./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1552431961 <...> Warning: Permanently added '10.128.0.90' (ED25519) to the list of known hosts. execve("./syz-executor1552431961", ["./syz-executor1552431961"], 0x7fffd8b8f950 /* 10 vars */) = 0 brk(NULL) = 0x555555e3b000 brk(0x555555e3bd00) = 0x555555e3bd00 arch_prctl(ARCH_SET_FS, 0x555555e3b380) = 0 set_tid_address(0x555555e3b650) = 296 set_robust_list(0x555555e3b660, 24) = 0 rseq(0x555555e3bca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1552431961", 4096) = 28 getrandom("\x29\x8f\x63\xca\x4c\x6f\x98\x7c", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555555e3bd00 brk(0x555555e5cd00) = 0x555555e5cd00 brk(0x555555e5d000) = 0x555555e5d000 mprotect(0x7f0cb702a000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0executing program ) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e3b650) = 297 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e3b650) = 298 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e3b650) = 299 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e3b650) = 300 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e3b650) = 301 ./strace-static-x86_64: Process 301 attached [pid 301] set_robust_list(0x555555e3b660, 24) = 0 [pid 301] mkdir("./syzkaller.QBcLbX", 0700) = 0 [pid 301] chmod("./syzkaller.QBcLbX", 0777) = 0 [pid 301] chdir("./syzkaller.QBcLbX") = 0 [pid 301] mkdir("./0", 0777) = 0 [pid 301] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e3b650) = 302 ./strace-static-x86_64: Process 302 attached [pid 302] set_robust_list(0x555555e3b660, 24) = 0 [pid 302] chdir("./0") = 0 [pid 302] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 302] setpgid(0, 0) = 0 [pid 302] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 302] write(3, "1000", 4) = 4 [pid 302] close(3) = 0 [pid 302] symlink("/dev/binderfs", "./binderfs") = 0 [pid 302] write(1, "executing program\n", 18) = 18 [pid 302] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_LRU_PERCPU_HASH, key_size=4, value_size=4, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 3 [pid 302] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=20, insns=0x200002c0, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144) = 4 [pid 302] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_ext_remove_space_done", prog_fd=4}}, 16) = 5 [pid 302] exit_group(0) = ? ./strace-static-x86_64: Process 297 attached ./strace-static-x86_64: Process 299 attached [pid 302] +++ exited with 0 +++ [pid 301] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=302, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 301] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 301] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW./strace-static-x86_64: Process 300 attached ./strace-static-x86_64: Process 298 attached ) = -1 EINVAL (Invalid argument) [pid 301] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 301] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 301] getdents64(3, 0x555555e3c6f0 /* 3 entries */, 32768) = 80 [pid 301] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 301] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 301] unlink("./0/binderfs") = 0 [pid 301] getdents64(3, 0x555555e3c6f0 /* 0 entries */, 32768) = 0 [pid 301] close(3) = 0 [pid 301] rmdir("./0" [pid 298] set_robust_list(0x555555e3b660, 24 [pid 301] <... rmdir resumed>) = 0 [pid 300] set_robust_list(0x555555e3b660, 24 [pid 301] mkdir("./1", 0777 [pid 299] set_robust_list(0x555555e3b660, 24 [pid 297] set_robust_list(0x555555e3b660, 24 [pid 300] <... set_robust_list resumed>) = 0 [pid 298] <... set_robust_list