./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3033533855
<...>
DUID 00:04:b0:cd:33:f9:4f:8a:55:45:4d:7b:3b:ee:3a:71:f0:8b
forked to background, child pid 4645
[ 42.597037][ T4646] 8021q: adding VLAN 0 to HW filter on device bond0
[ 42.630253][ T4646] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.131' (ECDSA) to the list of known hosts.
execve("./syz-executor3033533855", ["./syz-executor3033533855"], 0x7ffd4abfdcc0 /* 10 vars */) = 0
brk(NULL) = 0x5555568b2000
brk(0x5555568b2c40) = 0x5555568b2c40
arch_prctl(ARCH_SET_FS, 0x5555568b2300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3033533855", 4096) = 28
brk(0x5555568d3c40) = 0x5555568d3c40
brk(0x5555568d4000) = 0x5555568d4000
mprotect(0x7fe1f8a25000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid() = 5070
mkdir("./syzkaller.m3pKKA", 0700) = 0
chmod("./syzkaller.m3pKKA", 0777) = 0
chdir("./syzkaller.m3pKKA") = 0
mkdir("./0", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555568b25d0) = 5071
./strace-static-x86_64: Process 5071 attached
[pid 5071] chdir("./0") = 0
[pid 5071] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5071] setpgid(0, 0) = 0
[pid 5071] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5071] write(3, "1000", 4) = 4
[pid 5071] close(3) = 0
[pid 5071] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5071] memfd_create("syzkaller", 0) = 3
[pid 5071] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe1f0569000
[pid 5071] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576
[pid 5071] munmap(0x7fe1f0569000, 1048576) = 0
[pid 5071] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5071] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5071] close(3) = 0
[pid 5071] mkdir("./file0", 0777) = 0
[pid 5071] mount("/dev/loop0", "./file0", "udf", MS_NOSUID|MS_SYNCHRONOUS|MS_DIRSYNC|MS_REC|MS_SILENT|MS_POSIXACL|MS_LAZYTIME, "fileset=00000000000000001024,gid=forget,longad,") = 0
[pid 5071] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5071] chdir("./file0") = 0
[pid 5071] ioctl(4, LOOP_CLR_FD) = 0
[pid 5071] close(4) = 0
syzkaller login: [ 65.647720][ T5071] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5071 'syz-executor303'
[ 65.685240][ T5071] loop0: detected capacity change from 0 to 2048
[pid 5071] open("./bus", O_ACCMODE|O_CREAT|O_TRUNC|O_NONBLOCK|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|O_DIRECTORY, 000) = -1 ENOTDIR (Not a directory)
[pid 5071] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0
[pid 5071] openat(AT_FDCWD, "./bus", O_RDONLY) = 4
[pid 5071] openat(AT_FDCWD, "./bus", O_RDWR|O_SYNC|O_NOATIME|O_CLOEXEC) = 5
[pid 5071] write(5, "\x68\x74\x63\x70\x00", 5) = 5
[pid 5071] sendfile(5, 4, NULL, 131071) = 131071
[pid 5071] exit_group(0) = ?
