./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3469849204 <...> Warning: Permanently added '10.128.0.85' (ED25519) to the list of known hosts. execve("./syz-executor3469849204", ["./syz-executor3469849204"], 0x7ffecdb4a8e0 /* 10 vars */) = 0 brk(NULL) = 0x55557ff67000 brk(0x55557ff67d00) = 0x55557ff67d00 arch_prctl(ARCH_SET_FS, 0x55557ff67380) = 0 set_tid_address(0x55557ff67650) = 5837 set_robust_list(0x55557ff67660, 24) = 0 rseq(0x55557ff67ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3469849204", 4096) = 28 getrandom("\x2c\xa8\x9c\xc2\x11\x8f\x0b\xa8", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55557ff67d00 brk(0x55557ff88d00) = 0x55557ff88d00 brk(0x55557ff89000) = 0x55557ff89000 mprotect(0x7fcc6aa71000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.AwevCM", 0700) = 0 chmod("./syzkaller.AwevCM", 0777) = 0 chdir("./syzkaller.AwevCM") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5838 attached , child_tidptr=0x55557ff67650) = 5838 [pid 5838] set_robust_list(0x55557ff67660, 24) = 0 [pid 5838] chdir("./0") = 0 [pid 5838] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5838] setpgid(0, 0) = 0 [pid 5838] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5838] write(3, "1000", 4) = 4 [pid 5838] close(3) = 0 [pid 5838] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5838] write(1, "executing program\n", 18executing program ) = 18 [pid 5838] memfd_create("syzkaller", 0) = 3 [pid 5838] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcc62400000 [pid 5838] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536 [pid 5838] munmap(0x7fcc62400000, 138412032) = 0 [pid 5838] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5838] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5838] close(3) = 0 [pid 5838] close(4) = 0 [pid 5838] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [ 73.942226][ T5838] loop0: detected capacity change from 0 to 128 [pid 5838] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "") = 0 [pid 5838] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3 [pid 5838] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0 [pid 5838] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 73.985714][ T5838] VFS: Found a Xenix FS (block size = 1024) on device loop0 [ 74.028114][ T5838] syz-executor346: attempt to access beyond end of device [ 74.028114][ T5838] loop0: rw=0, sector=6491536, nr_sectors = 2 limit=128 [ 74.042265][ T5838] Buffer I/O error on dev loop0, logical block 3245768, async page read [ 74.052231][ T5838] unable to read i-node block [ 74.057162][ T5838] syz-executor346: attempt to access beyond end of device [ 74.057162][ T5838] loop0: rw=0, sector=6491536, nr_sectors = 2 limit=128 [pid 5838] mknodat(AT_FDCWD, "./file0", S_IFIFO|S_ISGID|010) = -1 EIO (Input/output error) [pid 5838] exit_group(0) = ? [pid 5838] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5838, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55557ff686f0 /* 4 entries */, 32768) = 176 [ 74.071373][ T5838] Buffer I/O error on dev loop0, logical block 3245768, async page read [ 74.079911][ T5838] sysv_free_inode: unable to read inode block on device loop0 umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 [ 74.169123][ T5837] sysv_free_block: flc_count > flc_size [ 74.174845][ T5837] sysv_free_block: flc_count > flc_size [ 74.180404][ T5837] sysv_free_block: flc_count > flc_size [ 74.186028][ T5837] sysv_free_block: flc_count > flc_size [ 74.191615][ T5837] sysv_free_block: flc_count > flc_size [ 74.197254][ T5837] sysv_free_block: flc_count > flc_size [ 74.202807][ T5837] sysv_free_block: flc_count > flc_size [ 74.208425][ T5837] sysv_free_block: flc_count > flc_size [ 74.213977][ T5837] sysv_free_block: flc_count > flc_size umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [ 74.219586][ T5837] sysv_free_block: flc_count > flc_size [ 74.226424][ T5837] sysv_free_inode: inode 0,1,2 or nonexistent inode newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55557ff70730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55557ff70730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x55557ff686f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5840 attached [pid 5840] set_robust_list(0x55557ff67660, 24 [pid 5837] <... clone resumed>, child_tidptr=0x55557ff67650) = 5840 [pid 5840] <... set_robust_list resumed>) = 0 [pid 5840] chdir("./1") = 0 [pid 5840] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5840] setpgid(0, 0) = 0 [pid 5840] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5840] write(3, "1000", 4) = 4 [pid 5840] close(3) = 0 [pid 5840] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5840] write(1, "executing program\n", 18) = 18 [pid 5840] memfd_create("syzkaller", 0) = 3 [pid 5840] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcc62400000 [pid 5840] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536 [pid 5840] munmap(0x7fcc62400000, 138412032) = 0 [pid 5840] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5840] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5840] close(3) = 0 [pid 5840] close(4) = 0 [pid 5840] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5840] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "") = 0 [pid 5840] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3 [pid 5840] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0 [pid 5840] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 74.508975][ T5840] loop0: detected capacity change from 0 to 128 [ 74.532100][ T5840] VFS: Found a Xenix FS (block size = 1024) on device loop0 [ 74.572828][ T5840] syz-executor346: attempt to access beyond end of device [ 74.572828][ T5840] loop0: rw=0, sector=6491536, nr_sectors = 2 limit=128 [ 74.587192][ T5840] Buffer I/O error on dev loop0, logical block 3245768, async page read [ 74.609343][ T5840] syz-executor346: attempt to access beyond end of device [ 74.609343][ T5840] loop0: rw=0, sector=6491536, nr_sectors = 2 limit=128 [pid 5840] mknodat(AT_FDCWD, "./file0", S_IFIFO|S_ISGID|010) = -1 EIO (Input/output error) [pid 5840] exit_group(0) = ? [pid 5840] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5840, si_uid=0, si_status=0, si_utime=0, si_stime=5 /* 0.05 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55557ff686f0 /* 4 entries */, 32768) = 176 umount2("./1/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 [ 74.623374][ T5840] Buffer I/O error on dev loop0, logical block 3245768, async page read [ 74.682230][ T5837] sysv_free_block: flc_count > flc_size [ 74.688017][ T5837] sysv_free_block: flc_count > flc_size [ 74.693762][ T5837] sysv_free_block: flc_count > flc_size [ 74.699377][ T5837] sysv_free_block: flc_count > flc_size [ 74.705002][ T5837] sysv_free_block: flc_count > flc_size [ 74.710635][ T5837] sysv_free_block: flc_count > flc_size [ 74.716222][ T5837] sysv_free_block: flc_count > flc_size [ 74.721771][ T5837] sysv_free_block: flc_count > flc_size umount2("\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [ 74.727403][ T5837] sysv_free_block: flc_count > flc_size [ 74.732950][ T5837] sysv_free_block: flc_count > flc_size [ 74.738913][ T5837] sysv_free_inode: inode 0,1,2 or nonexistent inode getdents64(4, 0x55557ff70730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55557ff70730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x55557ff686f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5841 attached , child_tidptr=0x55557ff67650) = 5841 [pid 5841] set_robust_list(0x55557ff67660, 24) = 0 [pid 5841] chdir("./2") = 0 [pid 5841] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5841] setpgid(0, 0) = 0 [pid 5841] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5841] write(3, "1000", 4) = 4 [pid 5841] close(3) = 0 [pid 5841] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5841] write(1, "executing program\n", 18executing program ) = 18 [pid 5841] memfd_create("syzkaller", 0) = 3 [pid 5841] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcc62400000 [pid 5841] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536 [pid 5841] munmap(0x7fcc62400000, 138412032) = 0 [pid 