./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor710987530 <...> Warning: Permanently added '10.128.15.194' (ECDSA) to the list of known hosts. execve("./syz-executor710987530", ["./syz-executor710987530"], 0x7ffc2af23060 /* 10 vars */) = 0 brk(NULL) = 0x5555571b5000 brk(0x5555571b5c40) = 0x5555571b5c40 arch_prctl(ARCH_SET_FS, 0x5555571b5300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x5555571b55d0) = 5069 set_robust_list(0x5555571b55e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7fb9d3a734b0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fb9d3a73b80}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7fb9d3a73550, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fb9d3a73b80}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor710987530", 4096) = 27 brk(0x5555571d6c40) = 0x5555571d6c40 brk(0x5555571d7000) = 0x5555571d7000 mprotect(0x7fb9d3b36000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 5069 mkdir("./syzkaller.YkfIhu", 0700) = 0 chmod("./syzkaller.YkfIhu", 0777) = 0 chdir("./syzkaller.YkfIhu") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571b55d0) = 5070 ./strace-static-x86_64: Process 5070 attached [pid 5070] set_robust_list(0x5555571b55e0, 24) = 0 [pid 5070] chdir("./0") = 0 [pid 5070] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5070] setpgid(0, 0) = 0 [pid 5070] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5070] write(3, "1000", 4) = 4 [pid 5070] close(3) = 0 [pid 5070] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5070] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb9d3a42000 [pid 5070] mprotect(0x7fb9d3a43000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5070] clone(child_stack=0x7fb9d3a623f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5071], tls=0x7fb9d3a62700, child_tidptr=0x7fb9d3a629d0) = 5071 [pid 5070] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] futex(0x7fb9d3b3c7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5071 attached [pid 5071] set_robust_list(0x7fb9d3a629e0, 24) = 0 [pid 5071] memfd_create("syzkaller", 0) = 3 [pid 5071] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb9cb642000 [pid 5071] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5071] munmap(0x7fb9cb642000, 4194304) = 0 [pid 5071] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 syzkaller login: [ 52.652717][ T5071] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5071 'syz-executor710' [pid 5071] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5071] close(3) = 0 [pid 5071] mkdir("./file0", 0777) = 0 [ 52.707489][ T5071] loop0: detected capacity change from 0 to 8192 [ 52.720657][ T5071] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 52.733800][ T5071] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 52.743123][ T5071] REISERFS (device loop0): using ordered data mode [ 52.749629][ T5071] reiserfs: using flush barriers [ 52.755966][ T5071] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 52.772543][ T5071] REISERFS (device loop0): checking transaction log (loop0) [pid 5071] mount("/dev/loop0", "./file0", "reiserfs", MS_NOEXEC|MS_I_VERSION, "") = 0 [pid 5071] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5071] chdir("./file0") = 0 [pid 5071] ioctl(4, LOOP_CLR_FD) = 0 [pid 5071] close(4) = 0 [pid 5071] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5071] futex(0x7fb9d3b3c7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5070] <... futex resumed>) = 0 [pid 5070] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5071] <... futex resumed>) = 0 [pid 5070] <... futex resumed>) = 1 [pid 5071] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_LARGEFILE|O_NOATIME, 000 [pid 5070] futex(0x7fb9d3b3c7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5071] <... open resumed>) = 4 [pid 5071] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5070] <... futex resumed>) = 0 [pid 5070] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5071] ftruncate(4, 3608577 [pid 5070] <... futex resumed>) = 0 [pid 5070] futex(0x7fb9d3b3c7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5071] <... ftruncate resumed>) = 0 [pid 5071] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5070] <... futex resumed>) = 0 [pid 5071] openat(AT_FDCWD, ".log", O_WRONLY|O_CREAT|O_TRUNC, 000 [pid 5070] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] futex(0x7fb9d3b3c7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb9cba21000 [pid 5070] mprotect(0x7fb9cba22000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5070] clone(child_stack=0x7fb9cba413f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5074], tls=0x7fb9cba41700, child_tidptr=0x7fb9cba419d0) = 5074 ./strace-static-x86_64: Process 5074 attached [pid 5071] <... openat resumed>) = 5 [pid 5070] futex(0x7fb9d3b3c7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5071] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5070] futex(0x7fb9d3b3c7bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5071] <... futex resumed>) = 0 [pid 5071] futex(0x7fb9d3b3c7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5074] set_robust_list(0x7fb9cba419e0, 24) = 0 [pid 5074] mknod("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 000) = 0 [pid 5074] futex(0x7fb9d3b3c7bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5070] <... futex resumed>) = 0 [pid 5070] exit_group(0 [pid 5071] <... futex resumed>) = ? [pid 5070] <... exit_group resumed>) = ? [pid 5071] +++ exited with 0 +++ [pid 5074] +++ exited with 0 +++ [pid 5070] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5070, si_uid=0, si_status=0, si_utime=0, si_stime=16 /* 0.16 s */} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571b6620 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 52.816739][ T5071] REISERFS (device loop0): Using r5 hash to sort names [ 52.824661][ T5071] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./0/binderfs") = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555571be660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555571be660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file0") = 0 getdents64(3, 0x5555571b6620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571b55d0) = 5075 ./strace-static-x86_64: Process 5075 attached [pid 5075] set_robust_list(0x5555571b55e0, 24) = 0 [pid 5075] chdir("./1") = 0 [pid 5075] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5075] setpgid(0, 0) = 0 [pid 5075] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5075] write(3, "1000", 4) = 4 [pid 5075] close(3) = 0 [pid 5075] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5075] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb9d3a42000 [pid 5075] mprotect(0x7fb9d3a43000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5075] clone(child_stack=0x7fb9d3a623f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5076], tls=0x7fb9d3a62700, child_tidptr=0x7fb9d3a629d0) = 5076 [pid 5075] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] futex(0x7fb9d3b3c7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5076 attached [pid 5076] set_robust_list(0x7fb9d3a629e0, 24) = 0 [pid 5076] memfd_create("syzkaller", 0) = 3 [pid 5076] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb9cb642000 [pid 5076] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5076] munmap(0x7fb9cb642000, 4194304) = 0 [pid 5076] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5076] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5076] close(3) = 0 [pid 5076] mkdir("./file0", 0777) = 0 [ 52.993286][ T5076] loop0: detected capacity change from 0 to 8192 [ 53.005093][ T5076] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 53.018169][ T5076] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 53.027481][ T5076] REISERFS (device loop0): using ordered data mode [ 53.034092][ T5076] reiserfs: using flush barriers [ 53.040271][ T5076] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 53.056755][ T5076] REISERFS (device loop0): checking transaction log (loop0) [pid 5076] mount("/dev/loop0", "./file0", "reiserfs", MS_NOEXEC|MS_I_VERSION, "") = 0 [pid 5076] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5076] chdir("./file0") = 0 [pid 5076] ioctl(4, LOOP_CLR_FD) = 0 [pid 5076] close(4) = 0 [pid 5076] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5075] <... futex resumed>) = 0 [pid 5075] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] futex(0x7fb9d3b3c7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5076] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_LARGEFILE|O_NOATIME, 000) = 4 [pid 5076] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5075] <... futex resumed>) = 0 [pid 5075] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] futex(0x7fb9d3b3c7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5076] ftruncate(4, 