[pid 5071] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5071, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} ---
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x5555568b3620 /* 4 entries */, 32768) = 112
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./0/binderfs") = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x5555568bb660 /* 2 entries */, 32768) = 48
getdents64(4, 0x5555568bb660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./0/file0") = 0
getdents64(3, 0x5555568b3620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./0") = 0
mkdir("./1", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555568b25d0) = 5073
./strace-static-x86_64: Process 5073 attached
[pid 5073] chdir("./1") = 0
[pid 5073] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5073] setpgid(0, 0) = 0
[pid 5073] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5073] write(3, "1000", 4) = 4
[pid 5073] close(3) = 0
[pid 5073] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5073] memfd_create("syzkaller", 0) = 3
[pid 5073] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe1f0569000
[pid 5073] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576
[pid 5073] munmap(0x7fe1f0569000, 1048576) = 0
[pid 5073] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5073] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5073] close(3) = 0
[pid 5073] mkdir("./file0", 0777) = 0
[pid 5073] mount("/dev/loop0", "./file0", "udf", MS_NOSUID|MS_SYNCHRONOUS|MS_DIRSYNC|MS_REC|MS_SILENT|MS_POSIXACL|MS_LAZYTIME, "fileset=00000000000000001024,gid=forget,longad,") = 0
[pid 5073] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5073] chdir("./file0") = 0
[pid 5073] ioctl(4, LOOP_CLR_FD) = 0
[pid 5073] close(4) = 0
[pid 5073] open("./bus", O_ACCMODE|O_CREAT|O_TRUNC|O_NONBLOCK|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|O_DIRECTORY, 000) = -1 ENOTDIR (Not a directory)
[pid 5073] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0
[pid 5073] openat(AT_FDCWD, "./bus", O_RDONLY) = 4
[pid 5073] openat(AT_FDCWD, "./bus", O_RDWR|O_SYNC|O_NOATIME|O_CLOEXEC) = 5
[pid 5073] write(5, "\x68\x74\x63\x70\x00", 5) = 5
[pid 5073] sendfile(5, 4, NULL, 131071) = 131071
[pid 5073] exit_group(0) = ?
[pid 5073] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5073, si_uid=0, si_status=0, si_utime=0, si_stime=4 /* 0.04 s */} ---
[ 65.879784][ T5073] loop0: detected capacity change from 0 to 2048
umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x5555568b3620 /* 4 entries */, 32768) = 112
umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./1/binderfs") = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x5555568bb660 /* 2 entries */, 32768) = 48
getdents64(4, 0x5555568bb660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./1/file0") = 0
getdents64(3, 0x5555568b3620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./1") = 0
mkdir("./2", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555568b25d0) = 5074
./strace-static-x86_64: Process 5074 attached
[pid 5074] chdir("./2") = 0
[pid 5074] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5074] setpgid(0, 0) = 0
[pid 5074] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5074] write(3, "1000", 4) = 4
[pid 5074] close(3) = 0
[pid 5074] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5074] memfd_create("syzkaller", 0) = 3
[pid 5074] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe1f0569000
[pid 5074] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576
[pid 5074] munmap(0x7fe1f0569000, 1048576) = 0
[pid 5074] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5074] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5074] close(3) = 0
[pid 5074] mkdir("./file0", 0777) = 0
[pid 5074] mount("/dev/loop0", "./file0", "udf", MS_NOSUID|MS_SYNCHRONOUS|MS_DIRSYNC|MS_REC|MS_SILENT|MS_POSIXACL|MS_LAZYTIME, "fileset=00000000000000001024,gid=forget,longad,") = 0
[pid 5074] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5074] chdir("./file0") = 0
[pid 5074] ioctl(4, LOOP_CLR_FD) = 0
[pid 5074] close(4) = 0
[pid 5074] open("./bus", O_ACCMODE|O_CREAT|O_TRUNC|O_NONBLOCK|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|O_DIRECTORY, 000) = -1 ENOTDIR (Not a directory)
[pid 5074] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0
[pid 5074] openat(AT_FDCWD, "./bus", O_RDONLY) = 4
[pid 5074] openat(AT_FDCWD, "./bus", O_RDWR|O_SYNC|O_NOATIME|O_CLOEXEC) = 5
[pid 5074] write(5, "\x68\x74\x63\x70\x00", 5) = 5
[ 66.013436][ T5074] loop0: detected capacity change from 0 to 2048
[pid 5074] sendfile(5, 4, NULL, 131071) = 131071
[pid 5074] exit_group(0) = ?
