./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3913860346

<...>
Warning: Permanently added '10.128.0.86' (ED25519) to the list of known hosts.
execve("./syz-executor3913860346", ["./syz-executor3913860346"], 0x7fffeb310a80 /* 10 vars */) = 0
brk(NULL)                               = 0x55555b7df000
brk(0x55555b7dfe00)                     = 0x55555b7dfe00
arch_prctl(ARCH_SET_FS, 0x55555b7df480) = 0
set_tid_address(0x55555b7df750)         = 5841
set_robust_list(0x55555b7df760, 24)     = 0
rseq(0x55555b7dfda0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor3913860346", 4096) = 28
getrandom("\x98\x7a\x7f\x22\xc0\x8e\x54\x52", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x55555b7dfe00
brk(0x55555b800e00)                     = 0x55555b800e00
brk(0x55555b801000)                     = 0x55555b801000
mprotect(0x7ffac31fa000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5842 attached
 <unfinished ...>
[pid  5842] set_robust_list(0x55555b7df760, 24 <unfinished ...>
[pid  5841] <... clone resumed>, child_tidptr=0x55555b7df750) = 5842
[pid  5842] <... set_robust_list resumed>) = 0
[pid  5841] openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "10000000000", 11) = 11
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "20", 2)           = 2
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "1", 1)            = 1
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "0", 1)            = 1
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "0", 1)            = 1
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "1", 1)            = 1
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "100", 3)          = 3
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "0", 1)            = 1
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "0", 1)            = 1
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "7 4 1 3", 7)      = 7
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "1", 1)            = 1
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "1", 1)            = 1
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "0", 1)            = 1
[pid  5841] close(3)                    = 0
[pid  5841] openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3
[pid  5841] write(3, "5842", 4)         = 4
[pid  5841] close(3)                    = 0
[pid  5841] kill(5842, SIGKILL)         = 0
[pid  5842] +++ killed by SIGKILL +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=5842, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3
socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4
sendto(4, [{nlmsg_len=36, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36
recvfrom(4, [{nlmsg_len=864, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5841}, "\x01\x02\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00\x06\x00\x01\x00\x1d\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x30\x00\x00\x00\xe8\x02\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x05\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00"...], 4096, 0, NULL, NULL) = 864
recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5841}, {error=0, msg={nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0
close(5)                                = 0
sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0b\x00\x00\x00\x06\x00\x0a\x00\xa0\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36
recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5841}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0
close(5)                                = 0
sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x01\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44
recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5841}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
sendto(3, [{nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=0, ifi_flags=0, ifi_change=0}, [[{nla_len=11, nla_type=IFLA_IFNAME}, "lowpan0"...], [{nla_len=16, nla_type=IFLA_LINKINFO}, [{nla_len=10, nla_type=IFLA_INFO_KIND}, "lowpan"...]], [{nla_len=8, nla_type=IFLA_LINK}, 11]]], 68, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 68
recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5841}, {error=0, msg={nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0
close(5)                                = 0
sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0c\x00\x00\x00\x06\x00\x0a\x00\xa1\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36
recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5841}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0
close(5)                                = 0
sendto(3, [{nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=if_nametoindex("wpan1"), ifi_flags=IFF_UP, ifi_change=0x1}, [{nla_len=12, nla_type=IFLA_ADDRESS}, 02:01:aa:aa:aa:aa:aa]], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44
recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5841}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36
close(3)                                = 0
close(4)                                = 0
rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x7ffac3145090, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7ffac314d960}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x7ffac3145090, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7ffac314d960}, NULL, 8) = 0
getrandom("\x2d\x66\xde\x58\x76\x99\x64\xe8", 8, GRND_NONBLOCK) = 8
mkdir("./syzkaller.TMJc7R", 0700)       = 0
chmod("./syzkaller.TMJc7R", 0777)       = 0
chdir("./syzkaller.TMJc7R")             = 0
mkdir("./0", 0777)                      = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR)  = 3
ioctl(3, LOOP_CLR_FD)                   = -1 ENXIO (No such device or address)
close(3)                                = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5845 attached
 <unfinished ...>
[pid  5845] set_robust_list(0x55555b7df760, 24 <unfinished ...>
[pid  5841] <... clone resumed>, child_tidptr=0x55555b7df750) = 5845
[pid  5845] <... set_robust_list resumed>) = 0
[pid  5845] chdir("./0")                = 0
[pid  5845] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5845] setpgid(0, 0)               = 0
[pid  5845] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5845] write(3, "1000", 4)         = 4
[pid  5845] close(3)                    = 0
[pid  5845] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5845] write(1, "executing program\n", 18executing program
) = 18
[pid  5845] memfd_create("syzkaller", 0) = 3
[pid  5845] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffabac00000
[pid  5845] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536
[pid  5845] munmap(0x7ffabac00000, 138412032) = 0
[pid  5845] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid  5845] ioctl(4, LOOP_SET_FD, 3)    = 0
[pid  5845] close(3)                    = 0
[pid  5845] close(4)                    = 0
[pid  5845] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0
[pid  5845] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "") = 0
[pid  5845] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3
[pid  5845] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0
[pid  5845] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy)
[   61.651600][ T5845] loop0: detected capacity change from 0 to 128
[   61.688655][ T5845] VFS: Found a Xenix FS (block size = 1024) on device loop0
[   61.700471][ T5845] syz-executor391: attempt to access beyond end of device
[   61.700471][ T5845] loop0: rw=0, sector=6491536, nr_sectors = 2 limit=128
[   61.714932][ T5845] Buffer I/O error on dev loop0, logical block 3245768, async page read
[   61.725226][ T5845] unable to read i-node block
[   61.730266][ T5845] syz-executor391: attempt to access beyond end of device
[   61.730266][ T5845] loop0: rw=0, sector=6491536, nr_sectors = 2 limit=128
[pid  5845] symlink("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "./file0") = -1 EIO (Input/output error)
[pid  5845] exit_group(0)               = ?
[pid  5845] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5845, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} ---
umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
[   61.744681][ T5845] Buffer I/O error on dev loop0, logical block 3245768, async page read
[   61.754004][ T5845] sysv_free_block: flc_count > flc_size
[   61.759647][ T5845] sysv_free_inode: unable to read inode block on device loop0
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x55555b7e07f0 /* 4 entries */, 32768) = 176
umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/binderfs")                  = 0
[   61.897537][ T5841] sysv_free_block: flc_count > flc_size
[   61.903355][ T5841] sysv_free_block: flc_count > flc_size
[   61.908986][ T5841] sysv_free_block: flc_count > flc_size
[   61.914586][ T5841] sysv_free_block: flc_count > flc_size
[   61.920137][ T5841] sysv_free_block: flc_count > flc_size
[   61.925847][ T5841] sysv_free_block: flc_count > flc_size
[   61.931486][ T5841] sysv_free_block: flc_count > flc_size
[   61.937079][ T5841] sysv_free_block: flc_count > flc_size
umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = 0
umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
[   61.942624][ T5841] sysv_free_block: flc_count > flc_size
[   61.948233][ T5841] sysv_free_block: flc_count > flc_size
[   61.954385][ T5841] sysv_free_inode: inode 0,1,2 or nonexistent inode
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x55555b7e8830 /* 2 entries */, 32768) = 48
getdents64(4, 0x55555b7e8830 /* 0 entries */, 32768) = 0
close(4)                                = 0
rmdir("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0
getdents64(3, 0x55555b7e07f0 /* 0 entries */, 32768) = 0
close(3)                                = 0
rmdir("./0")                            = 0
mkdir("./1", 0777)                      = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR)  = 3
ioctl(3, LOOP_CLR_FD)                   = 0
close(3)                                = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5846 attached
 <unfinished ...>
[pid  5846] set_robust_list(0x55555b7df760, 24) = 0
[pid  5841] <... clone resumed>, child_tidptr=0x55555b7df750) = 5846
[pid  5846] chdir("./1")                = 0
[pid  5846] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5846] setpgid(0, 0)               = 0
[pid  5846] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5846] write(3, "1000", 4)         = 4
[pid  5846] close(3)                    = 0
[pid  5846] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5846] write(1, "executing program\n", 18executing program
) = 18
[pid  5846] memfd_create("syzkaller", 0) = 3
[pid  5846] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffabac00000
[pid  5846] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536
[pid  5846] munmap(0x7ffabac00000, 138412032) = 0
[pid  5846] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid  5846] ioctl(4, LOOP_SET_FD, 3)    = 0
[pid  5846] close(3)                    = 0
[pid  5846] close(4)                    = 0
[pid  5846] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0
[   62.215948][ T5846] loop0: detected capacity change from 0 to 128
[pid  5846] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "") = 0
[pid  5846] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3
[pid  5846] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0
[pid  5846] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy)
[   62.258741][ T5846] VFS: Found a Xenix FS (block size = 1024) on device loop0
[   62.278354][ T5846] syz-executor391: attempt to access beyond end of device
[   62.278354][ T5846] loop0: rw=0, sector=6491536, nr_sectors = 2 limit=128
[   62.292549][ T5846] Buffer I/O error on dev loop0, logical block 3245768, async page read
[   62.301501][ T5846] ==================================================================
[   62.309590][ T5846] BUG: KASAN: use-after-free in sysv_new_inode+0xfc7/0x1160
[   62.316909][ T5846] Read of size 2 at addr ffff88807e7bd1ce by task syz-executor391/5846
[   62.325147][ T5846] 
[   62.327499][ T5846] CPU: 0 UID: 0 PID: 5846 Comm: syz-executor391 Not tainted 6.12.0-syzkaller-10313-g7d4050728c83 #0
