./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1553115916

<...>
Warning: Permanently added '10.128.0.188' (ED25519) to the list of known hosts.
execve("./syz-executor1553115916", ["./syz-executor1553115916"], 0x7fff4e8135e0 /* 10 vars */) = 0
brk(NULL)                               = 0x55557c3bc000
brk(0x55557c3bcd00)                     = 0x55557c3bcd00
arch_prctl(ARCH_SET_FS, 0x55557c3bc380) = 0
set_tid_address(0x55557c3bc650)         = 5101
set_robust_list(0x55557c3bc660, 24)     = 0
rseq(0x55557c3bcca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor1553115916", 4096) = 28
getrandom("\x4d\x80\x15\x5a\x23\x24\x45\xaf", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x55557c3bcd00
brk(0x55557c3ddd00)                     = 0x55557c3ddd00
brk(0x55557c3de000)                     = 0x55557c3de000
mprotect(0x7f1582fe6000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5102 attached
, child_tidptr=0x55557c3bc650) = 5102
[pid  5102] set_robust_list(0x55557c3bc660, 24) = 0
[pid  5102] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid  5102] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5102] setsid()                    = 1
[pid  5102] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid  5102] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid  5102] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid  5102] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid  5102] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid  5102] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid  5102] unshare(CLONE_NEWNS)        = 0
[pid  5102] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid  5102] unshare(CLONE_NEWIPC)       = 0
[pid  5102] unshare(CLONE_NEWCGROUP)    = 0
[pid  5102] unshare(CLONE_NEWUTS)       = 0
[pid  5102] unshare(CLONE_SYSVSEM)      = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "16777216", 8)     = 8
[pid  5102] close(3)                    = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "536870912", 9)    = 9
[pid  5102] close(3)                    = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "1024", 4)         = 4
[pid  5102] close(3)                    = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "8192", 4)         = 4
[pid  5102] close(3)                    = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "1024", 4)         = 4
[pid  5102] close(3)                    = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "1024", 4)         = 4
[pid  5102] close(3)                    = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "1024 1048576 500 1024", 21) = 21
[pid  5102] close(3)                    = 0
[pid  5102] getpid()                    = 1
[pid  5102] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5102] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5102] unshare(CLONE_NEWNET)       = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "0 65535", 7)      = 7
[pid  5102] close(3)                    = 0
[pid  5102] openat(AT_FDCWD, "/dev/net/tun", O_RDWR|O_NONBLOCK) = 3
[pid  5102] dup2(3, 200)                = 200
[pid  5102] close(3)                    = 0
[pid  5102] ioctl(200, TUNSETIFF, 0x7ffe87abb000) = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/net/ipv6/conf/syz_tun/accept_dad", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "0", 1)            = 1
[pid  5102] close(3)                    = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/net/ipv6/conf/syz_tun/router_solicitations", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "0", 1)            = 1
[pid  5102] close(3)                    = 0
[pid  5102] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3
[pid  5102] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid  5102] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5102] close(4)                    = 0
[pid  5102] sendto(3, [{nlmsg_len=40, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}, "\x02\x18\x00\x00\x0b\x00\x00\x00\x08\x00\x02\x00\xac\x14\x14\xaa\x08\x00\x01\x00\xac\x14\x14\xaa"], 40, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 40
[pid  5102] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=40, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
[pid  5102] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid  5102] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5102] close(4)                    = 0