[pid 5074] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5074, si_uid=0, si_status=0, si_utime=0, si_stime=5 /* 0.05 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x5555568b3620 /* 4 entries */, 32768) = 112
umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./2/binderfs") = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x5555568bb660 /* 2 entries */, 32768) = 48
getdents64(4, 0x5555568bb660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./2/file0") = 0
getdents64(3, 0x5555568b3620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./2") = 0
mkdir("./3", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555568b25d0) = 5075
./strace-static-x86_64: Process 5075 attached
[pid 5075] chdir("./3") = 0
[pid 5075] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5075] setpgid(0, 0) = 0
[pid 5075] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5075] write(3, "1000", 4) = 4
[pid 5075] close(3) = 0
[pid 5075] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5075] memfd_create("syzkaller", 0) = 3
[pid 5075] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe1f0569000
[pid 5075] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576
[pid 5075] munmap(0x7fe1f0569000, 1048576) = 0
[pid 5075] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5075] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5075] close(3) = 0
[pid 5075] mkdir("./file0", 0777) = 0
[pid 5075] mount("/dev/loop0", "./file0", "udf", MS_NOSUID|MS_SYNCHRONOUS|MS_DIRSYNC|MS_REC|MS_SILENT|MS_POSIXACL|MS_LAZYTIME, "fileset=00000000000000001024,gid=forget,longad,") = 0
[pid 5075] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5075] chdir("./file0") = 0
[pid 5075] ioctl(4, LOOP_CLR_FD) = 0
[pid 5075] close(4) = 0
[pid 5075] open("./bus", O_ACCMODE|O_CREAT|O_TRUNC|O_NONBLOCK|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|O_DIRECTORY, 000) = -1 ENOTDIR (Not a directory)
[pid 5075] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0
[pid 5075] openat(AT_FDCWD, "./bus", O_RDONLY) = 4
[pid 5075] openat(AT_FDCWD, "./bus", O_RDWR|O_SYNC|O_NOATIME|O_CLOEXEC) = 5
[pid 5075] write(5, "\x68\x74\x63\x70\x00", 5) = 5
[ 66.176628][ T5075] loop0: detected capacity change from 0 to 2048
[pid 5075] sendfile(5, 4, NULL, 131071) = 131071
[pid 5075] exit_group(0) = ?
[pid 5075] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5075, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} ---
umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x5555568b3620 /* 4 entries */, 32768) = 112
umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./3/binderfs") = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x5555568bb660 /* 2 entries */, 32768) = 48
getdents64(4, 0x5555568bb660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./3/file0") = 0
getdents64(3, 0x5555568b3620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./3") = 0
mkdir("./4", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555568b25d0) = 5076
./strace-static-x86_64: Process 5076 attached
[pid 5076] chdir("./4") = 0
[pid 5076] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5076] setpgid(0, 0) = 0
[pid 5076] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5076] write(3, "1000", 4) = 4
[pid 5076] close(3) = 0
[pid 5076] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5076] memfd_create("syzkaller", 0) = 3
[pid 5076] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe1f0569000
[pid 5076] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576
[pid 5076] munmap(0x7fe1f0569000, 1048576) = 0
[pid 5076] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5076] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5076] close(3) = 0
[pid 5076] mkdir("./file0", 0777) = 0
[pid 5076] mount("/dev/loop0", "./file0", "udf", MS_NOSUID|MS_SYNCHRONOUS|MS_DIRSYNC|MS_REC|MS_SILENT|MS_POSIXACL|MS_LAZYTIME, "fileset=00000000000000001024,gid=forget,longad,") = 0
[pid 5076] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5076] chdir("./file0") = 0
[pid 5076] ioctl(4, LOOP_CLR_FD) = 0
[pid 5076] close(4) = 0
[pid 5076] open("./bus", O_ACCMODE|O_CREAT|O_TRUNC|O_NONBLOCK|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|O_DIRECTORY, 000) = -1 ENOTDIR (Not a directory)
[pid 5076] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0
[pid 5076] openat(AT_FDCWD, "./bus", O_RDONLY) = 4
[pid 5076] openat(AT_FDCWD, "./bus", O_RDWR|O_SYNC|O_NOATIME|O_CLOEXEC) = 5
[pid 5076] write(5, "\x68\x74\x63\x70\x00", 5) = 5
[ 66.331935][ T5076] loop0: detected capacity change from 0 to 2048
[pid 5076] sendfile(5, 4, NULL, 131071) = 131071
[pid 5076] exit_group(0) = ?
