./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1816644411 <...> Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts. execve("./syz-executor1816644411", ["./syz-executor1816644411"], 0x7ffd052910b0 /* 10 vars */) = 0 brk(NULL) = 0x555555619000 brk(0x555555619c40) = 0x555555619c40 arch_prctl(ARCH_SET_FS, 0x555555619300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x5555556195d0) = 4998 set_robust_list(0x5555556195e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f4187a34860, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f4187a34f30}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f4187a34900, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f4187a34f30}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1816644411", 4096) = 28 brk(0x55555563ac40) = 0x55555563ac40 brk(0x55555563b000) = 0x55555563b000 mprotect(0x7f4187af7000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 4998 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 write(3, "10000000000", 11) = 11 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 write(3, "20", 2) = 2 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 write(3, "100", 3) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 write(3, "7 4 1 3", 7) = 7 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 write(3, "4998", 4) = 4 close(3) = 0 getpid() = 4998 mkdir("./syzkaller.nyp5N9", 0700) = 0 chmod("./syzkaller.nyp5N9", 0777) = 0 chdir("./syzkaller.nyp5N9") = 0 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 4999 attached , child_tidptr=0x5555556195d0) = 4999 [pid 4999] set_robust_list(0x5555556195e0, 24) = 0 [pid 4999] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 4999] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 4999] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4 [pid 4999] dup2(4, 202) = 202 [pid 4999] close(4) = 0 [pid 4999] write(202, "\xff\x00", 2) = 2 [pid 4999] read(202, "\xff\x00\x00\x00", 4) = 4 [pid 4999] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f4187223000 [pid 4999] mprotect(0x7f4187224000, 8388608, PROT_READ|PROT_WRITE) = 0 [pid 4999] clone(child_stack=0x7f4187a233f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2], tls=0x7f4187a23700, child_tidptr=0x7f4187a239d0) = 2 [pid 4999] ioctl(3, HCIDEVUP./strace-static-x86_64: Process 5002 attached [pid 5002] set_robust_list(0x7f4187a239e0, 24) = 0 [pid 5002] read(202, "\x01\x03\x0c\x00", 1024) = 4 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5002] read(202, "\x01\x03\x10\x00", 1024) = 4 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5002] read(202, "\x01\x01\x10\x00", 1024) = 4 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5002] read(202, "\x01\x09\x10\x00", 1024) = 4 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13 [pid 5002] read(202, "\x01\x05\x10\x00", 1024) = 4 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14 [pid 5002] read(202, "\x01\x23\x0c\x00", 1024) = 4 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5002] read(202, "\x01\x14\x0c\x00", 1024) = 4 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5002] read(202, "\x01\x25\x0c\x00", 1024) = 4 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5002] read(202, "\x01\x38\x0c\x00", 1024) = 4 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5002] read(202, "\x01\x39\x0c\x00", 1024) = 4 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5002] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5002] read(202, [pid 4999] <... ioctl resumed>, 0) = -1 EALREADY (Operation already in progress) [pid 4999] ioctl(3, HCISETSCAN [pid 5002] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5 [pid 5002] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7 [pid 4999] <... ioctl resumed>, 0x7ffdb43c09e0) = 0 [pid 5002] madvise(0x7f4187223000, 8372224, MADV_DONTNEED [pid 4999] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3 [pid 5002] <... madvise resumed>) = 0 [pid 4999] <... writev resumed>) = 13 [pid 4999] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3) = 14 [pid 4999] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14 [pid 4999] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22 [pid 4999] futex(0x7f4187a239d0, FUTEX_WAIT, 2, NULL [pid 5002] exit(0) = ? [pid 4999] <... futex resumed>) = 0 [pid 4999] close(3) = 0 [pid 4999] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4999] setsid() = 1 [pid 4999] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 4999] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 4999] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 4999] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 4999] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 4999] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 4999] unshare(CLONE_NEWNS) = 0 [pid 4999] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 4999] unshare(CLONE_NEWIPC) = 0 [pid 4999] unshare(CLONE_NEWCGROUP) = 0 [pid 4999] unshare(CLONE_NEWUTS) = 0 [pid 4999] unshare(CLONE_SYSVSEM) = 0 [pid 4999] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 4999] write(3, "16777216", 8) = 8 [pid 4999] close(3) = 0 [pid 4999] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 4999] write(3, "536870912", 9) = 9 [pid 4999] close(3) = 0 [pid 4999] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 4999] write(3, "1024", 4) = 4 [pid 4999] close(3) = 0 [pid 4999] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 4999] write(3, "8192", 4) = 4 [pid 4999] close(3 [pid 5002] +++ exited with 0 +++ [pid 4999] <... close resumed>) = 0 [pid 4999] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 4999] write(3, "1024", 4) = 4 [pid 4999] close(3) = 0 [pid 4999] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 4999] write(3, "1024", 4) = 4 [pid 4999] close(3) = 0 [pid 4999] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 4999] write(3, "1024 1048576 500 1024", 21) = 21 [pid 4999] close(3) = 0 [pid 4999] getpid() = 1 [pid 4999] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< 1 [ 45.251077][ T5000] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 45.258975][ T5000] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 45.268238][ T5000] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 45.276195][ T5000] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 45.283736][ T5000] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [pid 4999] unshare(CLONE_NEWNET) = 0 [pid 4999] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3 [pid 4999] write(3, "0 65535", 7) = 7 [pid 4999] close(3) = 0 [pid 4999] mkdir("/dev/binderfs", 0777) = 0 [pid 4999] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0 [pid 4999] memfd_create("syzkaller", 0) = 3 [pid 4999] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f417ee23000 [pid 4999] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 4999] munmap(0x7f417ee23000, 4194304) = 0 [pid 4999] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4999] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4999] close(3) = 0 [pid 4999] mkdir("./file0", 0777) = 0 [ 45.329881][ T4999] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4999 'syz-executor181' [ 45.361898][ T4999] loop0: detected capacity change from 0 to 8192 [ 45.371970][ T4999] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 45.385083][ T4999] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 45.394354][ T4999] REISERFS (device loop0): using ordered data mode [ 45.400876][ T4999] reiserfs: using flush barriers [ 45.406678][ T4999] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 45.423273][ T4999] REISERFS (device loop0): checking transaction log (loop0) [pid 4999] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0 [pid 