3608577) = 0 [pid 5076] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5075] <... futex resumed>) = 0 [pid 5075] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] futex(0x7fb9d3b3c7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5076] openat(AT_FDCWD, ".log", O_WRONLY|O_CREAT|O_TRUNC, 000 [pid 5075] <... mmap resumed>) = 0x7fb9cba21000 [pid 5075] mprotect(0x7fb9cba22000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5075] clone(child_stack=0x7fb9cba413f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5078], tls=0x7fb9cba41700, child_tidptr=0x7fb9cba419d0) = 5078 [pid 5075] futex(0x7fb9d3b3c7b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5076] <... openat resumed>) = 5 [pid 5075] <... futex resumed>) = 0 [pid 5075] futex(0x7fb9d3b3c7bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5078 attached [pid 5076] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5078] set_robust_list(0x7fb9cba419e0, 24 [pid 5076] <... futex resumed>) = 0 [pid 5078] <... set_robust_list resumed>) = 0 [pid 5076] futex(0x7fb9d3b3c7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5078] mknod("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 000) = 0 [pid 5078] futex(0x7fb9d3b3c7bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5075] <... futex resumed>) = 0 [pid 5078] futex(0x7fb9d3b3c7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5075] exit_group(0 [pid 5078] <... futex resumed>) = ? [pid 5076] <... futex resumed>) = ? [pid 5075] <... exit_group resumed>) = ? [pid 5076] +++ exited with 0 +++ [ 53.105988][ T5076] REISERFS (device loop0): Using r5 hash to sort names [ 53.113204][ T5076] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [pid 5078] +++ exited with 0 +++ [pid 5075] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5075, si_uid=0, si_status=0, si_utime=0, si_stime=16 /* 0.16 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571b6620 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./1/binderfs") = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555571be660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555571be660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file0") = 0 getdents64(3, 0x5555571b6620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571b55d0) = 5079 ./strace-static-x86_64: Process 5079 attached [pid 5079] set_robust_list(0x5555571b55e0, 24) = 0 [pid 5079] chdir("./2") = 0 [pid 5079] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5079] setpgid(0, 0) = 0 [pid 5079] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5079] write(3, "1000", 4) = 4 [pid 5079] close(3) = 0 [pid 5079] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5079] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb9d3a42000 [pid 5079] mprotect(0x7fb9d3a43000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5079] clone(child_stack=0x7fb9d3a623f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5080], tls=0x7fb9d3a62700, child_tidptr=0x7fb9d3a629d0) = 5080 ./strace-static-x86_64: Process 5080 attached [pid 5079] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7fb9d3b3c7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5080] set_robust_list(0x7fb9d3a629e0, 24) = 0 [pid 5080] memfd_create("syzkaller", 0) = 3 [pid 5080] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb9cb642000 [pid 5080] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5080] munmap(0x7fb9cb642000, 4194304) = 0 [pid 5080] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5080] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5080] close(3) = 0 [pid 5080] mkdir("./file0", 0777) = 0 [ 53.289209][ T5080] loop0: detected capacity change from 0 to 8192 [ 53.300233][ T5080] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 53.313451][ T5080] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 53.322780][ T5080] REISERFS (device loop0): using ordered data mode [ 53.329290][ T5080] reiserfs: using flush barriers [ 53.335422][ T5080] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 53.351771][ T5080] REISERFS (device loop0): checking transaction log (loop0) [pid 5080] mount("/dev/loop0", "./file0", "reiserfs", MS_NOEXEC|MS_I_VERSION, "") = 0 [pid 5080] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5080] chdir("./file0") = 0 [pid 5080] ioctl(4, LOOP_CLR_FD) = 0 [pid 5080] close(4) = 0 [pid 