[pid 5076] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5076, si_uid=0, si_status=0, si_utime=0, si_stime=3 /* 0.03 s */} ---
umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x5555568b3620 /* 4 entries */, 32768) = 112
umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./4/binderfs") = 0
umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./4/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./4/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x5555568bb660 /* 2 entries */, 32768) = 48
getdents64(4, 0x5555568bb660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./4/file0") = 0
getdents64(3, 0x5555568b3620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./4") = 0
mkdir("./5", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555568b25d0) = 5077
./strace-static-x86_64: Process 5077 attached
[pid 5077] chdir("./5") = 0
[pid 5077] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5077] setpgid(0, 0) = 0
[pid 5077] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5077] write(3, "1000", 4) = 4
[pid 5077] close(3) = 0
[pid 5077] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5077] memfd_create("syzkaller", 0) = 3
[pid 5077] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe1f0569000
[pid 5077] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576
[pid 5077] munmap(0x7fe1f0569000, 1048576) = 0
[pid 5077] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5077] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5077] close(3) = 0
[pid 5077] mkdir("./file0", 0777) = 0
[pid 5077] mount("/dev/loop0", "./file0", "udf", MS_NOSUID|MS_SYNCHRONOUS|MS_DIRSYNC|MS_REC|MS_SILENT|MS_POSIXACL|MS_LAZYTIME, "fileset=00000000000000001024,gid=forget,longad,") = 0
[pid 5077] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5077] chdir("./file0") = 0
[pid 5077] ioctl(4, LOOP_CLR_FD) = 0
[pid 5077] close(4) = 0
[pid 5077] open("./bus", O_ACCMODE|O_CREAT|O_TRUNC|O_NONBLOCK|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|O_DIRECTORY, 000) = -1 ENOTDIR (Not a directory)
[pid 5077] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0
[pid 5077] openat(AT_FDCWD, "./bus", O_RDONLY) = 4
[pid 5077] openat(AT_FDCWD, "./bus", O_RDWR|O_SYNC|O_NOATIME|O_CLOEXEC) = 5
[pid 5077] write(5, "\x68\x74\x63\x70\x00", 5) = 5
[pid 5077] sendfile(5, 4, NULL, 131071) = 131071
[pid 5077] exit_group(0) = ?
[pid 5077] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5077, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} ---
[ 66.497045][ T5077] loop0: detected capacity change from 0 to 2048
umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x5555568b3620 /* 4 entries */, 32768) = 112
umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./5/binderfs") = 0
umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./5/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./5/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x5555568bb660 /* 2 entries */, 32768) = 48
getdents64(4, 0x5555568bb660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./5/file0") = 0
getdents64(3, 0x5555568b3620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./5") = 0
mkdir("./6", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555568b25d0) = 5078
./strace-static-x86_64: Process 5078 attached
[pid 5078] chdir("./6") = 0
[pid 5078] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5078] setpgid(0, 0) = 0
[pid 5078] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5078] write(3, "1000", 4) = 4
[pid 5078] close(3) = 0
[pid 5078] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5078] memfd_create("syzkaller", 0) = 3
[pid 5078] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe1f0569000
[pid 5078] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576
[pid 5078] munmap(0x7fe1f0569000, 1048576) = 0
[pid 5078] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5078] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5078] close(3) = 0
[pid 5078] mkdir("./file0", 0777) = 0
[pid 5078] mount("/dev/loop0", "./file0", "udf", MS_NOSUID|MS_SYNCHRONOUS|MS_DIRSYNC|MS_REC|MS_SILENT|MS_POSIXACL|MS_LAZYTIME, "fileset=00000000000000001024,gid=forget,longad,") = 0
[pid 5078] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5078] chdir("./file0") = 0
[pid 5078] ioctl(4, LOOP_CLR_FD) = 0
[pid 5078] close(4) = 0
[pid 5078] open("./bus", O_ACCMODE|O_CREAT|O_TRUNC|O_NONBLOCK|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|O_DIRECTORY, 000) = -1 ENOTDIR (Not a directory)
[pid 5078] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0
[pid 5078] openat(AT_FDCWD, "./bus", O_RDONLY) = 4
[pid 5078] openat(AT_FDCWD, "./bus", O_RDWR|O_SYNC|O_NOATIME|O_CLOEXEC) = 5
[pid 5078] write(5, "\x68\x74\x63\x70\x00", 5) = 5
[ 66.651168][ T5078] loop0: detected capacity change from 0 to 2048
[pid 5078] sendfile(5, 4, NULL, 131071) = 131071
[pid 5078] exit_group(0) = ?