resumed>) = 0 [pid 301] <... mkdir resumed>) = 0 [pid 301] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 299] <... set_robust_list resumed>) = 0 [pid 297] <... set_robust_list resumed>) = 0 [pid 300] mkdir("./syzkaller.wZBGM4", 0700 [pid 298] mkdir("./syzkaller.B6bpzE", 0700 [pid 301] <... clone resumed>, child_tidptr=0x555555e3b650) = 303 ./strace-static-x86_64: Process 303 attached [pid 300] <... mkdir resumed>) = 0 [pid 299] mkdir("./syzkaller.i7PiB8", 0700 [pid 298] <... mkdir resumed>) = 0 [pid 297] mkdir("./syzkaller.Zzztbm", 0700 [pid 300] chmod("./syzkaller.wZBGM4", 0777 [pid 299] <... mkdir resumed>) = 0 [pid 298] chmod("./syzkaller.B6bpzE", 0777 [pid 297] <... mkdir resumed>) = 0 [pid 300] <... chmod resumed>) = 0 [pid 299] chmod("./syzkaller.i7PiB8", 0777 [pid 298] <... chmod resumed>) = 0 [pid 297] chmod("./syzkaller.Zzztbm", 0777 [pid 300] chdir("./syzkaller.wZBGM4" [pid 299] <... chmod resumed>) = 0 [pid 298] chdir("./syzkaller.B6bpzE" [pid 297] <... chmod resumed>) = 0 [pid 300] <... chdir resumed>) = 0 [pid 299] chdir("./syzkaller.i7PiB8" [pid 298] <... chdir resumed>) = 0 [pid 297] chdir("./syzkaller.Zzztbm" [pid 300] mkdir("./0", 0777 [pid 299] <... chdir resumed>) = 0 [pid 298] mkdir("./0", 0777 [pid 297] <... chdir resumed>) = 0 [pid 300] <... mkdir resumed>) = 0 [pid 299] mkdir("./0", 0777 [pid 298] <... mkdir resumed>) = 0 [pid 297] mkdir("./0", 0777 [pid 300] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 299] <... mkdir resumed>) = 0 [pid 298] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 297] <... mkdir resumed>) = 0 [pid 299] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 297] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 300] <... clone resumed>, child_tidptr=0x555555e3b650) = 304 [pid 298] <... clone resumed>, child_tidptr=0x555555e3b650) = 305 [pid 299] <... clone resumed>, child_tidptr=0x555555e3b650) = 306 [pid 297] <... clone resumed>, child_tidptr=0x555555e3b650) = 307 [pid 303] set_robust_list(0x555555e3b660, 24) = 0 [pid 303] chdir("./1") = 0 [pid 303] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 303] setpgid(0, 0./strace-static-x86_64: Process 307 attached ./strace-static-x86_64: Process 306 attached ./strace-static-x86_64: Process 305 attached ./strace-static-x86_64: Process 304 attached ) = 0 [pid 303] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 304] set_robust_list(0x555555e3b660, 24 [pid 305] set_robust_list(0x555555e3b660, 24 [pid 304] <... set_robust_list resumed>) = 0 [pid 304] chdir("./0" [pid 307] set_robust_list(0x555555e3b660, 24 [pid 306] set_robust_list(0x555555e3b660, 24 [pid 305] <... set_robust_list resumed>) = 0 [pid 305] chdir("./0" [pid 303] <... openat resumed>) = 3 [pid 306] <... set_robust_list resumed>) = 0 [pid 307] <... set_robust_list resumed>) = 0 [pid 306] chdir("./0" [pid 304] <... chdir resumed>) = 0 [pid 307] chdir("./0" [pid 305] <... chdir resumed>) = 0 [pid 304] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 304] setpgid(0, 0 [pid 305] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 306] <... chdir resumed>) = 0 [pid 303] write(3, "1000", 4 [pid 307] <... chdir resumed>) = 0 [pid 305] setpgid(0, 0 [pid 303] <... write resumed>) = 4 [pid 304] <... setpgid resumed>) = 0 [pid 306] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 304] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 307] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 303] close(3 [pid 305] <... setpgid resumed>) = 0 [ 21.813793][ T28] audit: type=1400 audit(1717816039.001:66): avc: denied { execmem } for pid=296 