T302] unix_read_sock+0x132/0x370
[ 22.911543][ T302] ? sk_psock_skb_redirect+0x440/0x440
[ 22.916840][ T302] ? unix_stream_splice_actor+0x120/0x120
[ 22.922782][ T302] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 22.928078][ T302] ? unix_stream_splice_actor+0x120/0x120
[ 22.933669][ T302] sk_psock_verdict_data_ready+0x147/0x1a0
[ 22.939397][ T302] ? sk_psock_start_verdict+0xc0/0xc0
[ 22.944709][ T302] ? _raw_spin_lock+0xa4/0x1b0
[ 22.949757][ T302] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 22.955391][ T302] ? skb_queue_tail+0xfb/0x120
[ 22.960073][ T302] unix_dgram_sendmsg+0x15fa/0x2090
[ 22.965121][ T302] ? unix_dgram_poll+0x710/0x710
[ 22.970588][ T302] ? __kasan_check_write+0x14/0x20
[ 22.975978][ T302] ? security_socket_sendmsg+0x82/0xb0
[ 22.982389][ T302] ? unix_dgram_poll+0x710/0x710
[ 22.987700][ T302] ____sys_sendmsg+0x59e/0x8f0
[ 22.992684][ T302] ? __sys_sendmsg_sock+0x40/0x40
[ 22.997920][ T302] ? import_iovec+0xe5/0x120
[ 23.002503][ T302] ___sys_sendmsg+0x252/0x2e0
[ 23.007089][ T302] ? __sys_sendmsg+0x260/0x260
[ 23.011700][ T302] ? compat_start_thread+0x20/0x20
[ 23.016632][ T302] ? __kasan_check_read+0x11/0x20
[ 23.021513][ T302] ? __fdget+0x179/0x240
[ 23.025753][ T302] __sys_sendmmsg+0x2bf/0x530
[ 23.030267][ T302] ? __ia32_sys_sendmsg+0x90/0x90
[ 23.035129][ T302] ? __kasan_check_read+0x11/0x20
[ 23.039983][ T302] __x64_sys_sendmmsg+0xa0/0xb0
[ 23.045230][ T302] do_syscall_64+0x3d/0xb0
[ 23.049676][ T302] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 23.055551][ T302] RIP: 0033:0x7f5579b265a9
[ 23.059818][ T302] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[pid 302] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 302] exit_group(0) = ?
[pid 302] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=302, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./8/binderfs") = 0
umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./8/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./8/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./8") = 0
mkdir("./9", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 304 attached
, child_tidptr=0x555555cf6650) = 304
[pid 304] set_robust_list(0x555555cf6660, 24) = 0
[pid 304] chdir("./9") = 0
[pid 304] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 304] setpgid(0, 0) = 0
[pid 304] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 304] write(3, "1000", 4) = 4
[pid 304] close(3) = 0
[pid 304] symlink("/dev/binderfs", "./binderfs") = 0
[pid 304] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 304] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 304] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 304] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 304] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 304] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 304] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 304] write(6, "8", 1) = 1
[ 23.079760][ T302] RSP: 002b:00007fffca7ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 23.088487][ T302] RAX: ffffffffffffffda RBX: 00007fffca7ec060 RCX: 00007f5579b265a9
[ 23.096961][ T302] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 23.104844][ T302] RBP: 0000000000000001 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 23.113070][ T302] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 23.121273][ T302] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 23.129102][ T302]
[ 23.152055][ T304] FAULT_INJECTION: forcing a failure.
[ 23.152055][ T304] name failslab, interval 1, probability 0, space 0, times 0
[ 23.165049][ T304] CPU: 0 PID: 304 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 23.176771][ T304] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 23.187261][ T304] Call Trace:
[ 23.190401][ T304]
[ 23.193160][ T304] dump_stack_lvl+0x151/0x1b7
[ 23.197670][ T304] ? io_uring_drop_tctx_refs+0x190/0x190
[ 23.203226][ T304] dump_stack+0x15/0x17
[ 23.207212][ T304] should_fail+0x3c6/0x510
[ 23.211605][ T304] __should_failslab+0xa4/0xe0
[ 23.216638][ T304] should_failslab+0x9/0x20
[ 23.221869][ T304] slab_pre_alloc_hook+0x37/0xd0
[ 23.226833][ T304] kmem_cache_alloc_trace+0x48/0x210
[ 23.232623][ T304] ? sk_psock_skb_ingress_self+0x60/0x330
[ 23.238306][ T304] ? migrate_disable+0x190/0x190
[ 23.243907][ T304] sk_psock_skb_ingress_self+0x60/0x330
[ 23.249410][ T304] sk_psock_verdict_recv+0x66d/0x840
[ 23.254912][ T304] unix_read_sock+0x132/0x370
[ 23.259469][ T304] ? sk_psock_skb_redirect+0x440/0x440
[ 23.264742][ T304] ? unix_stream_splice_actor+0x120/0x120
[ 23.270589][ T304] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 23.276175][ T304] ? unix_stream_splice_actor+0x120/0x120
[ 23.281836][ T304] sk_psock_verdict_data_ready+0x147/0x1a0
[ 23.287636][ T304] ? sk_psock_start_verdict+0xc0/0xc0
[ 23.292842][ T304] ? _raw_spin_lock+0xa4/0x1b0
[ 23.297622][ T304] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 23.303686][ T304] ? skb_queue_tail+0xfb/0x120
[ 23.308457][ T304] unix_dgram_sendmsg+0x15fa/0x2090
[ 23.313470][ T304] ? unix_dgram_poll+0x710/0x710
[ 23.318242][ T304] ? ttwu_queue_wakelist+0x316/0x510
[ 23.323443][ T304] ? security_socket_sendmsg+0x82/0xb0
[ 23.331033][ T304] ? unix_dgram_poll+0x710/0x710
[ 23.335849][ T304] ____sys_sendmsg+0x59e/0x8f0
[ 23.340655][ T304] ? __sys_sendmsg_sock+0x40/0x40
[ 23.345517][ T304] ? import_iovec+0xe5/0x120
[ 23.353362][ T304] ___sys_sendmsg+0x252/0x2e0
[ 23.357904][ T304] ? __sys_sendmsg+0x260/0x260
[ 23.363403][ T304] ? compat_start_thread+0x20/0x20
[ 23.368572][ T304] ? __kasan_check_read+0x11/0x20
[ 23.373765][ T304] ? __fdget+0x179/0x240
[ 23.378541][ T304] __sys_sendmmsg+0x2bf/0x530
[ 23.384066][ T304] ? __ia32_sys_sendmsg+0x90/0x90
[ 23.389917][ T304] ? __kasan_check_read+0x11/0x20
[ 23.395541][ T304] __x64_sys_sendmmsg+0xa0/0xb0
[ 23.400216][ T304] do_syscall_64+0x3d/0xb0
[ 23.404581][ T304] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 23.411098][ T304] RIP: 0033:0x7f5579b265a9
[ 23.415332][ T304] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 23.435032][ T304] RSP: 002b:00007fffca7ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 23.443277][ T304] RAX: ffffffffffffffda RBX: 00007fffca7ec060 RCX: 00007f5579b265a9
[pid 304] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 304] exit_group(0) = ?
[ 23.451111][ T304] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 23.459328][ T304] RBP: 0000000000000001 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 23.467284][ T304] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 23.477650][ T304] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 23.488050][ T304]
[ 23.493581][ T39] ==================================================================
[pid 304] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=304, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./9", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./9/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./9/binderfs") = 0
umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./9/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./9/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./9") = 0
mkdir("./10", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 306
./strace-static-x86_64: Process 306 attached
[pid 306] set_robust_list(0x555555cf6660, 24) = 0
[pid 306] chdir("./10") = 0
[pid 306] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 306] setpgid(0, 0) = 0
[pid 306] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 306] write(3, "1000", 4) = 4
[pid 306] close(3) = 0
[ 23.503368][ T39] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 23.513095][ T39]
[ 23.515282][ T39] CPU: 1 PID: 39 Comm: kworker/1:1 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 23.527345][ T39] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 23.537889][ T39] Workqueue: events bpf_map_free_deferred
[ 23.544301][ T39] Call Trace:
[ 23.547979][ T39]
[pid 306] symlink("/dev/binderfs", "./binderfs") = 0
[pid 306] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[ 23.551146][ T39] dump_stack_lvl+0x151/0x1b7
[ 23.555935][ T39] ? io_uring_drop_tctx_refs+0x190/0x190
[ 23.561497][ T39] ? panic+0x751/0x751
[ 23.565387][ T39] ? kasan_set_free_info+0x23/0x40
[ 23.570431][ T39] ? ____kasan_slab_free+0x126/0x160
[ 23.576051][ T39] ? kmem_cache_free+0x116/0x2e0
[ 23.580987][ T39] print_address_description+0x87/0x3b0
[ 23.586534][ T39] ? worker_thread+0xad5/0x12a0
[ 23.592524][ T39] ? kthread+0x421/0x510
[ 23.596701][ T39] ? kmem_cache_free+0x116/0x2e0
[ 23.601468][ T39] ? kmem_cache_free+0x116/0x2e0
[ 23.606265][ T39] kasan_report_invalid_free+0x6b/0xa0