[pid 5078] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5078, si_uid=0, si_status=0, si_utime=0, si_stime=5 /* 0.05 s */} ---
umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x5555568b3620 /* 4 entries */, 32768) = 112
umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./6/binderfs") = 0
[ 66.734633][ T5070] ==================================================================
[ 66.742938][ T5070] BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2a0
[ 66.749751][ T5070] Read of size 1 at addr ffff88807408e000 by task syz-executor303/5070
[ 66.758008][ T5070]
[ 66.760378][ T5070] CPU: 0 PID: 5070 Comm: syz-executor303 Not tainted 6.2.0-syzkaller-10443-g8cbd92339db0 #0
[ 66.770445][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
[ 66.780510][ T5070] Call Trace:
[ 66.783812][ T5070]
[ 66.786752][ T5070] dump_stack_lvl+0x1e7/0x2d0
[ 66.791509][ T5070] ? nf_tcp_handle_invalid+0x650/0x650
[ 66.796983][ T5070] ? panic+0x770/0x770
[ 66.801058][ T5070] ? _printk+0xd5/0x120
[ 66.805222][ T5070] print_report+0x163/0x540
[ 66.809776][ T5070] ? ktime_get_real_ts64+0x460/0x460
[ 66.815073][ T5070] ? time64_to_tm+0x331/0x4d0
[ 66.819762][ T5070] ? __virt_addr_valid+0x22f/0x2e0
[ 66.824896][ T5070] ? __phys_addr+0xba/0x170
[ 66.829408][ T5070] ? crc_itu_t+0x1d5/0x2a0
[ 66.834273][ T5070] kasan_report+0x143/0x170
[ 66.838792][ T5070] ? crc_itu_t+0x1d5/0x2a0
[ 66.843224][ T5070] crc_itu_t+0x1d5/0x2a0
[ 66.847478][ T5070] udf_sync_fs+0x1d2/0x380
[ 66.851902][ T5070] ? udf_put_super+0x160/0x160
[ 66.856701][ T5070] ? get_nr_dirty_inodes+0x2af/0x2e0
[ 66.861994][ T5070] sync_filesystem+0xec/0x220
[ 66.866671][ T5070] generic_shutdown_super+0x6f/0x340
[ 66.871960][ T5070] kill_block_super+0x7e/0xe0
[ 66.876652][ T5070] deactivate_locked_super+0xa4/0x110
[ 66.882026][ T5070] cleanup_mnt+0x490/0x520
[ 66.886465][ T5070] ? lockdep_hardirqs_on+0x98/0x140
[ 66.891776][ T5070] task_work_run+0x24a/0x300
[ 66.896373][ T5070] ? dput+0x3a1/0x420
[ 66.900352][ T5070] ? task_work_cancel+0x2b0/0x2b0
[ 66.905385][ T5070] ptrace_notify+0x2cd/0x380
[ 66.910010][ T5070] ? do_notify_parent+0xf50/0xf50
[ 66.915060][ T5070] ? user_path_at_empty+0x12f/0x180
[ 66.920275][ T5070] ? __x64_sys_umount+0x126/0x170
[ 66.925303][ T5070] ? path_umount+0xef0/0xef0
[ 66.929892][ T5070] ? syscall_enter_from_user_mode+0x32/0x2c0
[ 66.935913][ T5070] syscall_exit_to_user_mode+0x17a/0x2e0
[ 66.941565][ T5070] do_syscall_64+0x4d/0xc0
[ 66.946016][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 66.951913][ T5070] RIP: 0033:0x7fe1f89b7e57
[ 66.956333][ T5070] Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 66.976052][ T5070] RSP: 002b:00007ffcd1e4fbb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[ 66.984501][ T5070] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe1f89b7e57