comm="syz-executor155" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 21.837588][ T28] audit: type=1400 audit(1717816039.001:67): avc: denied { bpf } for pid=302 comm="syz-executor155" capability=39 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1 [pid 306] <... prctl resumed>) = 0 [pid 307] <... prctl resumed>) = 0 [pid 306] setpgid(0, 0 [pid 305] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 303] <... close resumed>) = 0 [pid 307] setpgid(0, 0 [pid 303] symlink("/dev/binderfs", "./binderfs" [pid 306] <... setpgid resumed>) = 0 [pid 307] <... setpgid resumed>) = 0 [pid 303] <... symlink resumed>) = 0 [pid 306] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 307] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 304] <... openat resumed>) = 3 [pid 305] <... openat resumed>) = 3 [pid 307] <... openat resumed>) = 3 [pid 306] <... openat resumed>) = 3 [pid 307] write(3, "1000", 4 [pid 306] write(3, "1000", 4 [pid 305] write(3, "1000", 4 [pid 304] write(3, "1000", 4 [pid 303] write(1, "executing program\n", 18executing program [pid 307] <... write resumed>) = 4 [pid 306] <... write resumed>) = 4 [pid 305] <... write resumed>) = 4 [pid 304] <... write resumed>) = 4 [pid 303] <... write resumed>) = 18 [pid 307] close(3 [pid 306] close(3 [pid 305] close(3 [pid 304] close(3 [pid 303] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_LRU_PERCPU_HASH, key_size=4, value_size=4, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 307] <... close resumed>) = 0 [pid 306] <... close resumed>) = 0 [pid 305] <... close resumed>) = 0 [pid 304] <... close resumed>) = 0 [pid 307] symlink("/dev/binderfs", "./binderfs" [pid 306] symlink("/dev/binderfs", "./binderfs" [pid 305] symlink("/dev/binderfs", "./binderfs" [pid 304] symlink("/dev/binderfs", "./binderfs" [pid 303] <... bpf resumed>) = 3 [pid 307] <... symlink resumed>) = 0 [pid 306] <... symlink resumed>) = 0 [pid 305] <... symlink resumed>) = 0 [pid 304] <... symlink resumed>) = 0 [pid 303] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=20, insns=0x200002c0, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 307] write(1, "executing program\n", 18 [pid 306] write(1, "executing program\n", 18 [pid 305] write(1, "executing program\n", 18 [pid 304] write(1, "executing program\n", 18 [pid 303] <... bpf resumed>) = 4 executing program executing program executing program executing program [pid 307] <... write resumed>) = 18 [pid 306] <... write resumed>) = 18 [pid 305] <... write resumed>) = 18 [pid 304] <... write resumed>) = 18 [pid 303] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_ext_remove_space_done", prog_fd=4}}, 16 [pid 307] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_LRU_PERCPU_HASH, key_size=4, value_size=4, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 306] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_LRU_PERCPU_HASH, key_size=4, value_size=4, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 305] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_LRU_PERCPU_HASH, key_size=4, value_size=4, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 304] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_LRU_PERCPU_HASH, key_size=4, value_size=4, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 307] <... bpf resumed>) = 3 [pid 306] <... bpf resumed>) = 3 [pid 305] <... bpf resumed>) = 3 [pid 304] <... bpf resumed>) = 3 [pid 307] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=20, insns=0x200002c0, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 306] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=20, insns=0x200002c0, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 305] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=20, insns=0x200002c0, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 304] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=20, insns=0x200002c0, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 307] <... bpf resumed>) = 4 [pid 303] <... bpf resumed>) = 5 [pid 306] <... bpf resumed>) = 4 [pid 306] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_ext_remove_space_done", prog_fd=4}}, 16) = 5 [pid 306] exit_group(0 [pid 305] <... bpf resumed>) = 4 [pid 306] <... exit_group resumed>) = ? [pid 304] <... bpf resumed>) = 4 [pid 307] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_ext_remove_space_done", prog_fd=4}}, 16 [pid 303] exit_group(0 [pid 307] <... bpf resumed>) = 5 [pid 303] <... exit_group resumed>) = ? [pid 305] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_ext_remove_space_done", prog_fd=4}}, 16 [pid 304] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_ext_remove_space_done", prog_fd=4}}, 16 [pid 307] exit_group(0 [pid 303] +++ exited with 0 +++ [pid 305] <... bpf resumed>) = 5 [pid 307] <... exit_group resumed>) = ? [pid 304] <... bpf resumed>) = 5 [pid 305] exit_group(0 [pid 301] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=303, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 301] restart_syscall(<... resuming interrupted clone ...> [pid 306] +++ exited with 0 +++ [pid 307] +++ exited with 0 +++ [pid 299] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=306, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- [pid 297] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=307, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 305] <... exit_group resumed>) = ? [pid 304] exit_group(0 [pid 301] <... restart_syscall resumed>) = 0 [pid 301] umount2("./1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 301] openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 301] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 301] getdents64(3, 0x555555e3c6f0 /* 3 entries */, 32768) = 80 [pid 301] umount2("./1/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 21.858171][ T28] audit: type=1400 audit(1717816039.001:68): avc: denied { map_create } for pid=302 comm="syz-executor155" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 21.877683][ T28] audit: type=1400 audit(1717816039.001:69): avc: denied { map_read map_write } for pid=302 comm="syz-executor155" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [pid 301] newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 301] unlink("./1/binderfs") = 0 [pid 301] getdents64(3, 0x555555e3c6f0 /* 0 entries */, 32768) = 0 [pid 301] close(3) = 0 [pid 301] rmdir("./1" [pid 304] <... exit_group resumed>) = ? [pid 299] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW [pid 297] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW [pid 299] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 297] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 299] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY [pid 297] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY [pid 299] <... openat resumed>) = 3 [pid 297] <... openat resumed>) = 3 [pid 299] newfstatat(3, "", [pid 297] newfstatat(3, "", [pid 299] <... newfstatat resumed>{st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 297] <... newfstatat resumed>{st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 299] getdents64(3, [pid 297] getdents64(3, [pid 299] <... getdents64 resumed>0x555555e3c6f0 /* 3 entries */, 32768) = 80 [pid 297] <... getdents64 