[ 23.612576][ T39] ____kasan_slab_free+0x13e/0x160
[ 23.618096][ T39] __kasan_slab_free+0x11/0x20
[ 23.622867][ T39] slab_free_freelist_hook+0xbd/0x190
[ 23.628244][ T39] ? kfree_skbmem+0x104/0x170
[ 23.633739][ T39] kmem_cache_free+0x116/0x2e0
[ 23.638367][ T39] kfree_skbmem+0x104/0x170
[ 23.642913][ T39] consume_skb+0xb4/0x250
[ 23.647043][ T39] __sk_msg_free+0x2dd/0x370
[ 23.651752][ T39] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 23.657583][ T39] sk_psock_stop+0x44c/0x4d0
[ 23.662184][ T39] sk_psock_drop+0x219/0x310
[ 23.667173][ T39] sock_map_unref+0x48f/0x4d0
[ 23.671857][ T39] sock_map_free+0x137/0x2b0
[ 23.676464][ T39] bpf_map_free_deferred+0x10d/0x1e0
[ 23.682268][ T39] process_one_work+0x6bb/0xc10
[ 23.687052][ T39] worker_thread+0xad5/0x12a0
[ 23.691553][ T39] ? _raw_spin_lock+0x1b0/0x1b0
[ 23.696243][ T39] kthread+0x421/0x510
[ 23.700147][ T39] ? worker_clr_flags+0x180/0x180
[ 23.705005][ T39] ? kthread_blkcg+0xd0/0xd0
[ 23.709442][ T39] ret_from_fork+0x1f/0x30
[ 23.713693][ T39]
[ 23.716558][ T39]
[ 23.718884][ T39] Allocated by task 304:
[ 23.723021][ T39] __kasan_slab_alloc+0xb1/0xe0
[ 23.727771][ T39] slab_post_alloc_hook+0x53/0x2c0
[ 23.732824][ T39] kmem_cache_alloc+0xf5/0x200
[ 23.738265][ T39] skb_clone+0x1d1/0x360
[ 23.742339][ T39] sk_psock_verdict_recv+0x53/0x840
[ 23.748119][ T39] unix_read_sock+0x132/0x370
[ 23.752717][ T39] sk_psock_verdict_data_ready+0x147/0x1a0
[ 23.758726][ T39] unix_dgram_sendmsg+0x15fa/0x2090
[ 23.763746][ T39] ____sys_sendmsg+0x59e/0x8f0
[ 23.768479][ T39] ___sys_sendmsg+0x252/0x2e0
[ 23.772980][ T39] __sys_sendmmsg+0x2bf/0x530
[ 23.777487][ T39] __x64_sys_sendmmsg+0xa0/0xb0
[ 23.782286][ T39] do_syscall_64+0x3d/0xb0
[ 23.786703][ T39] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 23.792430][ T39]
[ 23.794769][ T39] Freed by task 39:
[ 23.798944][ T39] kasan_set_track+0x4b/0x70
[ 23.803536][ T39] kasan_set_free_info+0x23/0x40
[ 23.808474][ T39] ____kasan_slab_free+0x126/0x160
[ 23.814387][ T39] __kasan_slab_free+0x11/0x20
[ 23.818996][ T39] slab_free_freelist_hook+0xbd/0x190
[ 23.825063][ T39] kmem_cache_free+0x116/0x2e0
[ 23.830003][ T39] kfree_skbmem+0x104/0x170
[ 23.834462][ T39] kfree_skb+0xc2/0x360
[ 23.838803][ T39] sk_psock_backlog+0xc21/0xd90
[ 23.843481][ T39] process_one_work+0x6bb/0xc10
[ 23.848612][ T39] worker_thread+0xad5/0x12a0
[ 23.853647][ T39] kthread+0x421/0x510
[ 23.857651][ T39] ret_from_fork+0x1f/0x30
[ 23.862337][ T39]
[ 23.865092][ T39] The buggy address belongs to the object at ffff88811dfc93c0
[ 23.865092][ T39] which belongs to the cache skbuff_head_cache of size 248
[ 23.881920][ T39] The buggy address is located 0 bytes inside of
[ 23.881920][ T39] 248-byte region [ffff88811dfc93c0, ffff88811dfc94b8)
[ 23.895478][ T39] The buggy address belongs to the page:
[ 23.901031][ T39] page:ffffea000477f240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11dfc9
[ 23.912226][ T39] flags: 0x4000000000000200(slab|zone=1)
[ 23.918242][ T39] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100351c80
[ 23.927089][ T39] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 23.936721][ T39] page dumped because: kasan: bad access detected
[ 23.944074][ T39] page_owner tracks the page as allocated
[ 23.949796][ T39] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 0, ts 23150409729, free_ts 23134000794
[ 23.965759][ T39] post_alloc_hook+0x1a3/0x1b0
[ 23.970357][ T39] prep_new_page+0x1b/0x110
[ 23.974696][ T39] get_page_from_freelist+0x3550/0x35d0
[ 23.980786][ T39] __alloc_pages+0x206/0x5e0
[ 23.985454][ T39] new_slab+0x9a/0x4e0
[ 23.989367][ T39] ___slab_alloc+0x39e/0x830
[ 23.993879][ T39] __slab_alloc+0x4a/0x90
[ 23.998046][ T39] kmem_cache_alloc+0x134/0x200
[ 24.003334][ T39] skb_clone+0x1d1/0x360
[ 24.007678][ T39] dev_queue_xmit_nit+0x25b/0xa40
[ 24.013154][ T39] dev_hard_start_xmit+0x149/0x620
[ 24.018534][ T39] sch_direct_xmit+0x298/0x9b0
[ 24.023929][ T39] __dev_queue_xmit+0x161e/0x2e70
[ 24.028912][ T39] dev_queue_xmit+0x17/0x20
[ 24.033225][ T39] ip_finish_output2+0xb9f/0xf60
[ 24.038012][ T39] __ip_finish_output+0x162/0x360
[ 24.042853][ T39] page last free stack trace:
[ 24.047366][ T39] free_unref_page_prepare+0x7c8/0x7d0
[ 24.052837][ T39] free_unref_page_list+0x14b/0xa60
[ 24.057966][ T39] release_pages+0x1310/0x1370
[ 24.062811][ T39] free_pages_and_swap_cache+0x8a/0xa0
[ 24.068588][ T39] tlb_finish_mmu+0x177/0x320
[ 24.073352][ T39] exit_mmap+0x3ef/0x6f0
[ 24.078033][ T39] __mmput+0x95/0x310
[ 24.081955][ T39] mmput+0x5b/0x170
[ 24.086171][ T39] do_exit+0xbb4/0x2b60
[ 24.090859][ T39] do_group_exit+0x141/0x310
[ 24.095643][ T39] __x64_sys_exit_group+0x3f/0x40
[ 24.100695][ T39] do_syscall_64+0x3d/0xb0
[ 24.105050][ T39] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 24.111054][ T39]
[ 24.113210][ T39] Memory state around the buggy address:
[ 24.118681][ T39] ffff88811dfc9280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.126697][ T39] ffff88811dfc9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 24.135384][ T39] >ffff88811dfc9380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 24.143274][ T39] ^
[ 24.149267][ T39] ffff88811dfc9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 306] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 306] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 306] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 306] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 306] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 306] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 306] write(6, "8", 1) = 1
[ 24.157168][ T39] ffff88811dfc9480: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 24.165650][ T39] ==================================================================
[ 24.179660][ T306] FAULT_INJECTION: forcing a failure.
[ 24.179660][ T306] name failslab, interval 1, probability 0, space 0, times 0
[ 24.193250][ T306] CPU: 0 PID: 306 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 24.205876][ T306] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 24.216143][ T306] Call Trace:
[ 24.219289][ T306]
[ 24.222358][ T306] dump_stack_lvl+0x151/0x1b7
[ 24.227062][ T306] ? io_uring_drop_tctx_refs+0x190/0x190
[ 24.233111][ T306] dump_stack+0x15/0x17
[ 24.237569][ T306] should_fail+0x3c6/0x510
[ 24.241883][ T306] __should_failslab+0xa4/0xe0
[ 24.246833][ T306] should_failslab+0x9/0x20
[ 24.251388][ T306] slab_pre_alloc_hook+0x37/0xd0
[ 24.256415][ T306] kmem_cache_alloc_trace+0x48/0x210
[ 24.261969][ T306] ? sk_psock_skb_ingress_self+0x60/0x330
[ 24.268717][ T306] ? migrate_disable+0x190/0x190
[ 24.274238][ T306] sk_psock_skb_ingress_self+0x60/0x330
[ 24.281212][ T306] sk_psock_verdict_recv+0x66d/0x840
[ 24.287038][ T306] unix_read_sock+0x132/0x370
[ 24.291690][ T306] ? sk_psock_skb_redirect+0x440/0x440
[ 24.297856][ T306] ? unix_stream_splice_actor+0x120/0x120
[ 24.303532][ T306] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 24.309027][ T306] ? unix_stream_splice_actor+0x120/0x120
[ 24.314915][ T306] sk_psock_verdict_data_ready+0x147/0x1a0
[ 24.320738][ T306] ? sk_psock_start_verdict+0xc0/0xc0
[ 24.326818][ T306] ? _raw_spin_lock+0xa4/0x1b0
[ 24.331590][ T306] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 24.338288][ T306] ? skb_queue_tail+0xfb/0x120
[ 24.343340][ T306] unix_dgram_sendmsg+0x15fa/0x2090
[ 24.348363][ T306] ? unix_dgram_poll+0x710/0x710
[ 24.353258][ T306] ? __kasan_check_read+0x11/0x20
[ 24.358179][ T306] ? security_socket_sendmsg+0x82/0xb0
[ 24.363832][ T306] ? unix_dgram_poll+0x710/0x710
[ 24.368944][ T306] ____sys_sendmsg+0x59e/0x8f0
[ 24.374419][ T306] ? __sys_sendmsg_sock+0x40/0x40
[ 24.381836][ T306] ? import_iovec+0xe5/0x120
[ 24.387050][ T306] ___sys_sendmsg+0x252/0x2e0
[ 24.392189][ T306] ? __sys_sendmsg+0x260/0x260
[ 24.397323][ T306] ? compat_start_thread+0x20/0x20
[ 24.402452][ T306] ? __kasan_check_read+0x11/0x20
[ 24.407676][ T306] ? __fdget+0x179/0x240
[ 24.412136][ T306] __sys_sendmmsg+0x2bf/0x530
[ 24.419864][ T306] ? __ia32_sys_sendmsg+0x90/0x90
[ 24.426204][ T306] ? __kasan_check_read+0x11/0x20
[ 24.431758][ T306] __x64_sys_sendmmsg+0xa0/0xb0
[ 24.437830][ T306] do_syscall_64+0x3d/0xb0
[ 24.442184][ T306] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 24.448381][ T306] RIP: 0033:0x7f5579b265a9
[ 24.453391][ T306] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 24.486547][ T306] RSP: 002b:00007fffca7ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 24.497512][ T306] RAX: ffffffffffffffda RBX: 00007fffca7ec060 RCX: 00007f5579b265a9
[pid 306] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 306] exit_group(0) = ?