5841] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5841] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5841] close(3) = 0 [pid 5841] close(4) = 0 [pid 5841] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5841] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "") = 0 [pid 5841] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3 [pid 5841] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0 [pid 5841] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 74.952510][ T5841] loop0: detected capacity change from 0 to 128 [ 74.974797][ T5841] VFS: Found a Xenix FS (block size = 1024) on device loop0 [pid 5841] mknodat(AT_FDCWD, "./file0", S_IFIFO|S_ISGID|010) = -1 EIO (Input/output error) [pid 5841] exit_group(0) = ? [pid 5841] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5841, si_uid=0, si_status=0, si_utime=0, si_stime=5 /* 0.05 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [ 74.997684][ T5841] syz-executor346: attempt to access beyond end of device [ 74.997684][ T5841] loop0: rw=0, sector=6491536, nr_sectors = 2 limit=128 [ 75.012585][ T5841] Buffer I/O error on dev loop0, logical block 3245768, async page read [ 75.030379][ T5841] syz-executor346: attempt to access beyond end of device [ 75.030379][ T5841] loop0: rw=0, sector=6491536, nr_sectors = 2 limit=128 [ 75.044495][ T5841] Buffer I/O error on dev loop0, logical block 3245768, async page read getdents64(3, 0x55557ff686f0 /* 4 entries */, 32768) = 176 umount2("./2/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 [ 75.132275][ T5837] sysv_free_block: flc_count > flc_size [ 75.137964][ T5837] sysv_free_block: flc_count > flc_size [ 75.143504][ T5837] sysv_free_block: flc_count > flc_size [ 75.149237][ T5837] sysv_free_block: flc_count > flc_size [ 75.154897][ T5837] sysv_free_block: flc_count > flc_size [ 75.160435][ T5837] sysv_free_block: flc_count > flc_size [ 75.166051][ T5837] sysv_free_block: flc_count > flc_size [ 75.171601][ T5837] sysv_free_block: flc_count > flc_size [ 75.177195][ T5837] sysv_free_block: flc_count > flc_size umount2("\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55557ff70730 /* 2 entries */, 32768) = 48 [ 75.182745][ T5837] sysv_free_block: flc_count > flc_size [ 75.188762][ T5837] sysv_free_inode: inode 0,1,2 or nonexistent inode getdents64(4, 0x55557ff70730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x55557ff686f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5842 attached , child_tidptr=0x55557ff67650) = 5842 [pid 5842] set_robust_list(0x55557ff67660, 24) = 0 [pid 5842] chdir("./3") = 0 [pid 5842] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5842] setpgid(0, 0) = 0 [pid 5842] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5842] write(3, "1000", 4) = 4 [pid 5842] close(3) = 0 [pid 5842] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5842] write(1, "executing program\n", 18executing program ) = 18 [pid 5842] memfd_create("syzkaller", 0) = 3 [pid 5842] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcc62400000 [pid 5842] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536 [pid 5842] munmap(0x7fcc62400000, 138412032) = 0 [pid 5842] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5842] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5842] close(3) = 0 [pid 5842] close(4) = 0 [pid 5842] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [ 75.440421][ T5842] loop0: detected capacity change from 0 to 128 [pid 5842] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "") = 0 [pid 5842] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3 [pid 5842] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0 [pid 5842] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 75.483065][ T5842] VFS: Found a Xenix FS (block size = 1024) on device loop0 [ 75.513492][ T5842] syz-executor346: attempt to access beyond end of device [ 75.513492][ T5842] loop0: rw=0, sector=6491536, nr_sectors = 2 limit=128 [ 75.527659][ T5842] Buffer I/O error on dev loop0, logical block 3245768, async page read [ 75.536739][ T5842] ================================================================== [ 