[ 66.992472][ T5070] RDX: 00007ffcd1e4fc79 RSI: 000000000000000a RDI: 00007ffcd1e4fc70
[ 67.000445][ T5070] RBP: 00007ffcd1e4fc70 R08: 00000000ffffffff R09: 00007ffcd1e4fa50
[ 67.008440][ T5070] R10: 00005555568b3653 R11: 0000000000000206 R12: 00007ffcd1e50ce0
[ 67.016430][ T5070] R13: 00005555568b35f0 R14: 00007ffcd1e4fbe0 R15: 0000000000000007
[ 67.024431][ T5070]
[ 67.027445][ T5070]
[ 67.029771][ T5070] The buggy address belongs to the physical page:
[ 67.036350][ T5070] page:ffffea0001d02380 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7408e
[ 67.046689][ T5070] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 67.053809][ T5070] raw: 00fff00000000000 ffffea0001fdb448 ffffea0001d023c8 0000000000000000
[ 67.062389][ T5070] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 67.070985][ T5070] page dumped because: kasan: bad access detected
[ 67.077388][ T5070] page_owner tracks the page as freed
[ 67.082852][ T5070] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5075, tgid 5075 (syz-executor303), ts 66156089751, free_ts 66244626699
[ 67.101970][ T5070] get_page_from_freelist+0x37e0/0x3970
[ 67.107532][ T5070] __alloc_pages+0x291/0x7f0
[ 67.112124][ T5070] __folio_alloc+0x13/0x30
[ 67.116552][ T5070] vma_alloc_folio+0x48a/0x9a0
[ 67.121429][ T5070] handle_mm_fault+0x2984/0x51c0
[ 67.126376][ T5070] exc_page_fault+0x685/0x8a0
[ 67.131053][ T5070] asm_exc_page_fault+0x26/0x30
[ 67.135911][ T5070] page last free stack trace:
[ 67.140576][ T5070] free_unref_page_prepare+0xf0e/0xf70
[ 67.146042][ T5070] free_unref_page_list+0x6be/0x960
[ 67.151245][ T5070] release_pages+0x219e/0x2470
[ 67.156017][ T5070] tlb_flush_mmu+0x100/0x210
[ 67.160653][ T5070] tlb_finish_mmu+0xd4/0x1f0
[ 67.165333][ T5070] exit_mmap+0x2c9/0x990
[ 67.169574][ T5070] __mmput+0x115/0x3c0
[ 67.173649][ T5070] exit_mm+0x227/0x310
[ 67.177737][ T5070] do_exit+0x612/0x2290
[ 67.181912][ T5070] do_group_exit+0x206/0x2c0
[ 67.186508][ T5070] __x64_sys_exit_group+0x3f/0x40
[ 67.191538][ T5070] do_syscall_64+0x41/0xc0
[ 67.195964][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 67.201864][ T5070]
[ 67.204203][ T5070] Memory state around the buggy address:
[ 67.209927][ T5070] ffff88807408df00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.217985][ T5070] ffff88807408df80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.226132][ T5070] >ffff88807408e000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 67.234185][ T5070] ^
[ 67.238334][ T5070] ffff88807408e080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 67.246409][ T5070] ffff88807408e100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 67.254483][ T5070] ==================================================================
[ 67.262902][ T5070] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 67.270134][ T5070] CPU: 1 PID: 5070 Comm: syz-executor303 Not tainted 6.2.0-syzkaller-10443-g8cbd92339db0 #0