[pid  5102] sendto(3, [{nlmsg_len=64, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}, "\x0a\x78\x00\x00\x0b\x00\x00\x00\x14\x00\x02\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x14\x00\x01\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa"], 64, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 64
[pid  5102] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=64, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
[pid  5102] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid  5102] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5102] close(4)                    = 0
[pid  5102] sendto(3, [{nlmsg_len=48, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}, "\x02\x00\x00\x00\x0b\x00\x00\x00\x80\x00\x00\x00\x08\x00\x01\x00\xac\x14\x14\xbb\x0a\x00\x02\x00\xbb\xaa\xaa\xaa\xaa\xaa\x00\x00"], 48, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 48
[pid  5102] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=48, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
[pid  5102] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid  5102] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5102] close(4)                    = 0
[pid  5102] sendto(3, [{nlmsg_len=60, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}, "\x0a\x00\x00\x00\x0b\x00\x00\x00\x80\x00\x00\x00\x14\x00\x01\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbb\x0a\x00\x02\x00\xbb\xaa\xaa\xaa\xaa\xaa\x00\x00"], 60, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 60
[pid  5102] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=60, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
[pid  5102] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid  5102] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5102] close(4)                    = 0
[pid  5102] sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0a\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44
[pid  5102] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
[pid  5102] close(3)                    = 0
[pid  5102] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
[pid  5102] write(3, "100000", 6)       = 6
[pid  5102] close(3)                    = 0
[pid  5102] mkdir("./syz-tmp", 0777)    = 0
[pid  5102] mount("", "./syz-tmp", "tmpfs", 0, NULL) = 0
[pid  5102] mkdir("./syz-tmp/newroot", 0777) = 0
[pid  5102] mkdir("./syz-tmp/newroot/dev", 0700) = 0
[pid  5102] mount("/dev", "./syz-tmp/newroot/dev", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0
[pid  5102] mkdir("./syz-tmp/newroot/proc", 0700) = 0
[pid  5102] mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL) = 0
[pid  5102] mkdir("./syz-tmp/newroot/selinux", 0700) = 0
[pid  5102] mount("/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = -1 ENOENT (No such file or directory)
[pid  5102] mount("/sys/fs/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = -1 ENOENT (No such file or directory)
[pid  5102] mkdir("./syz-tmp/newroot/sys", 0700) = 0
[pid  5102] mount("/sys", "./syz-tmp/newroot/sys", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0
[pid  5102] mkdir("./syz-tmp/pivot", 0777) = 0
[pid  5102] pivot_root("./syz-tmp", "./syz-tmp/pivot") = 0
[pid  5102] chdir("/")                  = 0
[pid  5102] umount2("./pivot", MNT_DETACH) = 0
[pid  5102] chroot("./newroot")         = 0
[pid  5102] chdir("/")                  = 0
[pid  5102] mkdir("/dev/binderfs", 0777) = 0
[pid  5102] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid  5102] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5102] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55557c3bc650) = 2
./strace-static-x86_64: Process 5105 attached
[pid  5105] set_robust_list(0x55557c3bc660, 24) = 0
[pid  5105] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5105] setpgid(0, 0)               = 0
[pid  5105] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5105] write(3, "1000", 4)         = 4
[pid  5105] close(3)                    = 0
[pid  5105] read(200, "\x33\x33\x00\x00\x00\x16\xaa\xaa\xaa\xaa\xaa\xaa\x86\xdd\x60\x00\x00\x00\x00\x38\x00\x01\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x16\x3a\x00\x05\x02\x00\x00\x01\x00\x8f\x00\xc2\x46\x00\x00\x00\x02\x04\x00\x00\x00\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xff\xaa\xaa\xaa\x04\x00\x00\x00\xff\x02\x00\x00\x00\x00"..., 1000) = 110