resumed>0x555555e3c6f0 /* 3 entries */, 32768) = 80 [pid 299] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW [pid 297] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW [pid 299] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 297] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 299] newfstatat(AT_FDCWD, "./0/binderfs", [pid 297] newfstatat(AT_FDCWD, "./0/binderfs", [pid 299] <... newfstatat resumed>{st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 299] unlink("./0/binderfs" [pid 297] <... newfstatat resumed>{st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 21.898819][ T28] audit: type=1400 audit(1717816039.001:70): avc: denied { prog_load } for pid=302 comm="syz-executor155" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 21.902806][ T301] BUG: unable to handle page fault for address: ffffffffff600000 [ 21.921029][ T28] audit: type=1400 audit(1717816039.001:71): avc: denied { perfmon } for pid=302 comm="syz-executor155" capability=38 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1 [ 21.927434][ T301] #PF: supervisor read access in kernel mode [ 21.927445][ T301] #PF: error_code(0x0000) - not-present page [ 21.927462][ T301] PGD 6e12067 P4D 6e12067 [pid 299] <... unlink resumed>) = 0 [pid 299] getdents64(3, [pid 297] unlink("./0/binderfs" [pid 299] <... getdents64 resumed>0x555555e3c6f0 /* 0 entries */, 32768) = 0 [pid 299] close(3 [pid 297] <... unlink resumed>) = 0 [pid 299] <... close resumed>) = 0 [ 21.948303][ T28] audit: type=1400 audit(1717816039.001:72): avc: denied { prog_run } for pid=302 comm="syz-executor155" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 21.954076][ T301] PUD 6e14067 PMD 6e16067 PTE 0 [ 21.987752][ T301] Oops: 0000 [#1] PREEMPT SMP KASAN [ 21.992786][ T301] CPU: 0 PID: 301 Comm: syz-executor155 Not tainted 6.1.78-syzkaller-00164-gac9706483e98 #0 [ 22.002678][ T301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 22.012577][ T301] RIP: 0010:copy_from_kernel_nofault+0x86/0x2d0 [ 22.018649][ T301] Code: 48 89 55 d0 0f 85 de 01 00 00 ff 02 bf 07 00 00 00 4c 89 ee e8 ab 39 d2 ff 49 83 fd 07 76 58 4d 89 fe 49 83 c7 08 49 83 c5 f8 <49> 8b 1c 24 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 [ 22.038092][ T301] RSP: 0018:ffffc90000fa74b0 EFLAGS: 00010257 [ 22.043991][ T301] RAX: 0000000000000000 RBX: 00007ffffffff000 RCX: ffff88810974a880 [ 22.051802][ T301] RDX: ffff88810974b420 RSI: 0000000000000008 RDI: 0000000000000007 [ 22.059616][ T301] RBP: ffffc90000fa74e8 R08: ffffffff81a33e95 R09: ffffed10212e9511 [ 22.067427][ T301] R10: 0000000000000000 R11: dffffc0000000001 R12: ffffffffff600000 [ 22.075237][ T301] R13: 0000000000000000 R14: ffffc90000fa7548 R15: ffffc90000fa7550 [ 22.083050][ T301] FS: 0000555555e3b380(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 22.091814][ T301] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.098236][ T301] CR2: ffffffffff600000 CR3: 00000001213eb000 CR4: 00000000003506b0 [ 22.106052][ T301] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.113869][ T301] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.121671][ T301] Call Trace: [ 22.124797][ T301] [ 22.127575][ T301] ? __die_body+0x62/0xb0 [ 22.131740][ T301] ? __die+0x7e/0x90 [ 22.135473][ T301] ? 0xffffffffff600000 [ 22.139465][ T301] ? page_fault_oops+0x7f9/0xa90 [ 22.144237][ T301] ? 0xffffffffff600000 [ 22.148231][ T301] ? kernelmode_fixup_or_oops+0x270/0x270 [ 22.153786][ T301] ? __ext4_get_inode_loc+0x64a/0xe40 [ 22.158992][ T301] ? __kasan_check_read+0x11/0x20 [ 22.163859][ T301] ? jbd2_journal_dirty_metadata+0x362/0xc60 [ 22.169669][ T301] ? 