75.544812][ T5842] BUG: KASAN: use-after-free in sysv_new_inode+0xfc7/0x1160 [ 75.552166][ T5842] Read of size 2 at addr ffff8880755ef1ce by task syz-executor346/5842 [ 75.560396][ T5842] [ 75.562711][ T5842] CPU: 0 UID: 0 PID: 5842 Comm: syz-executor346 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0 [ 75.573813][ T5842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 75.583864][ T5842] Call Trace: [ 75.587137][ T5842] [ 75.590057][ T5842] dump_stack_lvl+0x241/0x360 [ 75.594776][ T5842] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.600000][ T5842] ? __pfx__printk+0x10/0x10 [ 75.604590][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 75.610593][ T5842] ? _printk+0xd5/0x120 [ 75.614747][ T5842] ? __virt_addr_valid+0x183/0x530 [ 75.619858][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 75.625516][ T5842] print_report+0x169/0x550 [ 75.630056][ T5842] ? __virt_addr_valid+0x183/0x530 [ 75.635337][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 75.640973][ T5842] ? __virt_addr_valid+0x45f/0x530 [ 75.646080][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 75.651715][ T5842] ? __phys_addr+0xba/0x170 [ 75.656253][ T5842] ? sysv_new_inode+0xfc7/0x1160 [ 75.661195][ T5842] kasan_report+0x143/0x180 [ 75.665702][ T5842] ? sysv_new_inode+0xfc7/0x1160 [ 75.670644][ T5842] sysv_new_inode+0xfc7/0x1160 [ 75.675437][ T5842] ? __pfx_sysv_new_inode+0x10/0x10 [ 75.680654][ T5842] ? aa_get_newest_label+0xff/0x6f0 [ 75.685869][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 75.691529][ T5842] ? generic_permission+0x241/0x550 [ 75.696752][ T5842] sysv_mknod+0x4e/0xe0 [ 75.700922][ T5842] vfs_mknod+0x36f/0x3b0 [ 75.705164][ T5842] do_mknodat+0x3ec/0x5b0 [ 75.709504][ T5842] ? __pfx_do_mknodat+0x10/0x10 [ 75.714356][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 75.720108][ T5842] ? getname_flags+0x1e3/0x540 [ 75.724880][ T5842] __x64_sys_mknodat+0xa7/0xc0 [ 75.729642][ T5842] do_syscall_64+0xf3/0x230 [ 75.734177][ T5842] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.740084][ T5842] RIP: 0033:0x7fcc6a9f30e9 [ 75.744511][ T5842] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 75.764115][ T5842] RSP: 002b:00007fff57032338 EFLAGS: 00000246 ORIG_RAX: 0000000000000103 [ 75.772546][ T5842] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcc6a9f30e9 [ 75.780886][ T5842] RDX: 0000000000001408 RSI: 0000000020000080 RDI: 00000000ffffff9c [ 75.788853][ T5842] RBP: 00000000ffffffff R08: 0000000000009e87 R09: 0000000000000000 [ 75.796930][ T5842] R10: 0000000000000103 R11: 0000000000000246 R12: 00007fff57032380 [ 75.805008][ T5842] R13: 00007fff570323c0 R14: 0000000000010000 R15: 0000000000000003 [ 75.812987][ T5842] [ 75.815996][ T5842] [ 75.818306][ T5842] The buggy address belongs to the physical page: [ 75.824706][ T5842] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f5316e1e pfn:0x755ef [ 75.834168][ T5842] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 75.841583][ T5842] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000 [ 75.850271][ T5842] raw: 00000007f5316e1e 0000000000000000 00000000ffffffff 0000000000000000 [ 75.858846][ T5842] page dumped because: kasan: bad access detected [ 75.865248][ T5842] page_owner tracks the page as freed [ 75.870791][ T5842] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5829, tgid 5829 (sshd), ts 67938844651, free_ts 67947430131 [ 75.888772][ T5842] post_alloc_hook+0x1f3/0x230 [ 75.893569][ T5842] get_page_from_freelist+0x303f/0x3190 [ 75.899135][ T5842] __alloc_pages_noprof+0x292/0x710 [ 75.904328][ T5842] alloc_pages_mpol_noprof+0x3e8/0x680 [ 75.909782][ T5842] vma_alloc_folio_noprof+0x12e/0x230 [ 75.915149][ T5842] folio_prealloc+0x31/0x170 [ 75.919729][ T5842] handle_pte_fault+0x24dd/0x6820 [ 75.924748][ T5842] handle_mm_fault+0x1106/0x1bb0 [ 75.929711][ T5842] exc_page_fault+0x459/0x8c0 [ 75.934405][ T5842] asm_exc_page_fault+0x26/0x30 [ 75.939249][ T5842] page last free pid 5829 tgid 5829 stack trace: [ 75.945559][ T5842] free_unref_folios+0xf12/0x18d0 [ 