[ 24.507943][ T306] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 24.517725][ T306] RBP: 0000000000000001 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 24.528265][ T306] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 24.540173][ T306] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 24.549958][ T306]
[ 24.555820][ T39] ==================================================================
[ 24.566532][ T39] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 24.576363][ T39]
[ 24.578679][ T39] CPU: 1 PID: 39 Comm: kworker/1:1 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 24.591349][ T39] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 24.601554][ T39] Workqueue: events bpf_map_free_deferred
[ 24.607188][ T39] Call Trace:
[ 24.610311][ T39]
[ 24.613177][ T39] dump_stack_lvl+0x151/0x1b7
[ 24.617706][ T39] ? io_uring_drop_tctx_refs+0x190/0x190
[ 24.623698][ T39] ? panic+0x751/0x751
[ 24.627714][ T39] ? kasan_set_free_info+0x23/0x40
[ 24.632657][ T39] ? ____kasan_slab_free+0x126/0x160
[ 24.637749][ T39] ? kmem_cache_free+0x116/0x2e0
[ 24.642522][ T39] print_address_description+0x87/0x3b0
[ 24.648768][ T39] ? worker_thread+0xad5/0x12a0
[ 24.653970][ T39] ? kthread+0x421/0x510
[ 24.658050][ T39] ? kmem_cache_free+0x116/0x2e0
[ 24.662818][ T39] ? kmem_cache_free+0x116/0x2e0
[ 24.667914][ T39] kasan_report_invalid_free+0x6b/0xa0
[ 24.673782][ T39] ____kasan_slab_free+0x13e/0x160
[ 24.680141][ T39] __kasan_slab_free+0x11/0x20
[ 24.685425][ T39] slab_free_freelist_hook+0xbd/0x190
[ 24.692426][ T39] ? kfree_skbmem+0x104/0x170
[ 24.697592][ T39] kmem_cache_free+0x116/0x2e0
[ 24.704325][ T39] kfree_skbmem+0x104/0x170
[ 24.708927][ T39] consume_skb+0xb4/0x250
[ 24.713608][ T39] __sk_msg_free+0x2dd/0x370
[ 24.718132][ T39] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 24.725609][ T39] sk_psock_stop+0x44c/0x4d0
[ 24.730906][ T39] sk_psock_drop+0x219/0x310
[ 24.736987][ T39] sock_map_unref+0x48f/0x4d0
[ 24.743074][ T39] sock_map_free+0x137/0x2b0
[ 24.748177][ T39] bpf_map_free_deferred+0x10d/0x1e0
[ 24.753849][ T39] process_one_work+0x6bb/0xc10
[ 24.758717][ T39] worker_thread+0xad5/0x12a0
[ 24.763167][ T39] ? _raw_spin_lock+0x1b0/0x1b0
[ 24.767856][ T39] kthread+0x421/0x510
[ 24.771760][ T39] ? worker_clr_flags+0x180/0x180
[ 24.777591][ T39] ? kthread_blkcg+0xd0/0xd0
[ 24.782176][ T39] ret_from_fork+0x1f/0x30
[ 24.786957][ T39]
[ 24.790613][ T39]
[ 24.793571][ T39] Allocated by task 306:
[ 24.798546][ T39] __kasan_slab_alloc+0xb1/0xe0
[ 24.804636][ T39] slab_post_alloc_hook+0x53/0x2c0
[ 24.810564][ T39] kmem_cache_alloc+0xf5/0x200
[ 24.817575][ T39] skb_clone+0x1d1/0x360
[ 24.825242][ T39] sk_psock_verdict_recv+0x53/0x840
[ 24.831032][ T39] unix_read_sock+0x132/0x370
[ 24.836262][ T39] sk_psock_verdict_data_ready+0x147/0x1a0
[ 24.843567][ T39] unix_dgram_sendmsg+0x15fa/0x2090
[ 24.853287][ T39] ____sys_sendmsg+0x59e/0x8f0
[ 24.858942][ T39] ___sys_sendmsg+0x252/0x2e0
[ 24.864951][ T39] __sys_sendmmsg+0x2bf/0x530
[ 24.870063][ T39] __x64_sys_sendmmsg+0xa0/0xb0
[ 24.876210][ T39] do_syscall_64+0x3d/0xb0
[ 24.882105][ T39] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 24.888738][ T39]
[ 24.891374][ T39] Freed by task 20:
[ 24.895111][ T39] kasan_set_track+0x4b/0x70
[ 24.899618][ T39] kasan_set_free_info+0x23/0x40
[ 24.904589][ T39] ____kasan_slab_free+0x126/0x160
[ 24.909512][ T39] __kasan_slab_free+0x11/0x20
[ 24.915093][ T39] slab_free_freelist_hook+0xbd/0x190
[ 24.920786][ T39] kmem_cache_free+0x116/0x2e0
[ 24.925980][ T39] kfree_skbmem+0x104/0x170
[ 24.930673][ T39] kfree_skb+0xc2/0x360
[ 24.935073][ T39] sk_psock_backlog+0xc21/0xd90
[ 24.941821][ T39] process_one_work+0x6bb/0xc10
[ 24.947628][ T39] worker_thread+0xad5/0x12a0
[ 24.954078][ T39] kthread+0x421/0x510
[ 24.959381][ T39] ret_from_fork+0x1f/0x30
[ 24.964091][ T39]
[ 24.966656][ T39] The buggy address belongs to the object at ffff88811e731140
[ 24.966656][ T39] which belongs to the cache skbuff_head_cache of size 248
[ 24.983238][ T39] The buggy address is located 0 bytes inside of
[ 24.983238][ T39] 248-byte region [ffff88811e731140, ffff88811e731238)
[ 24.997217][ T39] The buggy address belongs to the page:
[ 25.003879][ T39] page:ffffea000479cc40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e731
[ 25.016494][ T39] flags: 0x4000000000000200(slab|zone=1)
[ 25.023541][ T39] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100351c80
[ 25.033586][ T39] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 25.045772][ T39] page dumped because: kasan: bad access detected
[ 25.053126][ T39] page_owner tracks the page as allocated
[ 25.060154][ T39] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 306, ts 24179651728, free_ts 0
[ 25.080621][ T39] post_alloc_hook+0x1a3/0x1b0
[ 25.087217][ T39] prep_new_page+0x1b/0x110
[ 25.092302][ T39] get_page_from_freelist+0x3550/0x35d0
[ 25.098351][ T39] __alloc_pages+0x206/0x5e0
[ 25.103739][ T39] new_slab+0x9a/0x4e0
[ 25.108679][ T39] ___slab_alloc+0x39e/0x830
[ 25.113266][ T39] __slab_alloc+0x4a/0x90
[ 25.118213][ T39] kmem_cache_alloc+0x134/0x200
[ 25.123595][ T39] skb_clone+0x1d1/0x360
[ 25.127868][ T39] sk_psock_verdict_recv+0x53/0x840
[ 25.134033][ T39] unix_read_sock+0x132/0x370
[ 25.139992][ T39] sk_psock_verdict_data_ready+0x147/0x1a0
[ 25.146640][ T39] unix_dgram_sendmsg+0x15fa/0x2090
[ 25.152457][ T39] ____sys_sendmsg+0x59e/0x8f0
[ 25.157314][ T39] ___sys_sendmsg+0x252/0x2e0
[ 25.161813][ T39] __sys_sendmmsg+0x2bf/0x530
[ 25.166485][ T39] page_owner free stack trace missing
[ 25.171750][ T39]
[ 25.174466][ T39] Memory state around the buggy address:
[ 25.181082][ T39] ffff88811e731000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.189740][ T39] ffff88811e731080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 25.197687][ T39] >ffff88811e731100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 25.205667][ T39] ^
[pid 306] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=306, si_uid=0, si_status=0, si_utime=0, si_stime=61} ---
umount2("./10", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./10/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./10/binderfs") = 0
umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./10/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./10/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./10") = 0
mkdir("./11", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 309
./strace-static-x86_64: Process 309 attached
[pid 309] set_robust_list(0x555555cf6660, 24) = 0
[pid 309] chdir("./11") = 0
[pid 309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 309] setpgid(0, 0) = 0
[pid 309] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 309] write(3, "1000", 4) = 4
[pid 309] close(3) = 0
[pid 309] symlink("/dev/binderfs", "./binderfs") = 0
[pid 309] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 309] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 309] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 309] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 309] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 309] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 309] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 309] write(6, "8", 1) = 1
[ 25.212207][ T39] ffff88811e731180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.221539][ T39] ffff88811e731200: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 25.229952][ T39] ==================================================================
[ 25.251778][ T309] FAULT_INJECTION: forcing a failure.
[ 25.251778][ T309] name failslab, interval 1, probability 0, space 0, times 0
[ 25.266695][ T309] CPU: 0 PID: 309 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 25.279754][ T309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 25.290590][ T309] Call Trace:
[ 25.294196][ T309]
[ 25.297140][ T309] dump_stack_lvl+0x151/0x1b7
[ 25.303562][ T309] ? io_uring_drop_tctx_refs+0x190/0x190
[ 25.309473][ T309] dump_stack+0x15/0x17
[ 25.314411][ T309] should_fail+0x3c6/0x510
[ 25.319049][ T309] __should_failslab+0xa4/0xe0
[ 25.324646][ T309] should_failslab+0x9/0x20
[ 25.329149][ T309] slab_pre_alloc_hook+0x37/0xd0
[ 25.334459][ T309] kmem_cache_alloc_trace+0x48/0x210
[ 25.341633][ T309] ? sk_psock_skb_ingress_self+0x60/0x330
[ 25.347528][ T309] ? migrate_disable+0x190/0x190
[ 25.352917][ T309] sk_psock_skb_ingress_self+0x60/0x330
[ 25.358807][ T309] sk_psock_verdict_recv+0x66d/0x840
[ 25.364223][ T309] unix_read_sock+0x132/0x370
[ 25.369239][ T309] ? sk_psock_skb_redirect+0x440/0x440
[ 25.374783][ T309] ? unix_stream_splice_actor+0x120/0x120
[ 25.380668][ T309] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 25.387028][ T309] ? unix_stream_splice_actor+0x120/0x120
[ 25.392819][ T309] sk_psock_verdict_data_ready+0x147/0x1a0
[ 25.398700][ T309] ? sk_psock_start_verdict+0xc0/0xc0
[ 25.403965][ T309] ? _raw_spin_lock+0xa4/0x1b0
[ 25.408553][ T309] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 25.414488][ T309] ? skb_queue_tail+0xfb/0x120
[ 25.419123][ T309] unix_dgram_sendmsg+0x15fa/0x2090
[ 25.424331][ T309] ? unix_dgram_poll+0x710/0x710
[ 25.429192][ T309] ? security_socket_sendmsg+0x82/0xb0
[ 25.434603][ T309] ? unix_dgram_poll+0x710/0x710
[ 25.439520][ T309] ____sys_sendmsg+0x59e/0x8f0
[ 25.444326][ T309] ? __sys_sendmsg_sock+0x40/0x40
[ 25.449344][ T309] ? import_iovec+0xe5/0x120
[ 25.454048][ T309] ___sys_sendmsg+0x252/0x2e0
[ 25.458686][ T309] ? __sys_sendmsg+0x260/0x260
[ 25.463247][ T309] ? compat_start_thread+0x20/0x20
[ 25.468443][ T309] ? __kasan_check_read+0x11/0x20
[ 25.473953][ T309] ? __fdget+0x179/0x240
[ 25.478027][ T309] __sys_sendmmsg+0x2bf/0x530
[ 25.483802][ T309] ? __ia32_sys_sendmsg+0x90/0x90
[ 25.489201][ T309] ? __kasan_check_read+0x11/0x20
[ 25.494228][ T309] __x64_sys_sendmmsg+0xa0/0xb0
[ 25.499558][ T309] do_syscall_64+0x3d/0xb0
[ 25.505363][ T309] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 25.511602][ T309] RIP: 0033:0x7f5579b265a9
[ 25.515982][ T309] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 25.537287][ T309] RSP: 002b:00007fffca7ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 25.546883][ T309] RAX: ffffffffffffffda RBX: 00007fffca7ec060 RCX: 00007f5579b265a9
[ 25.555007][ T309] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[pid 309] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 309] exit_group(0) = ?