[pid  5105] read(200, 0x7ffe87ababa0, 1000) = -1 EAGAIN (Resource temporarily unavailable)
[pid  5105] write(1, "executing program\n", 18executing program
) = 18
[pid  5105] socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP) = 3
[pid  5105] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_XDP, insn_cnt=3, insns=0x20000140, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=BPF_F_STRICT_ALIGNMENT|BPF_F_TEST_RND_HI32|BPF_F_TEST_STATE_FREQ|0x20, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144) = 4
[pid  5105] socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) = 5
[pid  5105] ioctl(5, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0
[pid  5105] bpf(BPF_LINK_CREATE, {link_create={prog_fd=4, target_fd=11, attach_type=BPF_XDP, flags=0}}, 64) = 6
[   56.918460][    C0] ==================================================================
[   56.926537][    C0] BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x231/0x240
[   56.934674][    C0] Read of size 4 at addr ffffc900035777f8 by task syz-executor155/5105
[   56.942884][    C0] 
[   56.945188][    C0] CPU: 0 UID: 0 PID: 5105 Comm: syz-executor155 Not tainted 6.10.0-rc7-next-20240712-syzkaller #0
[   56.955751][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   56.965789][    C0] Call Trace:
[   56.969052][    C0]  <IRQ>
[   56.971896][    C0]  dump_stack_lvl+0x241/0x360
[   56.976563][    C0]  ? __pfx_dump_stack_lvl+0x10/0x10
[   56.981748][    C0]  ? __pfx__printk+0x10/0x10
[   56.986317][    C0]  ? _printk+0xd5/0x120
[   56.990454][    C0]  print_report+0x169/0x550
[   56.994962][    C0]  ? __virt_addr_valid+0xbd/0x530
[   56.999965][    C0]  ? xdp_do_check_flushed+0x231/0x240
[   57.005330][    C0]  kasan_report+0x143/0x180
[   57.009814][    C0]  ? xdp_do_check_flushed+0x231/0x240
[   57.015175][    C0]  xdp_do_check_flushed+0x231/0x240
[   57.020366][    C0]  __napi_poll+0xe4/0x490
[   57.024687][    C0]  net_rx_action+0x89b/0x1240
[   57.029360][    C0]  ? __pfx_net_rx_action+0x10/0x10
[   57.034463][    C0]  ? sched_clock+0x4a/0x70
[   57.038879][    C0]  ? __pfx___local_bh_disable_ip+0x10/0x10
[   57.044672][    C0]  ? sched_clock_cpu+0x76/0x490
[   57.049512][    C0]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   57.055826][    C0]  ? rcu_is_watching+0x15/0xb0
[   57.060576][    C0]  handle_softirqs+0x2c4/0x970
[   57.065335][    C0]  ? do_softirq+0x11b/0x1e0
[   57.069827][    C0]  ? __pfx_handle_softirqs+0x10/0x10
[   57.075106][    C0]  do_softirq+0x11b/0x1e0
[   57.079423][    C0]  </IRQ>
[   57.082340][    C0]  <TASK>
[   57.085255][    C0]  ? __pfx_do_softirq+0x10/0x10
[   57.090095][    C0]  ? lock_release+0xbf/0xa30
[   57.094677][    C0]  ? __pfx_lockdep_softirqs_on+0x10/0x10
[   57.100302][    C0]  ? rcu_is_watching+0x15/0xb0
[   57.105050][    C0]  __local_bh_enable_ip+0x1bb/0x200
[   57.110237][    C0]  ? tun_get_user+0x270a/0x4720
[   57.115086][    C0]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   57.120794][    C0]  ? tun_get_user+0x270a/0x4720
[   57.125632][    C0]  tun_get_user+0x2884/0x4720
[   57.130301][    C0]  ? rcu_is_watching+0x15/0xb0
[   57.135049][    C0]  ? lock_release+0xbf/0xa30
[   57.139627][    C0]  ? aa_file_perm+0x137/0xf60
[   57.144294][    C0]  ? __pfx_tun_get_user+0x10/0x10
[   57.149303][    C0]  ? do_raw_spin_unlock+0x13c/0x8b0
[   57.154496][    C0]  ? tun_get+0x1e/0x2f0
[   57.158638][    C0]  ? rcu_is_watching+0x15/0xb0
[   57.163388][    C0]  ? tun_get+0x1e/0x2f0
[   57.167530][    C0]  ? lock_release+0xbf/0xa30
[   57.172108][    C0]  ? __pfx_ref_tracker_alloc+0x10/0x10
[   57.177552][    C0]  ? __pfx_lock_release+0x10/0x10
[   57.182567][    C0]  ? end_current_label_crit_section+0x14e/0x180
[   57.188796][    C0]  ? common_file_perm+0x1a6/0x210
[   57.193808][    C0]  ? tun_get+0x1e/0x2f0
[   57.197949][    C0]  ? tun_get+0x27d/0x2f0
[   57.202178][    C0]  tun_chr_write_iter+0x113/0x1f0
[   57.207191][    C0]  vfs_write+0xa72/0xc90
[   57.211427][    C0]  ? __pfx_tun_chr_write_iter+0x10/0x10
[   57.216961][    C0]  ? __pfx_vfs_write+0x10/0x10
[   57.221722][    C0]  ksys_write+0x1a0/0x2c0
[   57.226045][    C0]  ? __pfx_ksys_write+0x10/0x10
[   57.230885][    C0]  ? rcu_is_watching+0x15/0xb0
[   57.235744][    C0]  do_syscall_64+0xf3/0x230