75.950584][ T5842] folios_put_refs+0x76c/0x860 [ 75.955341][ T5842] free_pages_and_swap_cache+0x2ea/0x690 [ 75.960983][ T5842] tlb_flush_mmu+0x3a3/0x680 [ 75.965569][ T5842] tlb_finish_mmu+0xd4/0x200 [ 75.970152][ T5842] vms_clear_ptes+0x437/0x530 [ 75.974849][ T5842] vms_complete_munmap_vmas+0x208/0x910 [ 75.980402][ T5842] do_vmi_align_munmap+0x613/0x730 [ 75.985526][ T5842] do_vmi_munmap+0x24e/0x2d0 [ 75.990108][ T5842] __vm_munmap+0x24c/0x480 [ 75.994950][ T5842] __x64_sys_munmap+0x60/0x70 [ 75.999632][ T5842] do_syscall_64+0xf3/0x230 [ 76.004131][ T5842] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.010038][ T5842] [ 76.012345][ T5842] Memory state around the buggy address: [ 76.017959][ T5842] ffff8880755ef080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.026018][ T5842] ffff8880755ef100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.034084][ T5842] >ffff8880755ef180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.042130][ T5842] ^ [ 76.048533][ T5842] ffff8880755ef200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.056591][ T5842] ffff8880755ef280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.064651][ T5842] ================================================================== [ 76.072906][ T5842] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.080133][ T5842] CPU: 0 UID: 0 PID: 5842 Comm: syz-executor346 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0 [ 76.091242][ T5842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 76.101295][ T5842] Call Trace: [ 76.104572][ T5842] [ 76.107501][ T5842] dump_stack_lvl+0x241/0x360 [ 76.112190][ T5842] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.117400][ T5842] ? __pfx__printk+0x10/0x10 [ 76.122019][ T5842] ? preempt_schedule+0xe1/0xf0 [ 76.127139][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 76.132785][ T5842] ? vscnprintf+0x5d/0x90 [ 76.137132][ T5842] panic+0x349/0x880 [ 76.141033][ T5842] ? check_panic_on_warn+0x21/0xb0 [ 76.146150][ T5842] ? __pfx_panic+0x10/0x10 [ 76.150569][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 76.156213][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 76.161856][ T5842] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 76.167840][ T5842] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 76.174174][ T5842] ? print_report+0x502/0x550 [ 76.178859][ T5842] check_panic_on_warn+0x86/0xb0 [ 76.183801][ T5842] ? sysv_new_inode+0xfc7/0x1160 [ 76.188749][ T5842] end_report+0x77/0x160 [ 76.193005][ T5842] kasan_report+0x154/0x180 [ 76.197516][ T5842] ? sysv_new_inode+0xfc7/0x1160 [ 76.202466][ T5842] sysv_new_inode+0xfc7/0x1160 [ 76.207246][ T5842] ? __pfx_sysv_new_inode+0x10/0x10 [ 76.212450][ T5842] ? aa_get_newest_label+0xff/0x6f0 [ 76.217708][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 76.223348][ T5842] ? generic_permission+0x241/0x550 [ 76.228559][ T5842] sysv_mknod+0x4e/0xe0 [ 76.232732][ T5842] vfs_mknod+0x36f/0x3b0 [ 76.236983][ T5842] do_mknodat+0x3ec/0x5b0 [ 76.241325][ T5842] ? __pfx_do_mknodat+0x10/0x10 [ 76.246186][ T5842] ? srso_alias_return_thunk+0x5/0xfbef5 [ 76.251914][ T5842] ? getname_flags+0x1e3/0x540 [ 76.256690][ T5842] __x64_sys_mknodat+0xa7/0xc0 [ 76.261456][ T5842] do_syscall_64+0xf3/0x230 [ 76.265969][ T5842] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.271865][ T5842] RIP: 0033:0x7fcc6a9f30e9 [ 76.276277][ T5842] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 76.295969][ T5842] RSP: 002b:00007fff57032338 EFLAGS: 00000246 ORIG_RAX: 0000000000000103 [ 76.304386][ T5842] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcc6a9f30e9 [ 76.312352][ T5842] RDX: 0000000000001408 RSI: 0000000020000080 RDI: 00000000ffffff9c [ 76.320323][ T5842] RBP: 00000000ffffffff R08: 0000000000009e87 R09: 0000000000000000 [ 76.328290][ T5842] R10: 0000000000000103 R11: 0000000000000246 R12: 00007fff57032380 [ 76.336286][ T5842] R13: 00007fff570323c0 R14: 0000000000010000 R15: 0000000000000003 [ 76.344262][ T5842] [ 76.347507][ T5842] Kernel Offset: disabled [ 76.351818][ T5842] Rebooting in 86400 seconds..