[ 25.563789][ T309] RBP: 0000000000000001 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 25.573382][ T309] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 25.581145][ T309] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 25.589572][ T309]
[ 25.594536][ T309] ==================================================================
[ 25.596296][ T30] audit: type=1400 audit(1695263296.702:74): avc: denied { remove_name } for pid=82 comm="syslogd" name="messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 25.602676][ T309] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 25.602703][ T309]
[ 25.602708][ T309] CPU: 0 PID: 309 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 25.602726][ T309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 25.626667][ T30] audit: type=1400 audit(1695263296.702:75): avc: denied { rename } for pid=82 comm="syslogd" name="messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 25.633514][ T309] Call Trace:
[ 25.633529][ T309]
[ 25.633537][ T309] dump_stack_lvl+0x151/0x1b7
[ 25.633563][ T309] ? io_uring_drop_tctx_refs+0x190/0x190
[ 25.633579][ T309] ? __wake_up_klogd+0xd5/0x110
[ 25.705429][ T309] ? panic+0x751/0x751
[ 25.709338][ T309] ? kmem_cache_free+0x116/0x2e0
[ 25.714363][ T309] print_address_description+0x87/0x3b0
[ 25.720434][ T309] ? kmem_cache_free+0x116/0x2e0
[ 25.725551][ T309] ? kmem_cache_free+0x116/0x2e0
[ 25.730385][ T309] kasan_report_invalid_free+0x6b/0xa0
[ 25.737030][ T309] ____kasan_slab_free+0x13e/0x160
[ 25.744345][ T309] __kasan_slab_free+0x11/0x20
[ 25.749688][ T309] slab_free_freelist_hook+0xbd/0x190
[ 25.755233][ T309] ? kfree_skbmem+0x104/0x170
[ 25.760375][ T309] kmem_cache_free+0x116/0x2e0
[ 25.765479][ T309] kfree_skbmem+0x104/0x170
[ 25.770582][ T309] consume_skb+0xb4/0x250
[ 25.775813][ T309] __sk_msg_free+0x2dd/0x370
[ 25.780734][ T309] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 25.786842][ T309] sk_psock_stop+0x44c/0x4d0
[ 25.792187][ T309] ? unix_peer_get+0xe0/0xe0
[ 25.797194][ T309] sock_map_close+0x2b9/0x4c0
[ 25.802063][ T309] ? sock_map_remove_links+0x570/0x570
[ 25.807607][ T309] ? rwsem_mark_wake+0x6b0/0x6b0
[ 25.812647][ T309] ? security_file_free+0xc6/0xe0
[ 25.818116][ T309] unix_release+0x82/0xc0
[ 25.822654][ T309] sock_close+0xdf/0x270
[ 25.828290][ T309] ? sock_mmap+0xa0/0xa0
[ 25.833932][ T309] __fput+0x3fe/0x910
[ 25.838576][ T309] ____fput+0x15/0x20
[ 25.842395][ T309] task_work_run+0x129/0x190
[ 25.847163][ T309] do_exit+0xc60/0x2b60
[ 25.851333][ T309] ? put_task_struct+0x80/0x80
[ 25.857714][ T309] ? ptrace_notify+0x24c/0x350
[ 25.863072][ T309] ? do_notify_parent+0xa30/0xa30
[ 25.869841][ T309] do_group_exit+0x141/0x310
[ 25.875259][ T309] __x64_sys_exit_group+0x3f/0x40
[ 25.884387][ T309] do_syscall_64+0x3d/0xb0
[ 25.891039][ T309] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 25.899746][ T309] RIP: 0033:0x7f5579b24509
[ 25.906485][ T309] Code: Unable to access opcode bytes at RIP 0x7f5579b244df.
[ 25.914411][ T309] RSP: 002b:00007fffca7ebfd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 25.925016][ T309] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5579b24509
[ 25.933194][ T309] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 25.941489][ T309] RBP: 00007f5579b9f370 R08: ffffffffffffffb8 R09: 00007fffca7fc198
[ 25.950503][ T309] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5579b9f370
[ 25.960040][ T309] R13: 0000000000000000 R14: 00007f5579b9fdc0 R15: 00007f5579af54f0
[ 25.967950][ T309]
[ 25.970797][ T309]
[ 25.972970][ T309] Allocated by task 309:
[ 25.977147][ T309] __kasan_slab_alloc+0xb1/0xe0
[ 25.981937][ T309] slab_post_alloc_hook+0x53/0x2c0
[ 25.987025][ T309] kmem_cache_alloc+0xf5/0x200
[ 25.991628][ T309] skb_clone+0x1d1/0x360
[ 25.995717][ T309] sk_psock_verdict_recv+0x53/0x840
[ 26.000743][ T309] unix_read_sock+0x132/0x370
[ 26.005253][ T309] sk_psock_verdict_data_ready+0x147/0x1a0
[ 26.010920][ T309] unix_dgram_sendmsg+0x15fa/0x2090
[ 26.016016][ T309] ____sys_sendmsg+0x59e/0x8f0
[ 26.020731][ T309] ___sys_sendmsg+0x252/0x2e0
[ 26.025226][ T309] __sys_sendmmsg+0x2bf/0x530
[ 26.030133][ T309] __x64_sys_sendmmsg+0xa0/0xb0
[ 26.034783][ T309] do_syscall_64+0x3d/0xb0
[ 26.039020][ T309] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 26.044842][ T309]
[ 26.047011][ T309] Freed by task 20:
[ 26.050680][ T309] kasan_set_track+0x4b/0x70
[ 26.055350][ T309] kasan_set_free_info+0x23/0x40
[ 26.060472][ T309] ____kasan_slab_free+0x126/0x160
[ 26.065378][ T309] __kasan_slab_free+0x11/0x20
[ 26.069976][ T309] slab_free_freelist_hook+0xbd/0x190
[ 26.075357][ T309] kmem_cache_free+0x116/0x2e0
[ 26.079982][ T309] kfree_skbmem+0x104/0x170
[ 26.084588][ T309] kfree_skb+0xc2/0x360
[ 26.088682][ T309] sk_psock_backlog+0xc21/0xd90
[ 26.093448][ T309] process_one_work+0x6bb/0xc10
[ 26.098117][ T309] worker_thread+0xad5/0x12a0
[ 26.102779][ T309] kthread+0x421/0x510
[ 26.106989][ T309] ret_from_fork+0x1f/0x30
[ 26.111354][ T309]
[ 26.113788][ T309] The buggy address belongs to the object at ffff88811e74bdc0
[ 26.113788][ T309] which belongs to the cache skbuff_head_cache of size 248
[ 26.128567][ T309] The buggy address is located 0 bytes inside of
[ 26.128567][ T309] 248-byte region [ffff88811e74bdc0, ffff88811e74beb8)
[ 26.142590][ T309] The buggy address belongs to the page:
[ 26.149753][ T309] page:ffffea000479d2c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e74b
[ 26.161879][ T309] flags: 0x4000000000000200(slab|zone=1)
[ 26.168032][ T309] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100351c80
[ 26.177245][ T309] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 26.186085][ T309] page dumped because: kasan: bad access detected
[ 26.192427][ T309] page_owner tracks the page as allocated
[ 26.197962][ T309] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 309, ts 25250904347, free_ts 0
[ 26.214083][ T309] post_alloc_hook+0x1a3/0x1b0
[ 26.219286][ T309] prep_new_page+0x1b/0x110
[ 26.223629][ T309] get_page_from_freelist+0x3550/0x35d0
[ 26.230237][ T309] __alloc_pages+0x206/0x5e0
[ 26.235398][ T309] new_slab+0x9a/0x4e0
[ 26.239826][ T309] ___slab_alloc+0x39e/0x830
[ 26.245412][ T309] kmem_cache_alloc_bulk+0x104/0x360
[ 26.251232][ T309] napi_skb_cache_get+0x11f/0x1f0
[ 26.256210][ T309] __alloc_skb+0xd5/0x550
[ 26.260933][ T309] __napi_alloc_skb+0x167/0x2e0
[ 26.265842][ T309] page_to_skb+0x2a5/0xb40
[ 26.270404][ T309] receive_buf+0xed6/0x5720
[ 26.274700][ T309] virtnet_poll+0x628/0x1260
[ 26.279123][ T309] __napi_poll+0xc4/0x5a0
[ 26.283291][ T309] net_rx_action+0x47d/0xc50
[ 26.287803][ T309] __do_softirq+0x26d/0x5bf
[ 26.292925][ T309] page_owner free stack trace missing
[ 26.299180][ T309]
[ 26.301463][ T309] Memory state around the buggy address:
[ 26.308377][ T309] ffff88811e74bc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[pid 309] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=309, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
umount2("./11", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./11", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./11/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./11/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./11/binderfs") = 0
umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./11/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./11/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./11") = 0
mkdir("./12", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 311
./strace-static-x86_64: Process 311 attached
[pid 311] set_robust_list(0x555555cf6660, 24) = 0
[pid 311] chdir("./12") = 0
[pid 311] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 311] setpgid(0, 0) = 0
[pid 311] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 311] write(3, "1000", 4) = 4
[pid 311] close(3) = 0
[pid 311] symlink("/dev/binderfs", "./binderfs") = 0
[pid 311] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 311] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 311] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 311] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 311] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 311] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 311] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 311] write(6, "8", 1) = 1
[pid 311] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 26.316348][ T309] ffff88811e74bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.325935][ T309] >ffff88811e74bd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 26.334212][ T309] ^
[ 26.340380][ T309] ffff88811e74be00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.348648][ T309] ffff88811e74be80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 26.356877][ T309] ==================================================================
[ 26.379317][ T311] FAULT_INJECTION: forcing a failure.