[   62.338246][ T5846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[   62.348491][ T5846] Call Trace:
[   62.351772][ T5846]  <TASK>
[   62.354692][ T5846]  dump_stack_lvl+0x241/0x360
[   62.359370][ T5846]  ? __pfx_dump_stack_lvl+0x10/0x10
[   62.364554][ T5846]  ? __pfx__printk+0x10/0x10
[   62.369135][ T5846]  ? _printk+0xd5/0x120
[   62.373294][ T5846]  ? __virt_addr_valid+0x183/0x530
[   62.378398][ T5846]  ? __virt_addr_valid+0x183/0x530
[   62.383516][ T5846]  print_report+0x169/0x550
[   62.388026][ T5846]  ? __virt_addr_valid+0x183/0x530
[   62.393147][ T5846]  ? __virt_addr_valid+0x183/0x530
[   62.398257][ T5846]  ? __virt_addr_valid+0x45f/0x530
[   62.403715][ T5846]  ? __phys_addr+0xba/0x170
[   62.408223][ T5846]  ? sysv_new_inode+0xfc7/0x1160
[   62.413165][ T5846]  kasan_report+0x143/0x180
[   62.417751][ T5846]  ? sysv_new_inode+0xfc7/0x1160
[   62.422783][ T5846]  sysv_new_inode+0xfc7/0x1160
[   62.427560][ T5846]  ? tomoyo_path_perm+0x5ea/0x740
[   62.432579][ T5846]  ? tomoyo_path_perm+0x287/0x740
[   62.437600][ T5846]  ? __pfx_sysv_new_inode+0x10/0x10
[   62.442820][ T5846]  ? generic_permission+0x356/0x680
[   62.448026][ T5846]  sysv_symlink+0x9f/0x180
[   62.452442][ T5846]  vfs_symlink+0x137/0x2e0
[   62.456938][ T5846]  do_symlinkat+0x222/0x3a0
[   62.462053][ T5846]  ? __virt_addr_valid+0x45f/0x530
[   62.467164][ T5846]  ? __pfx_do_symlinkat+0x10/0x10
[   62.472197][ T5846]  ? strncpy_from_user+0x152/0x270
[   62.477326][ T5846]  ? getname_flags+0x1e3/0x540
[   62.482173][ T5846]  __x64_sys_symlink+0x7a/0x90
[   62.486925][ T5846]  do_syscall_64+0xf3/0x230
[   62.491417][ T5846]  ? clear_bhb_loop+0x35/0x90
[   62.496290][ T5846]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   62.502188][ T5846] RIP: 0033:0x7ffac3182749
[   62.506709][ T5846] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   62.526310][ T5846] RSP: 002b:00007fff7c2c0ae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
[   62.534739][ T5846] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007ffac3182749
[   62.542762][ T5846] RDX: 0000000000000000 RSI: 0000000020000200 RDI: 00000000200049c0
[   62.550738][ T5846] RBP: 0000000000000000 R08: 0000000000009e7f R09: 00007fff7c2c0b1c
[   62.558721][ T5846] R10: 00007fff7c2c09b0 R11: 0000000000000246 R12: 00007fff7c2c0b1c
[   62.566692][ T5846] R13: 0000000000000001 R14: 431bde82d7b634db R15: 00007fff7c2c0b50
[   62.574804][ T5846]  </TASK>
[   62.577840][ T5846] 
[   62.580150][ T5846] The buggy address belongs to the physical page:
[   62.586567][ T5846] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f68329e5 pfn:0x7e7bd
[   62.596026][ T5846] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   62.603157][ T5846] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[   62.611837][ T5846] raw: 00000007f68329e5 0000000000000000 00000000ffffffff 0000000000000000
[   62.620419][ T5846] page dumped because: kasan: bad access detected
[   62.626829][ T5846] page_owner tracks the page as freed
[   62.632187][ T5846] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5833, tgid 5833 (sshd), ts 55885858589, free_ts 55892796337
[   62.650322][ T5846]  post_alloc_hook+0x1f3/0x230
[   62.655084][ T5846]  get_page_from_freelist+0x363e/0x3790
[   62.660648][ T5846]  __alloc_pages_noprof+0x292/0x710
[   62.665842][ T5846]  alloc_pages_mpol_noprof+0x3e8/0x680
[   62.671308][ T5846]  vma_alloc_folio_noprof+0x12e/0x230
[   62.676673][ T5846]  folio_prealloc+0x2e/0x170
[   62.681281][ T5846]  handle_pte_fault+0x2518/0x68a0
[   62.686297][ T5846]  handle_mm_fault+0x1053/0x1ad0
[   62.691236][ T5846]  exc_page_fault+0x459/0x8c0
[   62.695903][ T5846]  asm_exc_page_fault+0x26/0x30
[   62.700741][ T5846] page last free pid 5833 tgid 5833 stack trace:
[   62.707070][ T5846]  free_unref_folios+0xf21/0x1a10
[   62.712100][ T5846]  folios_put_refs+0x76c/0x860
[   62.716845][ T5846]  free_pages_and_swap_cache+0x2ea/0x690
[   62.722474][ T5846]  tlb_flush_mmu+0x3a3/0x680