0xffffffffff600000 [ 22.173659][ T301] ? exc_page_fault+0x537/0x700 [ 22.178353][ T301] ? 0xffffffffff600000 [ 22.182341][ T301] ? asm_exc_page_fault+0x27/0x30 [ 22.187202][ T301] ? 0xffffffffff600000 [ 22.191195][ T301] ? copy_from_kernel_nofault+0x75/0x2d0 [ 22.196662][ T301] ? copy_from_kernel_nofault+0x86/0x2d0 [ 22.202129][ T301] ? 0xffffffffff600000 [ 22.206208][ T301] bpf_probe_read_compat+0x112/0x180 [ 22.211339][ T301] bpf_prog_baa065642a502c00+0x64/0x68 [ 22.216621][ T301] bpf_trace_run6+0x1ea/0x350 [ 22.221145][ T301] ? bpf_trace_run5+0x2f0/0x2f0 [ 22.225825][ T301] ? sb_end_intwrite+0x130/0x130 [ 22.230595][ T301] __bpf_trace_ext4_ext_remove_space_done+0x4c/0x60 [ 22.237019][ T301] ? __bpf_trace_ext4_ext_remove_space+0x40/0x40 [ 22.243181][ T301] __traceiter_ext4_ext_remove_space_done+0x94/0xf0 [ 22.249603][ T301] ext4_ext_remove_space+0x4d4e/0x4f50 [ 22.254896][ T301] ? __ext4_handle_dirty_metadata+0x2cd/0x830 [ 22.260805][ T301] ? ext4_ext_index_trans_blocks+0x120/0x120 [ 22.266615][ T301] ? ext4_es_remove_extent+0x297/0x460 [ 22.271909][ T301] ? ext4_es_lookup_extent+0x950/0x950 [ 22.277203][ T301] ext4_ext_truncate+0x1f4/0x320 [ 22.281975][ T301] ext4_truncate+0x96c/0xfb0 [ 22.286404][ T301] ? jbd2__journal_start+0x150/0x720 [ 22.291527][ T301] ? __ext4_mark_inode_dirty+0x7d0/0x7d0 [ 22.296991][ T301] ? __kasan_check_read+0x11/0x20 [ 22.301850][ T301] ? ext4_inode_is_fast_symlink+0x322/0x3d0 [ 22.307580][ T301] ? ext4_evict_inode+0xbc2/0x1550 [ 22.312526][ T301] ext4_evict_inode+0xd41/0x1550 [ 22.317301][ T301] ? _raw_spin_unlock+0x4c/0x70 [ 22.321987][ T301] ? ext4_inode_is_fast_symlink+0x3d0/0x3d0 [ 22.327723][ T301] ? _raw_spin_unlock+0x4c/0x70 [ 22.332402][ T301] ? inode_io_list_del+0x18b/0x1a0 [ 22.337350][ T301] ? ext4_inode_is_fast_symlink+0x3d0/0x3d0 [ 22.343080][ T301] evict+0x2a3/0x630 [ 22.346825][ T301] iput+0x642/0x870 [ 22.350458][ T301] vfs_rmdir+0x3c2/0x500 [ 22.354535][ T301] do_rmdir+0x3ab/0x630 [ 22.358528][ T301] ? d_delete_notify+0x160/0x160 [ 22.363310][ T301] ? getname_flags+0x1fd/0x520 [ 22.367987][ T301] __x64_sys_rmdir+0x49/0x50 [ 22.372420][ T301] do_syscall_64+0x3d/0xb0 [ 22.376668][ T301] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 22.382401][ T301] RIP: 0033:0x7f0cb6fb6eb7 [ 22.386647][ T301] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 22.406093][ T301] RSP: 002b:00007ffedf5d12b8 EFLAGS: 00000207 ORIG_RAX: 0000000000000054 [ 22.414421][ T301] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0cb6fb6eb7 [ 22.422240][ T301] RDX: fffffffffffff000 RSI: 0000000000000000 RDI: 00007ffedf5d23e0 [ 22.430041][ T301] RBP: 0000000000000065 R08: 0000555555e3c73b R09: 0000000000000000 [ 22.437859][ T301] R10: 0000000000000100 R11: 0000000000000207 R12: 00007ffedf5d23e0 [ 22.445666][ T301] R13: 0000555555e3c6c0 R14: 00007ffedf5d23e0 R15: 0000000000000002 [ 22.453482][ T301] [ 22.456514][ T301] Modules linked in: [ 22.460260][ T301] CR2: ffffffffff600000 [ 22.464247][ T301] ---[ end trace 0000000000000000 ]--- [ 22.464282][ T299] BUG: unable to handle page fault for address: ffffffffff600000 [ 22.469533][ T301] RIP: 0010:copy_from_kernel_nofault+0x86/0x2d0 [ 22.477084][ T299] #PF: supervisor read access in kernel mode [ 22.483159][ T301] Code: 48 89 55 d0 0f 85 de 01 00 00 ff 02 bf 07 00 00 00 4c 89 ee e8 ab 39 d2 ff 49 83 fd 07 76 58 4d 89 fe 49 83 c7 08 49 83 c5 f8 <49> 8b 1c 24 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 [ 22.488974][ T299] #PF: error_code(0x0000) - not-present page [ 22.508417][ T301] RSP: 0018:ffffc90000fa74b0 EFLAGS: 00010257 [ 22.514233][ T299] PGD 