[ 26.379317][ T311] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 26.393000][ T311] CPU: 1 PID: 311 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 26.404535][ T311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 26.414648][ T311] Call Trace:
[ 26.417751][ T311]
[ 26.420527][ T311] dump_stack_lvl+0x151/0x1b7
[ 26.425074][ T311] ? io_uring_drop_tctx_refs+0x190/0x190
[ 26.431989][ T311] dump_stack+0x15/0x17
[ 26.437215][ T311] should_fail+0x3c6/0x510
[ 26.441472][ T311] should_fail_alloc_page+0x5a/0x80
[ 26.446743][ T311] prepare_alloc_pages+0x15c/0x700
[ 26.452137][ T311] ? __alloc_pages_bulk+0xe60/0xe60
[ 26.457948][ T311] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 26.463303][ T311] __alloc_pages+0x138/0x5e0
[ 26.468174][ T311] ? prep_new_page+0x110/0x110
[ 26.473755][ T311] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 26.480427][ T311] ? scm_destroy+0x83/0x90
[ 26.485000][ T311] ? unix_dgram_sendmsg+0x160a/0x2090
[ 26.490885][ T311] wp_page_copy+0x200/0x1b00
[ 26.495581][ T311] ? __kasan_check_write+0x14/0x20
[ 26.500600][ T311] ? insert_page_into_pte_locked+0x4e0/0x4e0
[ 26.507112][ T311] ? __pte_map_lock+0x442/0x620
[ 26.511785][ T311] do_wp_page+0x6fa/0xb60
[ 26.516497][ T311] handle_pte_fault+0x72e/0x2340
[ 26.521445][ T311] ? fault_around_bytes_set+0xc0/0xc0
[ 26.526716][ T311] do_handle_mm_fault+0x1fed/0x2330
[ 26.531774][ T311] ? numa_migrate_prep+0xe0/0xe0
[ 26.536602][ T311] ? __kasan_check_write+0x14/0x20
[ 26.541659][ T311] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 26.546599][ T311] ? _raw_spin_lock_irqsave+0x210/0x210
[ 26.552570][ T311] ? _raw_spin_unlock_irq+0x4e/0x70
[ 26.558716][ T311] ? down_read_trylock+0x1f9/0x300
[ 26.563655][ T311] ? __init_rwsem+0x1c0/0x1c0
[ 26.568691][ T311] ? vmacache_update+0xb7/0x120
[ 26.573383][ T311] ? __find_vma+0x136/0x150
[ 26.578511][ T311] exc_page_fault+0x3b5/0x830
[ 26.583017][ T311] asm_exc_page_fault+0x27/0x30
[ 26.588163][ T311] RIP: 0033:0x7f5579afc4f0
[ 26.592381][ T311] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d fd 0a 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 b0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 a3 38 0a 00 4c
[ 26.612084][ T311] RSP: 002b:00007fffca7ebfe0 EFLAGS: 00010246
[ 26.618135][ T311] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[pid 311] exit_group(0) = ?
[pid 311] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=311, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./12", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./12", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./12/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./12/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./12/binderfs") = 0
umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./12/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./12/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./12") = 0
mkdir("./13", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 312 attached
, child_tidptr=0x555555cf6650) = 312
[pid 312] set_robust_list(0x555555cf6660, 24) = 0
[pid 312] chdir("./13") = 0
[pid 312] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 312] setpgid(0, 0) = 0
[pid 312] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 312] write(3, "1000", 4) = 4
[pid 312] close(3) = 0
[pid 312] symlink("/dev/binderfs", "./binderfs") = 0
[pid 312] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 312] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 312] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 312] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 312] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 312] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 312] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 312] write(6, "8", 1) = 1
[ 26.626840][ T311] RDX: 0000000000000001 RSI: 00007f5579b9d120 RDI: 0000000000000000
[ 26.634779][ T311] RBP: 00007f5579b9d120 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 26.642741][ T311] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 26.650563][ T311] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 26.658634][ T311]
[ 26.661606][ T311] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
[ 26.684444][ T312] FAULT_INJECTION: forcing a failure.
[ 26.684444][ T312] name failslab, interval 1, probability 0, space 0, times 0
[ 26.697897][ T312] CPU: 0 PID: 312 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 26.710757][ T312] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 26.723131][ T312] Call Trace:
[ 26.726249][ T312]
[ 26.729243][ T312] dump_stack_lvl+0x151/0x1b7
[ 26.733967][ T312] ? io_uring_drop_tctx_refs+0x190/0x190
[ 26.739842][ T312] dump_stack+0x15/0x17
[ 26.744608][ T312] should_fail+0x3c6/0x510
[ 26.750647][ T312] __should_failslab+0xa4/0xe0
[ 26.756448][ T312] should_failslab+0x9/0x20
[ 26.762375][ T312] slab_pre_alloc_hook+0x37/0xd0
[ 26.767621][ T312] kmem_cache_alloc_trace+0x48/0x210
[ 26.773596][ T312] ? sk_psock_skb_ingress_self+0x60/0x330
[ 26.780989][ T312] ? migrate_disable+0x190/0x190
[ 26.787752][ T312] sk_psock_skb_ingress_self+0x60/0x330
[ 26.793430][ T312] sk_psock_verdict_recv+0x66d/0x840
[ 26.799140][ T312] unix_read_sock+0x132/0x370
[ 26.803875][ T312] ? sk_psock_skb_redirect+0x440/0x440
[ 26.809868][ T312] ? unix_stream_splice_actor+0x120/0x120
[ 26.815727][ T312] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 26.821269][ T312] ? unix_stream_splice_actor+0x120/0x120
[ 26.826835][ T312] sk_psock_verdict_data_ready+0x147/0x1a0
[ 26.832704][ T312] ? sk_psock_start_verdict+0xc0/0xc0
[ 26.837919][ T312] ? _raw_spin_lock+0xa4/0x1b0
[ 26.842487][ T312] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 26.848398][ T312] ? skb_queue_tail+0xfb/0x120
[ 26.853081][ T312] unix_dgram_sendmsg+0x15fa/0x2090
[ 26.858378][ T312] ? unix_dgram_poll+0x710/0x710
[ 26.863239][ T312] ? __kasan_check_read+0x11/0x20
[ 26.868271][ T312] ? security_socket_sendmsg+0x82/0xb0
[ 26.873754][ T312] ? unix_dgram_poll+0x710/0x710
[ 26.878592][ T312] ____sys_sendmsg+0x59e/0x8f0
[ 26.883279][ T312] ? __sys_sendmsg_sock+0x40/0x40
[ 26.888185][ T312] ? import_iovec+0xe5/0x120
[ 26.892667][ T312] ___sys_sendmsg+0x252/0x2e0
[ 26.897191][ T312] ? __sys_sendmsg+0x260/0x260
[ 26.901862][ T312] ? compat_start_thread+0x20/0x20
[ 26.907291][ T312] ? __kasan_check_read+0x11/0x20
[ 26.912223][ T312] ? __fdget+0x179/0x240
[ 26.916410][ T312] __sys_sendmmsg+0x2bf/0x530
[ 26.920911][ T312] ? __ia32_sys_sendmsg+0x90/0x90
[ 26.926256][ T312] ? __kasan_check_read+0x11/0x20
[ 26.931099][ T312] __x64_sys_sendmmsg+0xa0/0xb0
[ 26.935872][ T312] do_syscall_64+0x3d/0xb0
[ 26.940307][ T312] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 26.946392][ T312] RIP: 0033:0x7f5579b265a9
[ 26.950636][ T312] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 26.970070][ T312] RSP: 002b:00007fffca7ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[pid 312] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 312] exit_group(0) = ?
[ 26.978313][ T312] RAX: ffffffffffffffda RBX: 00007fffca7ec060 RCX: 00007f5579b265a9
[ 26.986245][ T312] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 26.994059][ T312] RBP: 0000000000000001 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 27.001980][ T312] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 27.009802][ T312] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 27.017653][ T312]
[ 27.022058][ T39] ==================================================================
[ 27.030631][ T39] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 27.040320][ T39]
[ 27.042553][ T39] CPU: 1 PID: 39 Comm: kworker/1:1 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 27.053754][ T39] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 27.064344][ T39] Workqueue: events bpf_map_free_deferred
[ 27.069932][ T39] Call Trace:
[ 27.073017][ T39]
[ 27.075794][ T39] dump_stack_lvl+0x151/0x1b7
[ 27.080314][ T39] ? io_uring_drop_tctx_refs+0x190/0x190
[ 27.085802][ T39] ? panic+0x751/0x751
[ 27.089829][ T39] ? kasan_set_free_info+0x23/0x40
[ 27.094813][ T39] ? ____kasan_slab_free+0x126/0x160
[ 27.100106][ T39] ? kmem_cache_free+0x116/0x2e0
[ 27.105227][ T39] print_address_description+0x87/0x3b0
[ 27.111148][ T39] ? worker_thread+0xad5/0x12a0
[ 27.115926][ T39] ? kthread+0x421/0x510
[ 27.120236][ T39] ? kmem_cache_free+0x116/0x2e0
[ 27.125082][ T39] ? kmem_cache_free+0x116/0x2e0
[ 27.129866][ T39] kasan_report_invalid_free+0x6b/0xa0
[ 27.135374][ T39] ____kasan_slab_free+0x13e/0x160
[ 27.141235][ T39] __kasan_slab_free+0x11/0x20
[ 27.145918][ T39] slab_free_freelist_hook+0xbd/0x190
[ 27.151483][ T39] ? kfree_skbmem+0x104/0x170
[ 27.156670][ T39] kmem_cache_free+0x116/0x2e0
[ 27.161270][ T39] kfree_skbmem+0x104/0x170
[ 27.165614][ T39] consume_skb+0xb4/0x250
[ 27.169783][ T39] __sk_msg_free+0x2dd/0x370
[ 27.174295][ T39] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 27.180006][ T39] sk_psock_stop+0x44c/0x4d0
[ 27.184437][ T39] sk_psock_drop+0x219/0x310
[ 27.189090][ T39] sock_map_unref+0x48f/0x4d0
[ 27.193715][ T39] sock_map_free+0x137/0x2b0
[ 27.198131][ T39] bpf_map_free_deferred+0x10d/0x1e0
[ 27.203345][ T39] process_one_work+0x6bb/0xc10
[ 27.208223][ T39] worker_thread+0xad5/0x12a0
[ 27.212817][ T39] ? _raw_spin_lock+0x1b0/0x1b0
[ 27.217831][ T39] kthread+0x421/0x510
[ 27.221778][ T39] ? worker_clr_flags+0x180/0x180
[ 27.226922][ T39] ? kthread_blkcg+0xd0/0xd0
[ 27.231709][ T39] ret_from_fork+0x1f/0x30
[ 27.236418][ T39]
[ 27.239425][ T39]
[ 27.242376][ T39] Allocated by task 312:
[ 27.246479][ T39] __kasan_slab_alloc+0xb1/0xe0
[ 27.251280][ T39] slab_post_alloc_hook+0x53/0x2c0
[ 27.256881][ T39] kmem_cache_alloc+0xf5/0x200
[ 27.261610][ T39] skb_clone+0x1d1/0x360
[ 27.265691][ T39] sk_psock_verdict_recv+0x53/0x840
[ 27.271113][ T39] unix_read_sock+0x132/0x370
[ 27.275802][ T39] sk_psock_verdict_data_ready+0x147/0x1a0
[ 27.281647][ T39] unix_dgram_sendmsg+0x15fa/0x2090
[ 27.287002][ T39] ____sys_sendmsg+0x59e/0x8f0
[ 27.291602][ T39] ___sys_sendmsg+0x252/0x2e0
[ 27.296138][ T39] __sys_sendmmsg+0x2bf/0x530
[ 27.300746][ T39] __x64_sys_sendmmsg+0xa0/0xb0
[ 27.305510][ T39] do_syscall_64+0x3d/0xb0
[ 27.309762][ T39] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 27.315654][ T39]
[ 27.317822][ T39] Freed by task 39:
[ 27.321469][ T39] kasan_set_track+0x4b/0x70
[ 27.326075][ T39] kasan_set_free_info+0x23/0x40
[ 27.331014][ T39] ____kasan_slab_free+0x126/0x160
[ 27.336134][ T39] __kasan_slab_free+0x11/0x20
[ 27.340936][ T39] slab_free_freelist_hook+0xbd/0x190
[ 27.346130][ T39] kmem_cache_free+0x116/0x2e0
[ 27.350895][ T39] kfree_skbmem+0x104/0x170
[ 27.355233][ T39] kfree_skb+0xc2/0x360
[ 27.359224][ T39] sk_psock_backlog+0xc21/0xd90
[ 27.364109][ T39] process_one_work+0x6bb/0xc10
[ 27.369031][ T39] worker_thread+0xad5/0x12a0
[ 27.373544][ T39] kthread+0x421/0x510
[ 27.377452][ T39] ret_from_fork+0x1f/0x30