[   57.240256][    C0]  ? clear_bhb_loop+0x35/0x90
[   57.244927][    C0]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   57.250813][    C0] RIP: 0033:0x7f1582f6cdd0
[   57.255222][    C0] Code: 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d d1 e2 07 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
[   57.274819][    C0] RSP: 002b:00007ffe87abaf98 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[   57.283224][    C0] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1582f6cdd0
[   57.291181][    C0] RDX: 0000000000011dc0 RSI: 0000000020000480 RDI: 00000000000000c8
[   57.299137][    C0] RBP: 0000000000000000 R08: 00007ffe87abb0c8 R09: 00007ffe87abb0c8
[   57.307108][    C0] R10: 00007ffe87abb0c8 R11: 0000000000000202 R12: 0000000000000000
[   57.315079][    C0] R13: 0000000000000000 R14: 00007ffe87abafd0 R15: 00007ffe87abafc0
[   57.323135][    C0]  </TASK>
[   57.326138][    C0] 
[   57.328467][    C0] The buggy address belongs to stack of task syz-executor155/5105
[   57.336251][    C0]  and is located at offset 88 in frame:
[   57.341859][    C0]  do_softirq+0x0/0x1e0
[   57.346005][    C0] 
[   57.348311][    C0] This frame has 2 objects:
[   57.352790][    C0]  [32, 40) 'flags.i.i.i105'
[   57.352801][    C0]  [64, 72) 'flags.i.i.i'
[   57.357372][    C0] 
[   57.363982][    C0] The buggy address belongs to the virtual mapping at
[   57.363982][    C0]  [ffffc90003570000, ffffc90003579000) created by:
[   57.363982][    C0]  copy_process+0x5d1/0x3d90
[   57.381591][    C0] 
[   57.383899][    C0] The buggy address belongs to the physical page:
[   57.390304][    C0] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c1ce
[   57.399073][    C0] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   57.406178][    C0] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
[   57.414746][    C0] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   57.423311][    C0] page dumped because: kasan: bad access detected
[   57.429720][    C0] page_owner tracks the page as allocated
[   57.435422][    C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5102, tgid 5102 (syz-executor155), ts 56906611268, free_ts 50419268345
[   57.454853][    C0]  post_alloc_hook+0x1f3/0x230
[   57.459609][    C0]  get_page_from_freelist+0x2ccb/0x2d80
[   57.465139][    C0]  __alloc_pages_noprof+0x256/0x6c0
[   57.470321][    C0]  alloc_pages_mpol_noprof+0x3e8/0x680
[   57.475765][    C0]  __vmalloc_node_range_noprof+0x971/0x1460
[   57.481647][    C0]  dup_task_struct+0x444/0x8c0
[   57.486405][    C0]  copy_process+0x5d1/0x3d90
[   57.490984][    C0]  kernel_clone+0x226/0x8f0
[   57.495479][    C0]  __x64_sys_clone+0x258/0x2a0
[   57.500229][    C0]  do_syscall_64+0xf3/0x230
[   57.504719][    C0]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   57.510606][    C0] page last free pid 5095 tgid 5095 stack trace:
[   57.516922][    C0]  free_unref_page+0xd22/0xea0
[   57.521679][    C0]  __folio_put+0x2c8/0x440
[   57.526080][    C0]  pipe_read+0x6f2/0x13e0
[   57.530392][    C0]  vfs_read+0x9bd/0xbc0
[   57.534536][    C0]  ksys_read+0x1a0/0x2c0
[   57.538767][    C0]  do_syscall_64+0xf3/0x230
[   57.543256][    C0]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   57.549136][    C0] 
[   57.551441][    C0] Memory state around the buggy address:
[   57.557053][    C0]  ffffc90003577680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   57.565097][    C0]  ffffc90003577700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   57.573139][    C0] >ffffc90003577780: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3
[   57.581177][    C0]                                                                 ^
[   57.589134][    C0]  ffffc90003577800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   57.597178][    C0]  ffffc90003577880: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
[   57.605219][    C0] ==================================================================
[   57.613341][    C0] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   57.620538][    C0] CPU: 0 UID: 0 PID: 5105 Comm: syz-executor155 Not tainted 6.10.0-rc7-next-20240712-syzkaller #0
[   57.631135][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   57.641178][    C0] Call Trace:
[   57.644443][    C0]  <IRQ>
[   57.647274][    C0]  dump_stack_lvl+0x241/0x360