6e12067 P4D 6e12067 PUD 6e14067 PMD 6e16067 [ 22.520130][ T301] RAX: 0000000000000000 RBX: 00007ffffffff000 RCX: ffff88810974a880 [ 22.520144][ T301] RDX: ffff88810974b420 RSI: 0000000000000008 RDI: 0000000000000007 [ 22.526729][ T299] PTE 0 [ 22.534538][ T301] RBP: ffffc90000fa74e8 R08: ffffffff81a33e95 R09: ffffed10212e9511 [ 22.542352][ T299] Oops: 0000 [#2] PREEMPT SMP KASAN [ 22.544955][ T301] R10: 0000000000000000 R11: dffffc0000000001 R12: ffffffffff600000 [ 22.552766][ T299] CPU: 1 PID: 299 Comm: syz-executor155 Tainted: G D 6.1.78-syzkaller-00164-gac9706483e98 #0 [ 22.557800][ T301] R13: 0000000000000000 R14: ffffc90000fa7548 R15: ffffc90000fa7550 [ 22.565610][ T299] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 22.576980][ T301] FS: 0000555555e3b380(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 22.584793][ T299] RIP: 0010:copy_from_kernel_nofault+0x86/0x2d0 [ 22.594687][ T301] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.603453][ T299] Code: 48 89 55 d0 0f 85 de 01 00 00 ff 02 bf 07 00 00 00 4c 89 ee e8 ab 39 d2 ff 49 83 fd 07 76 58 4d 89 fe 49 83 c7 08 49 83 c5 f8 <49> 8b 1c 24 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 [ 22.609526][ T301] CR2: ffffffffff600000 CR3: 00000001213eb000 CR4: 00000000003506b0 [ 22.615951][ T299] RSP: 0018:ffffc90000f874b0 EFLAGS: 00010257 [ 22.635395][ T301] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.643202][ T299] [ 22.643207][ T299] RAX: 0000000000000000 RBX: 00007ffffffff000 RCX: ffff888109748000 [ 22.649105][ T301] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.656915][ T299] RDX: ffff888109748ba0 RSI: 0000000000000008 RDI: 0000000000000007 [ 22.659086][ T301] Kernel panic - not syncing: Fatal exception [ 22.666899][ T299] RBP: ffffc90000f874e8 R08: ffffffff81a33e95 R09: ffffed10212e9001 [ 22.666912][ T299] R10: 0000000000000000 R11: dffffc0000000001 R12: ffffffffff600000 [ 22.666922][ T299] R13: 0000000000000000 R14: ffffc90000f87548 R15: ffffc90000f87550 [ 22.666934][ T299] FS: 0000555555e3b380(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 22.666948][ T299] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.666960][ T299] CR2: ffffffffff600000 CR3: 0000000121c42000 CR4: 00000000003506a0 [ 22.666973][ T299] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.666983][ T299] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.666992][ T299] Call Trace: [ 22.666997][ T299] [ 22.667005][ T299] ? __die_body+0x62/0xb0 [ 22.667036][ T299] ? __die+0x7e/0x90 [ 22.667050][ T299] ? 0xffffffffff600000 [ 22.667061][ T299] ? page_fault_oops+0x7f9/0xa90 [ 22.667081][ T299] ? 0xffffffffff600000 [ 22.667092][ T299] ? kernelmode_fixup_or_oops+0x270/0x270 [ 22.667112][ T299] ? __ext4_get_inode_loc+0x64a/0xe40 [ 22.667133][ T299] ? __kasan_check_read+0x11/0x20 [ 22.667147][ T299] ? jbd2_journal_dirty_metadata+0x362/0xc60 [ 22.667166][ T299] ? 0xffffffffff600000 [ 22.667176][ T299] ? exc_page_fault+0x537/0x700 [ 22.667193][ T299] ? 0xffffffffff600000 [ 22.667204][ T299] ? asm_exc_page_fault+0x27/0x30 [ 22.667220][ T299] ? 0xffffffffff600000 [ 22.667230][ T299] ? copy_from_kernel_nofault+0x75/0x2d0 [ 22.667252][ T299] ? copy_from_kernel_nofault+0x86/0x2d0 [ 22.667274][ T299] ? 