[ 27.381897][ T39]
[ 27.384087][ T39] The buggy address belongs to the object at ffff88811e75dc80
[ 27.384087][ T39] which belongs to the cache skbuff_head_cache of size 248
[ 27.398724][ T39] The buggy address is located 0 bytes inside of
[ 27.398724][ T39] 248-byte region [ffff88811e75dc80, ffff88811e75dd78)
[ 27.412433][ T39] The buggy address belongs to the page:
[ 27.417862][ T39] page:ffffea000479d740 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e75d
[ 27.428403][ T39] flags: 0x4000000000000200(slab|zone=1)
[ 27.434314][ T39] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100351c80
[ 27.442903][ T39] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 27.451486][ T39] page dumped because: kasan: bad access detected
[ 27.458570][ T39] page_owner tracks the page as allocated
[ 27.464104][ T39] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 312, ts 26684415480, free_ts 0
[ 27.479556][ T39] post_alloc_hook+0x1a3/0x1b0
[ 27.484772][ T39] prep_new_page+0x1b/0x110
[ 27.489383][ T39] get_page_from_freelist+0x3550/0x35d0
[ 27.495118][ T39] __alloc_pages+0x206/0x5e0
[ 27.499835][ T39] new_slab+0x9a/0x4e0
[ 27.504313][ T39] ___slab_alloc+0x39e/0x830
[ 27.508913][ T39] __slab_alloc+0x4a/0x90
[ 27.513170][ T39] kmem_cache_alloc+0x134/0x200
[ 27.518105][ T39] __alloc_skb+0xbe/0x550
[ 27.522622][ T39] alloc_skb_with_frags+0xa6/0x680
[ 27.528079][ T39] sock_alloc_send_pskb+0x915/0xa50
[ 27.533434][ T39] unix_dgram_sendmsg+0x6fd/0x2090
[ 27.538956][ T39] ____sys_sendmsg+0x59e/0x8f0
[ 27.543713][ T39] ___sys_sendmsg+0x252/0x2e0
[ 27.548593][ T39] __sys_sendmmsg+0x2bf/0x530
[ 27.553776][ T39] __x64_sys_sendmmsg+0xa0/0xb0
[ 27.558629][ T39] page_owner free stack trace missing
[ 27.563925][ T39]
[ 27.566077][ T39] Memory state around the buggy address:
[ 27.571547][ T39] ffff88811e75db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.579451][ T39] ffff88811e75dc00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[pid 312] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=312, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./13", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./13", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./13/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./13/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./13/binderfs") = 0
umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./13/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./13/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./13") = 0
mkdir("./14", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 314
./strace-static-x86_64: Process 314 attached
[pid 314] set_robust_list(0x555555cf6660, 24) = 0
[pid 314] chdir("./14") = 0
[pid 314] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 314] setpgid(0, 0) = 0
[pid 314] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 314] write(3, "1000", 4) = 4
[pid 314] close(3) = 0
[pid 314] symlink("/dev/binderfs", "./binderfs") = 0
[pid 314] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 314] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 314] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 314] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 314] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 314] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 314] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 314] write(6, "8", 1) = 1
[pid 314] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 27.587433][ T39] >ffff88811e75dc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.595322][ T39] ^
[ 27.599231][ T39] ffff88811e75dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 27.607318][ T39] ffff88811e75dd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 27.615199][ T39] ==================================================================
[ 27.640427][ T314] FAULT_INJECTION: forcing a failure.
[ 27.640427][ T314] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 27.655466][ T314] CPU: 0 PID: 314 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 27.669510][ T314] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 27.680826][ T314] Call Trace:
[ 27.684006][ T314]
[ 27.687336][ T314] dump_stack_lvl+0x151/0x1b7
[ 27.692514][ T314] ? io_uring_drop_tctx_refs+0x190/0x190
[ 27.698983][ T314] dump_stack+0x15/0x17
[ 27.703113][ T314] should_fail+0x3c6/0x510
[ 27.707700][ T314] should_fail_alloc_page+0x5a/0x80
[ 27.712829][ T314] prepare_alloc_pages+0x15c/0x700
[ 27.720472][ T314] ? __alloc_pages_bulk+0xe60/0xe60
[ 27.726785][ T314] ? enqueue_task_fair+0xd61/0x29a0
[ 27.732142][ T314] __alloc_pages+0x138/0x5e0
[ 27.736723][ T314] ? prep_new_page+0x110/0x110
[ 27.741397][ T314] wp_page_copy+0x200/0x1b00
[ 27.746114][ T314] ? __kasan_check_write+0x14/0x20
[ 27.751030][ T314] ? insert_page_into_pte_locked+0x4e0/0x4e0
[ 27.756929][ T314] ? __pte_map_lock+0x442/0x620
[ 27.761665][ T314] do_wp_page+0x6fa/0xb60
[ 27.765789][ T314] handle_pte_fault+0x72e/0x2340
[ 27.770556][ T314] ? update_load_avg+0x43a/0x1150
[ 27.775426][ T314] ? fault_around_bytes_set+0xc0/0xc0
[ 27.780640][ T314] do_handle_mm_fault+0x1fed/0x2330
[ 27.785677][ T314] ? numa_migrate_prep+0xe0/0xe0
[ 27.790607][ T314] ? __kasan_check_write+0x14/0x20
[ 27.795834][ T314] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 27.801107][ T314] ? _raw_spin_lock_irqsave+0x210/0x210
[ 27.806489][ T314] ? _raw_spin_unlock_irq+0x4e/0x70
[ 27.811522][ T314] ? down_read_trylock+0x1f9/0x300
[ 27.816481][ T314] ? __init_rwsem+0x1c0/0x1c0
[ 27.821622][ T314] ? vmacache_update+0xb7/0x120
[ 27.826939][ T314] ? __find_vma+0x136/0x150
[ 27.831435][ T314] exc_page_fault+0x3b5/0x830
[ 27.836027][ T314] asm_exc_page_fault+0x27/0x30
[ 27.841031][ T314] RIP: 0033:0x7f5579afc4f0
[ 27.845433][ T314] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d fd 0a 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 b0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 a3 38 0a 00 4c
[ 27.865196][ T314] RSP: 002b:00007fffca7ebfe0 EFLAGS: 00010246
[ 27.871353][ T314] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ 27.879162][ T314] RDX: 0000000000000001 RSI: 00007f5579b9d120 RDI: 0000000000000000
[pid 314] exit_group(0) = ?
[pid 314] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=314, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./14", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./14", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./14/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./14/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./14/binderfs") = 0
umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./14/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./14/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./14") = 0
mkdir("./15", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 315 attached
[pid 315] set_robust_list(0x555555cf6660, 24
[pid 290] <... clone resumed>, child_tidptr=0x555555cf6650) = 315
[pid 315] <... set_robust_list resumed>) = 0
[pid 315] chdir("./15") = 0
[pid 315] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 315] setpgid(0, 0) = 0
[pid 315] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 315] write(3, "1000", 4) = 4
[pid 315] close(3) = 0
[pid 315] symlink("/dev/binderfs", "./binderfs") = 0
[pid 315] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 315] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 315] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 315] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 315] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 315] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 315] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 315] write(6, "8", 1) = 1
[ 27.887055][ T314] RBP: 00007f5579b9d120 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 27.895829][ T314] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 27.904004][ T314] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 27.912003][ T314]
[ 27.915038][ T314] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
[ 27.938652][ T315] FAULT_INJECTION: forcing a failure.
[ 27.938652][ T315] name failslab, interval 1, probability 0, space 0, times 0
[ 27.952552][ T315] CPU: 0 PID: 315 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 27.968523][ T315] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 27.979169][ T315] Call Trace:
[ 27.982916][ T315]
[ 27.985676][ T315] dump_stack_lvl+0x151/0x1b7
[ 27.990386][ T315] ? io_uring_drop_tctx_refs+0x190/0x190
[ 27.995930][ T315] dump_stack+0x15/0x17
[ 27.999914][ T315] should_fail+0x3c6/0x510
[ 28.004368][ T315] __should_failslab+0xa4/0xe0
[ 28.009126][ T315] should_failslab+0x9/0x20
[ 28.013922][ T315] slab_pre_alloc_hook+0x37/0xd0
[ 28.018791][ T315] kmem_cache_alloc_trace+0x48/0x210
[ 28.024604][ T315] ? sk_psock_skb_ingress_self+0x60/0x330
[ 28.030329][ T315] ? migrate_disable+0x190/0x190
[ 28.035181][ T315] sk_psock_skb_ingress_self+0x60/0x330
[ 28.041097][ T315] sk_psock_verdict_recv+0x66d/0x840
[ 28.046569][ T315] unix_read_sock+0x132/0x370
[ 28.051334][ T315] ? sk_psock_skb_redirect+0x440/0x440
[ 28.056624][ T315] ? unix_stream_splice_actor+0x120/0x120
[ 28.063172][ T315] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 28.068965][ T315] ? unix_stream_splice_actor+0x120/0x120
[ 28.074719][ T315] sk_psock_verdict_data_ready+0x147/0x1a0
[ 28.081792][ T315] ? sk_psock_start_verdict+0xc0/0xc0
[ 28.088231][ T315] ? _raw_spin_lock+0xa4/0x1b0
[ 28.094504][ T315] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 28.100284][ T315] ? skb_queue_tail+0xfb/0x120
[ 28.105045][ T315] unix_dgram_sendmsg+0x15fa/0x2090
[ 28.110001][ T315] ? unix_dgram_poll+0x710/0x710
[ 28.115035][ T315] ? ttwu_queue_wakelist+0x316/0x510
[ 28.120343][ T315] ? security_socket_sendmsg+0x82/0xb0
[ 28.125722][ T315] ? unix_dgram_poll+0x710/0x710
[ 28.132239][ T315] ____sys_sendmsg+0x59e/0x8f0
[ 28.136944][ T315] ? __sys_sendmsg_sock+0x40/0x40
[ 28.141897][ T315] ? import_iovec+0xe5/0x120
[ 28.146321][ T315] ___sys_sendmsg+0x252/0x2e0
[ 28.150802][ T315] ? __sys_sendmsg+0x260/0x260
[ 28.155816][ T315] ? compat_start_thread+0x20/0x20
[ 28.160839][ T315] ? __kasan_check_read+0x11/0x20
[ 28.165689][ T315] ? __fdget+0x179/0x240
[ 28.169854][ T315] __sys_sendmmsg+0x2bf/0x530
[ 28.174372][ T315] ? __ia32_sys_sendmsg+0x90/0x90
[ 28.179337][ T315] ? __kasan_check_read+0x11/0x20
[ 28.184203][ T315] __x64_sys_sendmmsg+0xa0/0xb0
[ 28.189498][ T315] do_syscall_64+0x3d/0xb0
[ 28.193726][ T315] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 28.199559][ T315] RIP: 0033:0x7f5579b265a9
[ 28.204063][ T315] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 28.224416][ T315] RSP: 002b:00007fffca7ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 28.233691][ T315] RAX: ffffffffffffffda RBX: 00007fffca7ec060 RCX: 00007f5579b265a9
[pid 315] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 315] exit_group(0) = ?