4999] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4999] chdir("./file0") = 0 [pid 4999] ioctl(4, LOOP_CLR_FD) = 0 [pid 4999] close(4) = 0 [pid 4999] open(".", O_RDONLY) = 4 [ 45.455217][ T4999] REISERFS (device loop0): Using r5 hash to sort names [ 45.465244][ T4999] ================================================================== [ 45.473318][ T4999] BUG: KASAN: use-after-free in reiserfs_readdir_inode+0xb0d/0x13b0 [ 45.481324][ T4999] Read of size 8 at addr ffff888073653000 by task syz-executor181/4999 [ 45.489557][ T4999] [ 45.491872][ T4999] CPU: 1 PID: 4999 Comm: syz-executor181 Not tainted 6.4.0-rc4-syzkaller-00371-g6f64a5ebe1dc #0 [ 45.502276][ T4999] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 [ 45.512400][ T4999] Call Trace: [ 45.515655][ T4999] [ 45.518565][ T4999] dump_stack_lvl+0xd9/0x150 [ 45.523148][ T4999] print_address_description.constprop.0+0x2c/0x3c0 [ 45.529717][ T4999] ? reiserfs_readdir_inode+0xb0d/0x13b0 [ 45.535327][ T4999] kasan_report+0x11c/0x130 [ 45.539813][ T4999] ? reiserfs_readdir_inode+0xb0d/0x13b0 [ 45.545422][ T4999] kasan_check_range+0x141/0x190 [ 45.550337][ T4999] reiserfs_readdir_inode+0xb0d/0x13b0 [ 45.555772][ T4999] ? reiserfs_dir_fsync+0x140/0x140 [ 45.561124][ T4999] ? lock_sync+0x190/0x190 [ 45.565520][ T4999] ? aa_path_link+0x2f0/0x2f0 [ 45.570203][ T4999] ? down_read_killable+0x14a/0x4f0 [ 45.575391][ T4999] ? down_read+0x480/0x480 [ 45.579878][ T4999] ? fsnotify_perm.part.0+0x221/0x610 [ 45.585227][ T4999] ? apparmor_file_permission+0x272/0x4e0 [ 45.590929][ T4999] iterate_dir+0x56e/0x6f0 [ 45.595332][ T4999] __x64_sys_getdents64+0x13e/0x2c0 [ 45.600508][ T4999] ? __ia32_sys_getdents+0x2c0/0x2c0 [ 45.605773][ T4999] ? compat_fillonedir+0x470/0x470 [ 45.610871][ T4999] ? lockdep_hardirqs_on+0x7d/0x100 [ 45.616046][ T4999] ? _raw_spin_unlock_irq+0x2e/0x50 [ 45.621224][ T4999] ? ptrace_notify+0xfe/0x140 [ 45.625887][ T4999] do_syscall_64+0x39/0xb0 [ 45.630295][ T4999] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 45.636168][ T4999] RIP: 0033:0x7f4187a7ecd9 [ 45.640559][ T4999] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 45.660150][ T4999] RSP: 002b:00007ffdb43c09b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 45.668624][ T4999] RAX: ffffffffffffffda RBX: 00007f4187af7e90 RCX: 00007f4187a7ecd9 [ 45.676569][ T4999] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 45.684519][ T4999] RBP: 00007f4187af7e90 R08: 0000000000000000 R09: 0000000000000000 [ 45.692475][ T4999] R10: 0000000000001131 R11: 0000000000000246 R12: 00007ffdb43c09e8 [ 45.700427][ T4999] R13: 00007ffdb43c0a20 R14: 0000000000000000 R15: 00007ffdb43c0a00 [ 45.708385][ T4999] [ 45.711378][ T4999] [ 45.713673][ T4999] The buggy address belongs to the physical page: [ 45.720054][ T4999] page:ffffea0001cd94c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73653 [ 45.730177][ T4999] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 45.737258][ T4999] page_type: 0xffffffff() [ 45.741561][ T4999] raw: 00fff00000000000 ffffea0001c8a088 ffff8880b9943660 0000000000000000 [ 45.750118][ T4999] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 45.758672][ T4999] page dumped because: kasan: bad access detected [ 45.765071][ T4999] page_owner tracks the page as freed [ 45.770415][ T4999] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 4990, tgid 4990 (sshd), ts 39715746599, free_ts 39737011646 [ 45.788359][ T4999] post_alloc_hook+0x2db/0x350 [ 45.793106][ T4999] get_page_from_freelist+0xf41/0x2c00 [ 45.798547][ T4999] __alloc_pages+0x1cb/0x4a0 [ 45.803114][ T4999] __folio_alloc+0x16/0x40 [ 45.807507][ T4999] vma_alloc_folio+0x155/0x890 [ 45.812269][ T4999] __handle_mm_fault+0x224c/0x41c0 [ 45.817441][ T4999] handle_mm_fault+0x2af/0x9f0 [ 45.822256][ T4999] do_user_addr_fault+0x2ca/0x1210 [ 45.827365][ T4999] exc_page_fault+0x98/0x170 [ 45.831930][ T4999] asm_exc_page_fault+0x26/0x30 [ 45.836758][ T4999] page last free stack trace: [ 45.841402][ T4999] free_unref_page_prepare+0x62e/0xcb0 [ 45.846847][ T4999] free_unref_page_list+0xe3/0xa70 [ 45.852038][ T4999] release_pages+0xcd8/0x1380 [ 45.856798][ T4999] tlb_batch_pages_flush+0xa8/0x1a0 [ 45.861990][ T4999] tlb_finish_mmu+0x14b/0x7e0 [ 45.866644][ T4999] unmap_region+0x23d/0x2d0 [ 45.871215][ T4999] do_vmi_align_munmap+0xe26/0x1580 [ 45.876555][ T4999] do_vmi_munmap+0x26e/0x2c0 [ 45.881138][ T4999] __vm_munmap+0x133/0x3b0 [ 45.885532][ T4999] __x64_sys_munmap+0x62/0x80 [ 45.890272][ T4999] do_syscall_64+0x39/0xb0 [ 45.894671][ T4999] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 45.900545][ T4999] [ 45.902846][ T4999] Memory state around the buggy address: [ 45.908450][ T4999] ffff888073652f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 45.916509][ T4999] ffff888073652f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 45.924557][ T4999] >ffff888073653000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.932593][ T4999] ^ [ 45.936681][ T4999] ffff888073653080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.944717][ T4999] ffff888073653100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.952750][ T4999] ================================================================== [ 45.961045][ T4999] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 45.968236][ T4999] CPU: 1 PID: 4999 Comm: syz-executor181 Not tainted 6.4.0-rc4-syzkaller-00371-g6f64a5ebe1dc #0 [ 45.978630][ T4999] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 [ 45.988670][ T4999] Call Trace: [ 45.991933][ T4999] [ 45.994849][ T4999] dump_stack_lvl+0xd9/0x150 [ 45.999428][ T4999] panic+0x686/0x730 [ 46.003313][ T4999] ? panic_smp_self_stop+0xa0/0xa0 [ 46.008416][ T4999] ? preempt_schedule_thunk+0x1a/0x20 [ 46.013783][ T4999] ? preempt_schedule_common+0x45/0xb0 [ 46.019230][ T4999] check_panic_on_warn+0xb1/0xc0 [ 46.024156][ T4999] end_report+0xe9/0x120 [ 46.028479][ T4999] ? reiserfs_readdir_inode+0xb0d/0x13b0 [ 46.034096][ T4999] kasan_report+0xf9/0x130 [ 46.038504][ T4999] ? reiserfs_readdir_inode+0xb0d/0x13b0 [ 46.044124][ T4999] kasan_check_range+0x141/0x190 [ 46.049054][ T4999] reiserfs_readdir_inode+0xb0d/0x13b0 [ 46.054587][ T4999] ? reiserfs_dir_fsync+0x140/0x140 [ 46.059771][ T4999] ? lock_sync+0x190/0x190 [ 46.064173][ T4999] ? aa_path_link+0x2f0/0x2f0 [ 46.068846][ T4999] ? down_read_killable+0x14a/0x4f0 [ 46.074031][ T4999] ? down_read+0x480/0x480 [ 46.078517][ T4999] ? fsnotify_perm.part.0+0x221/0x610 [ 46.083870][ T4999] ? apparmor_file_permission+0x272/0x4e0 [ 46.089577][ T4999] iterate_dir+0x56e/0x6f0 [ 46.093980][ T4999] __x64_sys_getdents64+0x13e/0x2c0 [ 46.099165][ T4999] ? __ia32_sys_getdents+0x2c0/0x2c0 [ 46.104442][ T4999] ? compat_fillonedir+0x470/0x470 [ 46.109627][ T4999] ? lockdep_hardirqs_on+0x7d/0x100 [ 46.114811][ T4999] ? _raw_spin_unlock_irq+0x2e/0x50 [ 46.119994][ T4999] ? ptrace_notify+0xfe/0x140 [ 46.124656][ T4999] do_syscall_64+0x39/0xb0 [ 46.129060][ T4999] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 46.134940][ T4999] RIP: 0033:0x7f4187a7ecd9 [ 46.139336][ T4999] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 46.159025][ T4999] RSP: 002b:00007ffdb43c09b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 46.167426][ T4999] RAX: ffffffffffffffda RBX: 00007f4187af7e90 RCX: 00007f4187a7ecd9 [ 46.175379][ T4999] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 46.183336][ T4999] RBP: 00007f4187af7e90 R08: 0000000000000000 R09: 0000000000000000 [ 46.191299][ T4999] R10: 0000000000001131 R11: 0000000000000246 R12: 00007ffdb43c09e8 [ 46.199275][ T4999] R13: 00007ffdb43c0a20 R14: 0000000000000000 R15: 00007ffdb43c0a00 [ 46.207237][ T4999] [ 46.211140][ T4999] Kernel Offset: disabled [ 46.215451][ T4999] Rebooting in 86400 seconds..