5080] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5079] <... futex resumed>) = 0 [pid 5080] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_LARGEFILE|O_NOATIME, 000 [pid 5079] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7fb9d3b3c7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5080] <... open resumed>) = 4 [pid 5080] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5079] <... futex resumed>) = 0 [pid 5080] ftruncate(4, 3608577 [pid 5079] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7fb9d3b3c7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5080] <... ftruncate resumed>) = 0 [pid 5080] futex(0x7fb9d3b3c7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5079] <... futex resumed>) = 0 [pid 5079] futex(0x7fb9d3b3c7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7fb9d3b3c7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb9cba21000 [pid 5079] mprotect(0x7fb9cba22000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5079] clone(child_stack=0x7fb9cba413f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5082 attached , parent_tid=[5082], tls=0x7fb9cba41700, child_tidptr=0x7fb9cba419d0) = 5082 [pid 5079] futex(0x7fb9d3b3c7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7fb9d3b3c7bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5082] set_robust_list(0x7fb9cba419e0, 24) = 0 [pid 5080] <... futex resumed>) = 1 [pid 5082] mknod("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 000) = 0 [pid 5082] futex(0x7fb9d3b3c7bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5079] <... futex resumed>) = 0 [pid 5082] futex(0x7fb9d3b3c7b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 53.394606][ T5080] REISERFS (device loop0): Using r5 hash to sort names [ 53.401656][ T5080] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [ 53.443403][ T5080] REISERFS panic (device loop0): vs-12195 balance_leaf: CFR not initialized [ 53.452961][ T5080] ------------[ cut here ]------------ [ 53.458745][ T5080] kernel BUG at fs/reiserfs/prints.c:390! [ 53.464886][ T5080] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 53.470964][ T5080] CPU: 0 PID: 5080 Comm: syz-executor710 Not tainted 6.2.0-rc1-next-20221226-syzkaller #0 [ 53.481016][ T5080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 53.491066][ T5080] RIP: 0010:__reiserfs_panic.cold+0x37/0x8a [ 53.497079][ T5080] Code: 61 8a 74 6d e8 98 f8 bf f7 4c 89 e9 4c 89 f2 4c 89 e6 49 c7 c0 20 8b d2 91 48 c7 c7 e0 76 61 8a e8 64 1f fd ff e8 77 f8 bf f7 <0f> 0b e8 70 f8 bf f7 4d 85 e4 49 c7 c6 20 75 61 8a 75 0a 49 c7 c6 [ 53.516693][ T5080] RSP: 0018:ffffc90003c6ed50 EFLAGS: 00010293 [ 53.522768][ T5080] RAX: 0000000000000000 RBX: ffff88807c8e0000 RCX: 0000000000000000 [ 53.530828][ T5080] RDX: ffff8880222e8000 RSI: ffffffff89c10d59 RDI: fffff5200078dd9c [ 53.538794][ T5080] RBP: ffffc90003c6ee20 R08: 0000000000000049 R09: 0000000000000000 [ 53.546762][ T5080] R10: 0000000080000000 R11: 0000000000000000 R12: ffffffff8a60ec60 [ 53.554725][ T5080] R13: ffffffff8a60f640 R14: ffffffff8a617520 R15: 0000000000000000 [ 53.562691][ T5080] FS: 00007fb9d3a62700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 [ 53.573181][ T5080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 53.579759][ T5080] CR2: 00007fb9d3af7c30 CR3: 000000001dc9a000 CR4: 00000000003506f0 [ 53.587810][ T5080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 53.595771][ T5080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 53.603828][ T5080] Call Trace: [ 53.607100][ T5080] [ 53.610024][ T5080] ? reiserfs_debug+0x10/0x10 [ 53.614708][ T5080] ? leaf_insert_into_buf+0x86f/0xa20 [ 53.620090][ T5080] balance_leaf+0xb78c/0xde40 [ 53.624774][ T5080] ? reiserfs_prepare_for_journal+0x162/0x2b0 [ 53.630840][ T5080] ? fix_nodes+0x14cf/0x8660 [ 53.635432][ T5080] ? replace_key+0x170/0x170 [ 53.640025][ T5080] do_balance+0x319/0x810 [ 53.644354][ T5080] ? get_right_neighbor_position+0x170/0x170 [ 53.650335][ T5080] ? wait_for_completion_io_timeout+0x20/0x20 [ 53.656421][ T5080] reiserfs_insert_item+0xdb2/0x11b0 [ 53.661731][ T5080] ? reiserfs_paste_into_item+0x8e0/0x8e0 [ 53.667457][ T5080] ? __find_get_block+0x5b4/0xbb0 [ 53.672504][ T5080] ? rwlock_bug.part.0+0x90/0x90 [ 53.677440][ T5080] ? lock_acquire+0x32/0xc0 [ 53.681937][ T5080] ? inode_get_bytes+0x21/0xa0 [ 53.686710][ T5080] ? do_raw_spin_unlock+0x175/0x230 [ 