[ 28.242113][ T315] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 28.249952][ T315] RBP: 0000000000000001 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 28.258829][ T315] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 28.267586][ T315] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 28.276036][ T315]
[ 28.283004][ T20] ==================================================================
[pid 315] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=315, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./15", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./15", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./15/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./15/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./15/binderfs") = 0
umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./15/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./15/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./15") = 0
mkdir("./16", 0777) = 0
[ 28.293499][ T20] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x116/0x2e0
[ 28.305094][ T20]
[ 28.307537][ T20] CPU: 0 PID: 20 Comm: kworker/0:1 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 28.321489][ T20] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 28.333491][ T20] Workqueue: events bpf_map_free_deferred
[ 28.339924][ T20] Call Trace:
[ 28.343292][ T20]
[ 28.346302][ T20] dump_stack_lvl+0x151/0x1b7
[ 28.351318][ T20] ? io_uring_drop_tctx_refs+0x190/0x190
[ 28.358281][ T20] ? panic+0x751/0x751
[ 28.362338][ T20] ? kasan_set_free_info+0x23/0x40
[ 28.367864][ T20] ? ____kasan_slab_free+0x126/0x160
[ 28.373602][ T20] ? kmem_cache_free+0x116/0x2e0
[ 28.378423][ T20] print_address_description+0x87/0x3b0
[ 28.384942][ T20] ? worker_thread+0xad5/0x12a0
[ 28.389882][ T20] ? kthread+0x421/0x510
[ 28.394571][ T20] ? kmem_cache_free+0x116/0x2e0
[ 28.399507][ T20] ? kmem_cache_free+0x116/0x2e0
[ 28.404807][ T20] kasan_report_invalid_free+0x6b/0xa0
[ 28.410208][ T20] ____kasan_slab_free+0x13e/0x160
[ 28.415235][ T20] __kasan_slab_free+0x11/0x20
[ 28.419940][ T20] slab_free_freelist_hook+0xbd/0x190
[ 28.426378][ T20] ? kfree_skbmem+0x104/0x170
[ 28.431035][ T20] kmem_cache_free+0x116/0x2e0
[ 28.436262][ T20] kfree_skbmem+0x104/0x170
[ 28.440856][ T20] consume_skb+0xb4/0x250
[ 28.445867][ T20] __sk_msg_free+0x2dd/0x370
[ 28.450657][ T20] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 28.456352][ T20] sk_psock_stop+0x44c/0x4d0
[ 28.461354][ T20] sk_psock_drop+0x219/0x310
[ 28.465806][ T20] sock_map_unref+0x48f/0x4d0
[ 28.470641][ T20] sock_map_free+0x137/0x2b0
[ 28.475255][ T20] bpf_map_free_deferred+0x10d/0x1e0
[ 28.480792][ T20] process_one_work+0x6bb/0xc10
[ 28.485738][ T20] worker_thread+0xad5/0x12a0
[ 28.490253][ T20] ? _raw_spin_lock+0x1b0/0x1b0
[ 28.495011][ T20] kthread+0x421/0x510
[ 28.498919][ T20] ? worker_clr_flags+0x180/0x180
[ 28.503784][ T20] ? kthread_blkcg+0xd0/0xd0
[ 28.508547][ T20] ret_from_fork+0x1f/0x30
[ 28.512804][ T20]
[ 28.515667][ T20]
[ 28.518735][ T20] Allocated by task 315:
[ 28.523117][ T20] __kasan_slab_alloc+0xb1/0xe0
[ 28.528472][ T20] slab_post_alloc_hook+0x53/0x2c0
[ 28.533519][ T20] kmem_cache_alloc+0xf5/0x200
[ 28.538118][ T20] skb_clone+0x1d1/0x360
[ 28.542220][ T20] sk_psock_verdict_recv+0x53/0x840
[ 28.547658][ T20] unix_read_sock+0x132/0x370
[ 28.553266][ T20] sk_psock_verdict_data_ready+0x147/0x1a0
[ 28.559610][ T20] unix_dgram_sendmsg+0x15fa/0x2090
[ 28.564722][ T20] ____sys_sendmsg+0x59e/0x8f0
[ 28.569502][ T20] ___sys_sendmsg+0x252/0x2e0
[ 28.574010][ T20] __sys_sendmmsg+0x2bf/0x530
[ 28.578509][ T20] __x64_sys_sendmmsg+0xa0/0xb0
[ 28.583198][ T20] do_syscall_64+0x3d/0xb0
[ 28.587448][ T20] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 28.593438][ T20]
[ 28.595611][ T20] Freed by task 20:
[ 28.599362][ T20] kasan_set_track+0x4b/0x70
[ 28.603957][ T20] kasan_set_free_info+0x23/0x40
[ 28.609248][ T20] ____kasan_slab_free+0x126/0x160
[ 28.614268][ T20] __kasan_slab_free+0x11/0x20
[ 28.619255][ T20] slab_free_freelist_hook+0xbd/0x190
[ 28.624487][ T20] kmem_cache_free+0x116/0x2e0
[ 28.629329][ T20] kfree_skbmem+0x104/0x170
[ 28.633719][ T20] kfree_skb+0xc2/0x360
[ 28.638791][ T20] sk_psock_backlog+0xc21/0xd90
[ 28.643642][ T20] process_one_work+0x6bb/0xc10
[ 28.648837][ T20] worker_thread+0xad5/0x12a0
[ 28.653712][ T20] kthread+0x421/0x510
[ 28.657946][ T20] ret_from_fork+0x1f/0x30
[ 28.662257][ T20]
[ 28.664418][ T20] The buggy address belongs to the object at ffff88811e763dc0
[ 28.664418][ T20] which belongs to the cache skbuff_head_cache of size 248
[ 28.678832][ T20] The buggy address is located 0 bytes inside of
[ 28.678832][ T20] 248-byte region [ffff88811e763dc0, ffff88811e763eb8)
[ 28.691771][ T20] The buggy address belongs to the page:
[ 28.697331][ T20] page:ffffea000479d8c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e763
[ 28.707566][ T20] flags: 0x4000000000000200(slab|zone=1)
[ 28.713819][ T20] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100351c80
[ 28.723332][ T20] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 28.735783][ T20] page dumped because: kasan: bad access detected
[ 28.742594][ T20] page_owner tracks the page as allocated
[ 28.748127][ T20] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 285, ts 27936446828, free_ts 27936005500
[ 28.764840][ T20] post_alloc_hook+0x1a3/0x1b0
[ 28.769419][ T20] prep_new_page+0x1b/0x110
[ 28.773758][ T20] get_page_from_freelist+0x3550/0x35d0
[ 28.779171][ T20] __alloc_pages+0x206/0x5e0
[ 28.783583][ T20] new_slab+0x9a/0x4e0
[ 28.787575][ T20] ___slab_alloc+0x39e/0x830
[ 28.791978][ T20] __slab_alloc+0x4a/0x90
[ 28.796938][ T20] kmem_cache_alloc+0x134/0x200
[ 28.801623][ T20] skb_clone+0x1d1/0x360
[ 28.807876][ T20] dev_queue_xmit_nit+0x25b/0xa40
[ 28.812736][ T20] dev_hard_start_xmit+0x149/0x620
[ 28.818076][ T20] sch_direct_xmit+0x298/0x9b0
[ 28.822854][ T20] __dev_queue_xmit+0x161e/0x2e70
[ 28.827842][ T20] dev_queue_xmit+0x17/0x20
[ 28.832385][ T20] ip_finish_output2+0xb9f/0xf60
[ 28.838264][ T20] __ip_finish_output+0x162/0x360
[ 28.843635][ T20] page last free stack trace:
[ 28.848766][ T20] free_unref_page_prepare+0x7c8/0x7d0
[ 28.854569][ T20] free_unref_page+0xe6/0x730
[ 28.859095][ T20] __free_pages+0x61/0xf0
[ 28.863636][ T20] free_pages+0x7c/0x90
[ 28.868083][ T20] kasan_depopulate_vmalloc_pte+0x6a/0x90
[ 28.873928][ T20] __apply_to_page_range+0x8dd/0xbe0
[ 28.879111][ T20] apply_to_existing_page_range+0x38/0x50
[ 28.884669][ T20] kasan_release_vmalloc+0x9a/0xb0
[ 28.890137][ T20] __purge_vmap_area_lazy+0x154a/0x1690
[ 28.895546][ T20] _vm_unmap_aliases+0x339/0x3b0
[ 28.900303][ T20] vm_unmap_aliases+0x19/0x20
[ 28.904897][ T20] change_page_attr_set_clr+0x308/0x1050
[ 28.910799][ T20] set_memory_ro+0xa1/0xe0
[ 28.915084][ T20] bpf_int_jit_compile+0xbf42/0xc6d0
[ 28.920447][ T20] bpf_prog_select_runtime+0x706/0x9e0
[ 28.926514][ T20] bpf_prog_load+0x1315/0x1b50
[ 28.931383][ T20]
[ 28.933883][ T20] Memory state around the buggy address:
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 316
./strace-static-x86_64: Process 316 attached
[pid 316] set_robust_list(0x555555cf6660, 24) = 0
[pid 316] chdir("./16") = 0
[pid 316] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 316] setpgid(0, 0) = 0
[pid 316] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 316] write(3, "1000", 4) = 4
[pid 316] close(3) = 0
[pid 316] symlink("/dev/binderfs", "./binderfs") = 0
[pid 316] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 316] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 316] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 316] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 316] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 316] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 316] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 316] write(6, "8", 1) = 1
[pid 316] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 28.940425][ T20] ffff88811e763c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.948596][ T20] ffff88811e763d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 28.956955][ T20] >ffff88811e763d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 28.965032][ T20] ^
[ 28.971305][ T20] ffff88811e763e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.979549][ T20] ffff88811e763e80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 28.987444][ T20] ==================================================================
[ 29.005919][ T316] FAULT_INJECTION: forcing a failure.