[ 67.280305][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
[ 67.290360][ T5070] Call Trace:
[ 67.293760][ T5070]
[ 67.296691][ T5070] dump_stack_lvl+0x1e7/0x2d0
[ 67.301407][ T5070] ? nf_tcp_handle_invalid+0x650/0x650
[ 67.306993][ T5070] ? vsnprintf+0x17f/0x1d80
[ 67.311517][ T5070] ? panic+0x770/0x770
[ 67.315591][ T5070] ? preempt_schedule_common+0x83/0xc0
[ 67.321095][ T5070] ? vscnprintf+0x5d/0x80
[ 67.325437][ T5070] panic+0x31c/0x770
[ 67.329342][ T5070] ? check_panic_on_warn+0x21/0xa0
[ 67.334463][ T5070] ? memcpy_page_flushcache+0x100/0x100
[ 67.340020][ T5070] ? _raw_spin_unlock_irqrestore+0x12c/0x140
[ 67.346031][ T5070] ? _raw_spin_unlock+0x40/0x40
[ 67.350896][ T5070] check_panic_on_warn+0x82/0xa0
[ 67.355850][ T5070] ? crc_itu_t+0x1d5/0x2a0
[ 67.360285][ T5070] end_report+0xbb/0x170
[ 67.364565][ T5070] kasan_report+0x150/0x170
[ 67.369081][ T5070] ? crc_itu_t+0x1d5/0x2a0
[ 67.373535][ T5070] crc_itu_t+0x1d5/0x2a0
[ 67.377796][ T5070] udf_sync_fs+0x1d2/0x380
[ 67.382225][ T5070] ? udf_put_super+0x160/0x160
[ 67.386996][ T5070] ? get_nr_dirty_inodes+0x2af/0x2e0
[ 67.392296][ T5070] sync_filesystem+0xec/0x220
[ 67.396989][ T5070] generic_shutdown_super+0x6f/0x340
[ 67.402286][ T5070] kill_block_super+0x7e/0xe0
[ 67.406976][ T5070] deactivate_locked_super+0xa4/0x110
[ 67.412378][ T5070] cleanup_mnt+0x490/0x520
[ 67.416804][ T5070] ? lockdep_hardirqs_on+0x98/0x140
[ 67.422010][ T5070] task_work_run+0x24a/0x300
[ 67.426616][ T5070] ? dput+0x3a1/0x420
[ 67.430604][ T5070] ? task_work_cancel+0x2b0/0x2b0
[ 67.435820][ T5070] ptrace_notify+0x2cd/0x380
[ 67.440433][ T5070] ? do_notify_parent+0xf50/0xf50
[ 67.445481][ T5070] ? user_path_at_empty+0x12f/0x180
[ 67.450778][ T5070] ? __x64_sys_umount+0x126/0x170
[ 67.455821][ T5070] ? path_umount+0xef0/0xef0
[ 67.460415][ T5070] ? syscall_enter_from_user_mode+0x32/0x2c0
[ 67.466400][ T5070] syscall_exit_to_user_mode+0x17a/0x2e0
[ 67.472041][ T5070] do_syscall_64+0x4d/0xc0
[ 67.476501][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 67.482403][ T5070] RIP: 0033:0x7fe1f89b7e57
[ 67.486825][ T5070] Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 67.506433][ T5070] RSP: 002b:00007ffcd1e4fbb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[ 67.514855][ T5070] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe1f89b7e57
[ 67.522856][ T5070] RDX: 00007ffcd1e4fc79 RSI: 000000000000000a RDI: 00007ffcd1e4fc70
[ 67.530831][ T5070] RBP: 00007ffcd1e4fc70 R08: 00000000ffffffff R09: 00007ffcd1e4fa50
[ 67.538807][ T5070] R10: 00005555568b3653 R11: 0000000000000206 R12: 00007ffcd1e50ce0
[ 67.546782][ T5070] R13: 00005555568b35f0 R14: 00007ffcd1e4fbe0 R15: 0000000000000007
[ 67.554764][ T5070]
[ 67.558062][ T5070] Kernel Offset: disabled
[ 67.562396][ T5070] Rebooting in 86400 seconds..