[   57.651945][    C0]  ? __pfx_dump_stack_lvl+0x10/0x10
[   57.657132][    C0]  ? __pfx__printk+0x10/0x10
[   57.661709][    C0]  ? __irq_exit_rcu+0x100/0x1c0
[   57.666551][    C0]  ? vscnprintf+0x5d/0x90
[   57.670864][    C0]  panic+0x349/0x870
[   57.674749][    C0]  ? check_panic_on_warn+0x21/0xb0
[   57.679848][    C0]  ? __pfx_panic+0x10/0x10
[   57.684258][    C0]  ? _raw_spin_unlock_irqrestore+0xd8/0x140
[   57.690135][    C0]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   57.696011][    C0]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   57.702326][    C0]  check_panic_on_warn+0x86/0xb0
[   57.707248][    C0]  ? xdp_do_check_flushed+0x231/0x240
[   57.712610][    C0]  end_report+0x77/0x160
[   57.716845][    C0]  kasan_report+0x154/0x180
[   57.721336][    C0]  ? xdp_do_check_flushed+0x231/0x240
[   57.726700][    C0]  xdp_do_check_flushed+0x231/0x240
[   57.731888][    C0]  __napi_poll+0xe4/0x490
[   57.736227][    C0]  net_rx_action+0x89b/0x1240
[   57.741001][    C0]  ? __pfx_net_rx_action+0x10/0x10
[   57.746109][    C0]  ? sched_clock+0x4a/0x70
[   57.750521][    C0]  ? __pfx___local_bh_disable_ip+0x10/0x10
[   57.756320][    C0]  ? sched_clock_cpu+0x76/0x490
[   57.761160][    C0]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   57.767914][    C0]  ? rcu_is_watching+0x15/0xb0
[   57.772694][    C0]  handle_softirqs+0x2c4/0x970
[   57.777468][    C0]  ? do_softirq+0x11b/0x1e0
[   57.781965][    C0]  ? __pfx_handle_softirqs+0x10/0x10
[   57.787244][    C0]  do_softirq+0x11b/0x1e0
[   57.791566][    C0]  </IRQ>
[   57.794485][    C0]  <TASK>
[   57.797402][    C0]  ? __pfx_do_softirq+0x10/0x10
[   57.802242][    C0]  ? lock_release+0xbf/0xa30
[   57.806825][    C0]  ? __pfx_lockdep_softirqs_on+0x10/0x10
[   57.812449][    C0]  ? rcu_is_watching+0x15/0xb0
[   57.817209][    C0]  __local_bh_enable_ip+0x1bb/0x200
[   57.822404][    C0]  ? tun_get_user+0x270a/0x4720
[   57.827249][    C0]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   57.832958][    C0]  ? tun_get_user+0x270a/0x4720
[   57.837795][    C0]  tun_get_user+0x2884/0x4720
[   57.842464][    C0]  ? rcu_is_watching+0x15/0xb0
[   57.847213][    C0]  ? lock_release+0xbf/0xa30
[   57.851792][    C0]  ? aa_file_perm+0x137/0xf60
[   57.856459][    C0]  ? __pfx_tun_get_user+0x10/0x10
[   57.861473][    C0]  ? do_raw_spin_unlock+0x13c/0x8b0
[   57.866665][    C0]  ? tun_get+0x1e/0x2f0
[   57.870808][    C0]  ? rcu_is_watching+0x15/0xb0
[   57.875555][    C0]  ? tun_get+0x1e/0x2f0
[   57.879698][    C0]  ? lock_release+0xbf/0xa30
[   57.884279][    C0]  ? __pfx_ref_tracker_alloc+0x10/0x10
[   57.889729][    C0]  ? __pfx_lock_release+0x10/0x10
[   57.894748][    C0]  ? end_current_label_crit_section+0x14e/0x180
[   57.900976][    C0]  ? common_file_perm+0x1a6/0x210
[   57.905991][    C0]  ? tun_get+0x1e/0x2f0
[   57.910133][    C0]  ? tun_get+0x27d/0x2f0
[   57.914366][    C0]  tun_chr_write_iter+0x113/0x1f0
[   57.919386][    C0]  vfs_write+0xa72/0xc90
[   57.923635][    C0]  ? __pfx_tun_chr_write_iter+0x10/0x10
[   57.929261][    C0]  ? __pfx_vfs_write+0x10/0x10
[   57.934025][    C0]  ksys_write+0x1a0/0x2c0
[   57.938413][    C0]  ? __pfx_ksys_write+0x10/0x10
[   57.943271][    C0]  ? rcu_is_watching+0x15/0xb0
[   57.948023][    C0]  do_syscall_64+0xf3/0x230
[   57.952521][    C0]  ? clear_bhb_loop+0x35/0x90
[   57.957187][    C0]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   57.963066][    C0] RIP: 0033:0x7f1582f6cdd0
[   57.967472][    C0] Code: 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d d1 e2 07 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
[   57.987069][    C0] RSP: 002b:00007ffe87abaf98 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[   57.995470][    C0] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1582f6cdd0
[   58.003427][    C0] RDX: 0000000000011dc0 RSI: 0000000020000480 RDI: 00000000000000c8
[   58.011382][    C0] RBP: 0000000000000000 R08: 00007ffe87abb0c8 R09: 00007ffe87abb0c8
[   58.019345][    C0] R10: 00007ffe87abb0c8 R11: 0000000000000202 R12: 0000000000000000
[   58.027300][    C0] R13: 0000000000000000 R14: 00007ffe87abafd0 R15: 00007ffe87abafc0
[   58.035262][    C0]  </TASK>
[   58.038486][    C0] Kernel Offset: disabled
[   58.042790][    C0] Rebooting in 86400 seconds..