[ 29.005919][ T316] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 29.019254][ T316] CPU: 1 PID: 316 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 29.031637][ T316] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 29.041967][ T316] Call Trace:
[ 29.045378][ T316]
[ 29.048224][ T316] dump_stack_lvl+0x151/0x1b7
[ 29.053917][ T316] ? io_uring_drop_tctx_refs+0x190/0x190
[ 29.059584][ T316] dump_stack+0x15/0x17
[ 29.063463][ T316] should_fail+0x3c6/0x510
[ 29.067830][ T316] should_fail_alloc_page+0x5a/0x80
[ 29.072858][ T316] prepare_alloc_pages+0x15c/0x700
[ 29.077807][ T316] ? __alloc_pages_bulk+0xe60/0xe60
[ 29.083527][ T316] ? enqueue_task_fair+0xd61/0x29a0
[ 29.088609][ T316] __alloc_pages+0x138/0x5e0
[ 29.092988][ T316] ? prep_new_page+0x110/0x110
[ 29.097586][ T316] wp_page_copy+0x200/0x1b00
[ 29.102001][ T316] ? __kasan_check_write+0x14/0x20
[ 29.107360][ T316] ? insert_page_into_pte_locked+0x4e0/0x4e0
[ 29.113118][ T316] ? __pte_map_lock+0x442/0x620
[ 29.117789][ T316] do_wp_page+0x6fa/0xb60
[ 29.121974][ T316] handle_pte_fault+0x72e/0x2340
[ 29.127003][ T316] ? update_load_avg+0x43a/0x1150
[ 29.131870][ T316] ? fault_around_bytes_set+0xc0/0xc0
[ 29.137085][ T316] do_handle_mm_fault+0x1fed/0x2330
[ 29.142195][ T316] ? numa_migrate_prep+0xe0/0xe0
[ 29.147046][ T316] ? __kasan_check_write+0x14/0x20
[ 29.152319][ T316] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 29.157265][ T316] ? _raw_spin_lock_irqsave+0x210/0x210
[ 29.162820][ T316] ? _raw_spin_unlock_irq+0x4e/0x70
[ 29.167839][ T316] ? down_read_trylock+0x1f9/0x300
[ 29.172979][ T316] ? __init_rwsem+0x1c0/0x1c0
[ 29.177499][ T316] ? vmacache_update+0xb7/0x120
[ 29.182175][ T316] ? __find_vma+0x136/0x150
[ 29.186541][ T316] exc_page_fault+0x3b5/0x830
[ 29.191117][ T316] asm_exc_page_fault+0x27/0x30
[ 29.195788][ T316] RIP: 0033:0x7f5579afc4f0
[ 29.200085][ T316] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d fd 0a 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 b0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 a3 38 0a 00 4c
[ 29.221920][ T316] RSP: 002b:00007fffca7ebfe0 EFLAGS: 00010246
[ 29.228488][ T316] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ 29.236566][ T316] RDX: 0000000000000001 RSI: 00007f5579b9d120 RDI: 0000000000000000
[ 29.246334][ T316] RBP: 00007f5579b9d120 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[pid 316] exit_group(0) = ?
[pid 316] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=316, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./16", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./16", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./16/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./16/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./16/binderfs") = 0
umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./16/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./16/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./16") = 0
mkdir("./17", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 318
./strace-static-x86_64: Process 318 attached
[pid 318] set_robust_list(0x555555cf6660, 24) = 0
[pid 318] chdir("./17") = 0
[pid 318] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 318] setpgid(0, 0) = 0
[pid 318] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 318] write(3, "1000", 4) = 4
[pid 318] close(3) = 0
[pid 318] symlink("/dev/binderfs", "./binderfs") = 0
[pid 318] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 318] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 318] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 318] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 318] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 318] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 318] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 318] write(6, "8", 1) = 1
[ 29.256053][ T316] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 29.265067][ T316] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 29.273685][ T316]
[ 29.277619][ T316] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
[ 29.294688][ T318] FAULT_INJECTION: forcing a failure.
[ 29.294688][ T318] name failslab, interval 1, probability 0, space 0, times 0
[ 29.308901][ T318] CPU: 1 PID: 318 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 29.322480][ T318] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 29.332704][ T318] Call Trace:
[ 29.337410][ T318]
[ 29.340926][ T318] dump_stack_lvl+0x151/0x1b7
[ 29.345517][ T318] ? io_uring_drop_tctx_refs+0x190/0x190
[ 29.351359][ T318] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 29.357490][ T318] ? __skb_try_recv_datagram+0x495/0x6a0
[ 29.363899][ T318] dump_stack+0x15/0x17
[ 29.367904][ T318] should_fail+0x3c6/0x510
[ 29.373139][ T318] __should_failslab+0xa4/0xe0
[ 29.378245][ T318] ? skb_clone+0x1d1/0x360
[ 29.383194][ T318] should_failslab+0x9/0x20
[ 29.387787][ T318] slab_pre_alloc_hook+0x37/0xd0
[ 29.392944][ T318] ? skb_clone+0x1d1/0x360
[ 29.397436][ T318] kmem_cache_alloc+0x44/0x200
[ 29.402421][ T318] skb_clone+0x1d1/0x360
[ 29.406586][ T318] sk_psock_verdict_recv+0x53/0x840
[ 29.412117][ T318] ? avc_has_perm_noaudit+0x430/0x430
[ 29.417497][ T318] ? mntput_no_expire+0xfc/0x6b0
[ 29.422444][ T318] ? lockref_put_return+0x1b7/0x210
[ 29.427547][ T318] unix_read_sock+0x132/0x370
[ 29.432062][ T318] ? sk_psock_skb_redirect+0x440/0x440
[ 29.437435][ T318] ? unix_stream_splice_actor+0x120/0x120
[ 29.442999][ T318] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 29.448375][ T318] ? unix_stream_splice_actor+0x120/0x120
[ 29.454765][ T318] sk_psock_verdict_data_ready+0x147/0x1a0
[ 29.460351][ T318] ? sk_psock_start_verdict+0xc0/0xc0
[ 29.466057][ T318] ? _raw_spin_lock+0xa4/0x1b0
[ 29.471107][ T318] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 29.478491][ T318] ? skb_queue_tail+0xfb/0x120
[ 29.483438][ T318] unix_dgram_sendmsg+0x15fa/0x2090
[ 29.488481][ T318] ? unix_dgram_poll+0x710/0x710
[ 29.493454][ T318] ? __kasan_check_read+0x11/0x20
[ 29.498339][ T318] ? security_socket_sendmsg+0x82/0xb0
[ 29.503739][ T318] ? unix_dgram_poll+0x710/0x710
[ 29.509444][ T318] ____sys_sendmsg+0x59e/0x8f0
[ 29.514251][ T318] ? __sys_sendmsg_sock+0x40/0x40
[ 29.519182][ T318] ? kasan_set_track+0x5d/0x70
[ 29.524038][ T318] ? import_iovec+0xe5/0x120
[ 29.528819][ T318] ___sys_sendmsg+0x252/0x2e0
[ 29.533334][ T318] ? __sys_sendmsg+0x260/0x260
[ 29.539544][ T318] ? compat_start_thread+0x20/0x20
[ 29.545853][ T318] ? __kasan_check_read+0x11/0x20
[ 29.551551][ T318] ? __fdget+0x179/0x240
[ 29.555697][ T318] __sys_sendmmsg+0x2bf/0x530
[ 29.560528][ T318] ? __ia32_sys_sendmsg+0x90/0x90
[ 29.566000][ T318] ? __kasan_check_read+0x11/0x20
[ 29.571110][ T318] __x64_sys_sendmmsg+0xa0/0xb0
[ 29.575788][ T318] do_syscall_64+0x3d/0xb0
[ 29.580058][ T318] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.586264][ T318] RIP: 0033:0x7f5579b265a9
[ 29.590583][ T318] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 29.610246][ T318] RSP: 002b:00007fffca7ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 29.618654][ T318] RAX: ffffffffffffffda RBX: 00007fffca7ec060 RCX: 00007f5579b265a9
[ 29.626812][ T318] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 29.634630][ T318] RBP: 0000000000000001 R08: 00007fffca7ebdd7 R09: 00007fffca7fc198
[ 29.642621][ T318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 29.650872][ T318] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[pid 318] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 318] exit_group(0) = ?
[pid 318] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=318, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./17", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./17", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555cf76f0 /* 4 entries */, 32768) = 112
umount2("./17/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./17/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./17/binderfs") = 0
umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./17/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./17/file0") = 0
getdents64(3, 0x555555cf76f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./17") = 0
mkdir("./18", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cf6650) = 319
./strace-static-x86_64: Process 319 attached
[pid 319] set_robust_list(0x555555cf6660, 24) = 0
[pid 319] chdir("./18") = 0
[pid 319] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 319] setpgid(0, 0) = 0
[pid 319] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 319] write(3, "1000", 4) = 4
[pid 319] close(3) = 0
[pid 319] symlink("/dev/binderfs", "./binderfs") = 0
[pid 319] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 319] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 319] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 319] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 319] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 319] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 319] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 319] write(6, "8", 1) = 1
[ 29.659203][ T318]
[ 29.678686][ T319] FAULT_INJECTION: forcing a failure.
[ 29.678686][ T319] name failslab, interval 1, probability 0, space 0, times 0
[ 29.692259][ T319] CPU: 0 PID: 319 Comm: syz-executor305 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0
[ 29.703912][ T319] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 29.713809][ T319] Call Trace:
[ 29.716925][ T319]
[ 29.719711][ T319] dump_stack_lvl+0x151/0x1b7
[ 29.724917][ T319] ? io_uring_drop_tctx_refs+0x190/0x190
[ 29.731235][ T319] dump_stack+0x15/0x17
[ 29.736258][ T319] should_fail+0x3c6/0x510
[ 29.740623][ T319] __should_failslab+0xa4/0xe0
[ 29.745190][ T319] should_failslab+0x9/0x20
[ 29.749659][ T319] slab_pre_alloc_hook+0x37/0xd0