[   62.727064][ T5846]  tlb_finish_mmu+0xd4/0x200
[   62.731657][ T5846]  vms_clear_ptes+0x437/0x530
[   62.736345][ T5846]  vms_complete_munmap_vmas+0x210/0x8f0
[   62.741879][ T5846]  do_vmi_align_munmap+0x5ef/0x6f0
[   62.747016][ T5846]  do_vmi_munmap+0x24e/0x2d0
[   62.751603][ T5846]  __vm_munmap+0x24c/0x480
[   62.756158][ T5846]  __x64_sys_munmap+0x60/0x70
[   62.760836][ T5846]  do_syscall_64+0xf3/0x230
[   62.765330][ T5846]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   62.771217][ T5846] 
[   62.773528][ T5846] Memory state around the buggy address:
[   62.779141][ T5846]  ffff88807e7bd080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.787203][ T5846]  ffff88807e7bd100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.795257][ T5846] >ffff88807e7bd180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.803406][ T5846]                                               ^
[   62.809821][ T5846]  ffff88807e7bd200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.817913][ T5846]  ffff88807e7bd280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.826063][ T5846] ==================================================================
[   62.834806][ T5846] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   62.842028][ T5846] CPU: 0 UID: 0 PID: 5846 Comm: syz-executor391 Not tainted 6.12.0-syzkaller-10313-g7d4050728c83 #0
[   62.852886][ T5846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[   62.862945][ T5846] Call Trace:
[   62.866244][ T5846]  <TASK>
[   62.869183][ T5846]  dump_stack_lvl+0x241/0x360
[   62.873861][ T5846]  ? __pfx_dump_stack_lvl+0x10/0x10
[   62.879050][ T5846]  ? __pfx__printk+0x10/0x10
[   62.883731][ T5846]  ? preempt_schedule+0xe1/0xf0
[   62.888610][ T5846]  ? vscnprintf+0x5d/0x90
[   62.892975][ T5846]  panic+0x349/0x880
[   62.896879][ T5846]  ? check_panic_on_warn+0x21/0xb0
[   62.901996][ T5846]  ? __pfx_panic+0x10/0x10
[   62.906416][ T5846]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   62.912492][ T5846]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   62.919454][ T5846]  ? print_report+0x502/0x550
[   62.924163][ T5846]  check_panic_on_warn+0x86/0xb0
[   62.929188][ T5846]  ? sysv_new_inode+0xfc7/0x1160
[   62.934143][ T5846]  end_report+0x77/0x160
[   62.938381][ T5846]  kasan_report+0x154/0x180
[   62.942871][ T5846]  ? sysv_new_inode+0xfc7/0x1160
[   62.947806][ T5846]  sysv_new_inode+0xfc7/0x1160
[   62.952598][ T5846]  ? tomoyo_path_perm+0x5ea/0x740
[   62.957621][ T5846]  ? tomoyo_path_perm+0x287/0x740
[   62.962646][ T5846]  ? __pfx_sysv_new_inode+0x10/0x10
[   62.967856][ T5846]  ? generic_permission+0x356/0x680
[   62.973051][ T5846]  sysv_symlink+0x9f/0x180
[   62.977482][ T5846]  vfs_symlink+0x137/0x2e0
[   62.981893][ T5846]  do_symlinkat+0x222/0x3a0
[   62.986396][ T5846]  ? __virt_addr_valid+0x45f/0x530
[   62.991504][ T5846]  ? __pfx_do_symlinkat+0x10/0x10
[   62.996530][ T5846]  ? strncpy_from_user+0x152/0x270
[   63.001646][ T5846]  ? getname_flags+0x1e3/0x540
[   63.006406][ T5846]  __x64_sys_symlink+0x7a/0x90
[   63.011157][ T5846]  do_syscall_64+0xf3/0x230
[   63.015821][ T5846]  ? clear_bhb_loop+0x35/0x90
[   63.020486][ T5846]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   63.026366][ T5846] RIP: 0033:0x7ffac3182749
[   63.030766][ T5846] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   63.050368][ T5846] RSP: 002b:00007fff7c2c0ae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
[   63.058788][ T5846] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007ffac3182749
[   63.066793][ T5846] RDX: 0000000000000000 RSI: 0000000020000200 RDI: 00000000200049c0
[   63.074755][ T5846] RBP: 0000000000000000 R08: 0000000000009e7f R09: 00007fff7c2c0b1c
[   63.082806][ T5846] R10: 00007fff7c2c09b0 R11: 0000000000000246 R12: 00007fff7c2c0b1c
[   63.090775][ T5846] R13: 0000000000000001 R14: 431bde82d7b634db R15: 00007fff7c2c0b50
[   63.099012][ T5846]  </TASK>
[   63.102328][ T5846] Kernel Offset: disabled
[   63.106648][ T5846] Rebooting in 86400 seconds..