0xffffffffff600000 [ 22.667284][ T299] bpf_probe_read_compat+0x112/0x180 [ 22.667307][ T299] bpf_prog_baa065642a502c00+0x64/0x68 [ 22.667323][ T299] bpf_trace_run6+0x1ea/0x350 [ 22.667337][ T299] ? bpf_trace_run5+0x2f0/0x2f0 [ 22.667352][ T299] ? sb_end_intwrite+0x130/0x130 [ 22.667370][ T299] __bpf_trace_ext4_ext_remove_space_done+0x4c/0x60 [ 22.667393][ T299] ? __bpf_trace_ext4_ext_remove_space+0x40/0x40 [ 22.667414][ T299] __traceiter_ext4_ext_remove_space_done+0x94/0xf0 [ 22.667438][ T299] ext4_ext_remove_space+0x4d4e/0x4f50 [ 22.667458][ T299] ? __ext4_handle_dirty_metadata+0x2cd/0x830 [ 22.667486][ T299] ? ext4_ext_index_trans_blocks+0x120/0x120 [ 22.667506][ T299] ? ext4_es_remove_extent+0x297/0x460 [ 22.667527][ T299] ? ext4_es_lookup_extent+0x950/0x950 [ 22.667549][ T299] ext4_ext_truncate+0x1f4/0x320 [ 22.667569][ T299] ext4_truncate+0x96c/0xfb0 [ 22.667584][ T299] ? jbd2__journal_start+0x150/0x720 [ 22.667602][ T299] ? __ext4_mark_inode_dirty+0x7d0/0x7d0 [ 22.667620][ T299] ? __kasan_check_read+0x11/0x20 [ 22.667633][ T299] ? ext4_inode_is_fast_symlink+0x322/0x3d0 [ 22.667650][ T299] ? ext4_evict_inode+0xbc2/0x1550 [ 22.667666][ T299] ext4_evict_inode+0xd41/0x1550 [ 22.667682][ T299] ? _raw_spin_unlock+0x4c/0x70 [ 22.667704][ T299] ? ext4_inode_is_fast_symlink+0x3d0/0x3d0 [ 22.667722][ T299] ? _raw_spin_unlock+0x4c/0x70 [ 22.667741][ T299] ? inode_io_list_del+0x18b/0x1a0 [ 22.667758][ T299] ? ext4_inode_is_fast_symlink+0x3d0/0x3d0 [ 22.667775][ T299] evict+0x2a3/0x630 [ 22.667794][ T299] iput+0x642/0x870 [ 22.667811][ T299] vfs_rmdir+0x3c2/0x500 [ 22.667827][ T299] do_rmdir+0x3ab/0x630 [ 22.667843][ T299] ? d_delete_notify+0x160/0x160 [ 22.667860][ T299] ? getname_flags+0x1fd/0x520 [ 22.667881][ T299] __x64_sys_rmdir+0x49/0x50 [ 22.667896][ T299] do_syscall_64+0x3d/0xb0 [ 22.667911][ T299] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 22.667926][ T299] RIP: 0033:0x7f0cb6fb6eb7 [ 22.667939][ T299] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 22.667950][ T299] RSP: 002b:00007ffedf5d12b8 EFLAGS: 00000207 ORIG_RAX: 0000000000000054 [ 22.667967][ T299] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0cb6fb6eb7 [ 22.667977][ T299] RDX: fffffffffffff000 RSI: 0000000000000000 RDI: 00007ffedf5d23e0 [ 22.667988][ T299] RBP: 0000000000000065 R08: 0000555555e3c73b R09: 0000000000000000 [ 22.667998][ T299] R10: 0000000000000100 R11: 0000000000000207 R12: 00007ffedf5d23e0 [ 22.668008][ T299] R13: 0000555555e3c6c0 R14: 00007ffedf5d23e0 R15: 0000000000000001 [ 22.668022][ T299] [ 22.668030][ T299] Modules linked in: [ 22.668039][ T299] CR2: ffffffffff600000 [ 22.675800][ T299] ---[ end trace 0000000000000000 ]--- [ 22.675807][ T299] RIP: 0010:copy_from_kernel_nofault+0x86/0x2d0 [ 22.675831][ T299] Code: 48 89 55 d0 0f 85 de 01 00 00 ff 02 bf 07 00 00 00 4c 89 ee e8 ab 39 d2 ff 49 83 fd 07 76 58 4d 89 fe 49 83 c7 08 49 83 c5 f8 <49> 8b 1c 24 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 [ 22.675842][ T299] RSP: 0018:ffffc90000fa74b0 EFLAGS: 00010257 [ 22.675855][ T299] RAX: 0000000000000000 RBX: 00007ffffffff000 RCX: ffff88810974a880 [ 22.675866][ T299] RDX: ffff88810974b420 RSI: 0000000000000008 RDI: 0000000000000007 [ 22.675876][ T299] RBP: ffffc90000fa74e8 R08: ffffffff81a33e95 R09: ffffed10212e9511 [ 22.675888][ T299] R10: 0000000000000000 R11: dffffc0000000001 R12: ffffffffff600000 [ 22.675898][ T299] R13: 0000000000000000 R14: ffffc90000fa7548 R15: ffffc90000fa7550 [ 22.675909][ T299] FS: 0000555555e3b380(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 22.675923][ T299] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.675935][ T299] CR2: ffffffffff600000 CR3: 0000000121c42000 CR4: 00000000003506a0 [ 22.675948][ T299] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.675957][ T299] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 23.763158][ T301] Shutting down cpus with NMI [ 24.300384][ T301] Kernel Offset: disabled [ 24.304504][ T301] Rebooting in 86400 seconds..