53.691912][ T5080] ? _raw_spin_unlock+0x28/0x40 [ 53.696767][ T5080] ? real_space_diff+0x135/0x170 [ 53.701707][ T5080] reiserfs_new_inode+0xe55/0x2190 [ 53.706849][ T5080] ? reiserfs_fh_to_parent+0x1b0/0x1b0 [ 53.712330][ T5080] ? __mutex_unlock_slowpath+0x157/0x5e0 [ 53.717973][ T5080] ? wait_for_completion_io_timeout+0x20/0x20 [ 53.724060][ T5080] ? dquot_get_next_dqblk+0x180/0x180 [ 53.729439][ T5080] ? rwlock_bug.part.0+0x90/0x90 [ 53.734373][ T5080] ? bpf_lsm_inode_init_security+0x9/0x10 [ 53.740095][ T5080] ? security_old_inode_init_security+0xf8/0x130 [ 53.746442][ T5080] reiserfs_create+0x351/0x730 [ 53.751209][ T5080] ? reiserfs_link+0x520/0x520 [ 53.755968][ T5080] ? apparmor_path_mknod+0x16a/0x720 [ 53.761259][ T5080] ? security_inode_permission+0xc9/0xf0 [ 53.766890][ T5080] ? reiserfs_listxattr+0x2e0/0x2e0 [ 53.772089][ T5080] ? bpf_lsm_inode_create+0x9/0x10 [ 53.777210][ T5080] ? reiserfs_link+0x520/0x520 [ 53.782150][ T5080] lookup_open.isra.0+0xee7/0x1270 [ 53.787273][ T5080] ? link_path_walk.part.0+0xdf0/0xdf0 [ 53.792737][ T5080] ? rcu_read_lock_sched_held+0x3e/0x70 [ 53.798293][ T5080] ? lock_acquire+0x32/0xc0 [ 53.802797][ T5080] ? path_openat+0x90f/0x2a50 [ 53.807482][ T5080] path_openat+0x975/0x2a50 [ 53.811993][ T5080] ? path_lookupat+0x840/0x840 [ 53.816763][ T5080] do_filp_open+0x1ba/0x410 [ 53.821276][ T5080] ? may_open_dev+0xf0/0xf0 [ 53.825780][ T5080] ? find_held_lock+0x2d/0x110 [ 53.830556][ T5080] ? do_raw_spin_lock+0x124/0x2b0 [ 53.835579][ T5080] ? rwlock_bug.part.0+0x90/0x90 [ 53.840519][ T5080] ? _raw_spin_unlock+0x28/0x40 [ 53.845369][ T5080] ? alloc_fd+0x2d8/0x6d0 [ 53.849703][ T5080] do_sys_openat2+0x16d/0x4c0 [ 53.854382][ T5080] ? build_open_flags+0x6f0/0x6f0 [ 53.859405][ T5080] ? ptrace_notify+0xfe/0x140 [ 53.864079][ T5080] ? lock_downgrade+0x6e0/0x6e0 [ 53.868928][ T5080] __x64_sys_openat+0x143/0x1f0 [ 53.874731][ T5080] ? __ia32_sys_open+0x1c0/0x1c0 [ 53.879665][ T5080] ? _raw_spin_unlock_irq+0x23/0x50 [ 53.886512][ T5080] ? lockdep_hardirqs_on+0x7d/0x100 [ 53.891707][ T5080] ? _raw_spin_unlock_irq+0x2e/0x50 [ 53.896919][ T5080] ? ptrace_notify+0xfe/0x140 [ 53.902142][ T5080] do_syscall_64+0x39/0xb0 [ 53.906573][ T5080] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 53.912470][ T5080] RIP: 0033:0x7fb9d3ab6559 [ 53.916879][ T5080] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 53.936483][ T5080] RSP: 002b:00007fb9d3a622f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 53.944890][ T5080] RAX: ffffffffffffffda RBX: 00007fb9d3b3c7a0 RCX: 00007fb9d3ab6559 [ 53.952854][ T5080] RDX: 0000000000000241 RSI: 0000000020000000 RDI: 00000000ffffff9c [ 53.960819][ T5080] RBP: 00007fb9d3b092b0 R08: 0000000000000000 R09: 0000000000000000 [ 53.968785][ T5080] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb9d3b091b8 [ 53.976753][ T5080] R13: 0030656c69662f2e R14: 7366726573696572 R15: 00007fb9d3b3c7a8 [ 53.984726][ T5080] [ 53.987755][ T5080] Modules linked in: [ 53.992021][ T5080] ---[ end trace 0000000000000000 ]--- [ 53.997496][ T5080] RIP: 0010:__reiserfs_panic.cold+0x37/0x8a [ 54.003999][ T5080] Code: 61 8a 74 6d e8 98 f8 bf f7 4c 89 e9 4c 89 f2 4c 89 e6 49 c7 c0 20 8b d2 91 48 c7 c7 e0 76 61 8a e8 64 1f fd ff e8 77 f8 bf f7 <0f> 0b e8 70 f8 bf f7 4d 85 e4 49 c7 c6 20 75 61 8a 75 0a 49 c7 c6 [ 54.023833][ T5080] RSP: 0018:ffffc90003c6ed50 EFLAGS: 00010293 [ 54.030063][ T5080] RAX: 0000000000000000 RBX: ffff88807c8e0000 RCX: 0000000000000000 [ 54.038105][ T5080] RDX: ffff8880222e8000 RSI: ffffffff89c10d59 RDI: fffff5200078dd9c [ 54.046123][ T5080] RBP: ffffc90003c6ee20 R08: 0000000000000049 R09: 0000000000000000 [ 54.054126][ T5080] R10: 0000000080000000 R11: 0000000000000000 R12: ffffffff8a60ec60 [ 54.062139][ T5080] R13: ffffffff8a60f640 R14: ffffffff8a617520 R15: 0000000000000000 [ 54.070120][ T5080] FS: 00007fb9d3a62700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 [ 54.079076][ T5080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 54.085718][ T5080] CR2: 00007fb9d3af7c30 CR3: 000000001dc9a000 CR4: 00000000003506f0 [ 54.093882][ T5080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 54.101859][ T5080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 54.109880][ T5080] Kernel panic - not syncing: Fatal exception [ 54.116131][ T5080] Kernel Offset: disabled [ 54.120448][ T5080] Rebooting in 86400 seconds..