./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3477391609 <...> Warning: Permanently added '10.128.10.32' (ED25519) to the list of known hosts. execve("./syz-executor3477391609", ["./syz-executor3477391609"], 0x7ffdc91b8370 /* 10 vars */) = 0 brk(NULL) = 0x555557059000 brk(0x555557059d40) = 0x555557059d40 arch_prctl(ARCH_SET_FS, 0x5555570593c0) = 0 set_tid_address(0x555557059690) = 295 set_robust_list(0x5555570596a0, 24) = 0 rseq(0x555557059ce0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3477391609", 4096) = 28 getrandom("\x99\xa2\xa4\x04\xaa\x4a\x52\xab", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555557059d40 brk(0x55555707ad40) = 0x55555707ad40 brk(0x55555707b000) = 0x55555707b000 mprotect(0x7f95205fa000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.1g9Vcu", 0700) = 0 chmod("./syzkaller.1g9Vcu", 0777) = 0 chdir("./syzkaller.1g9Vcu") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 [ 23.396082][ T30] audit: type=1400 audit(1691188071.099:66): avc: denied { execmem } for pid=295 comm="syz-executor347" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 23.417533][ T30] audit: type=1400 audit(1691188071.129:67): avc: denied { read write } for pid=295 comm="syz-executor347" name="loop0" dev="devtmpfs" ino=112 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557059690) = 297 ./strace-static-x86_64: Process 297 attached [pid 297] set_robust_list(0x5555570596a0, 24) = 0 [pid 297] chdir("./0") = 0 [pid 297] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 297] setpgid(0, 0) = 0 [pid 297] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 297] write(3, "1000", 4) = 4 [pid 297] close(3) = 0 [pid 297] symlink("/dev/binderfs", "./binderfs") = 0 [pid 297] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] rt_sigaction(SIGRT_1, {sa_handler=0x7f952059f230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f95205903e0}, NULL, 8) = 0 [pid 297] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 297] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9520515000 [pid 297] mprotect(0x7f9520516000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 297] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 297] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9520535990, parent_tid=0x7f9520535990, exit_signal=0, stack=0x7f9520515000, stack_size=0x20300, tls=0x7f95205356c0} => {parent_tid=[298]}, 88) = 298 [pid 297] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 297] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 298 attached [pid 298] set_robust_list(0x7f95205359a0, 24) = 0 [pid 298] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 298] memfd_create("syzkaller", 0) = 3 [pid 298] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9518115000 [pid 298] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 298] munmap(0x7f9518115000, 262144) = 0 [pid 298] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 298] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 298] close(3) = 0 [pid 298] mkdir("./file1", 0777) = 0 [ 23.441599][ T30] audit: type=1400 audit(1691188071.129:68): avc: denied { open } for pid=295 comm="syz-executor347" path="/dev/loop0" dev="devtmpfs" ino=112 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 23.462940][ T298] loop0: detected capacity change from 0 to 512 [ 23.466171][ T30] audit: type=1400 audit(1691188071.149:69): avc: denied { ioctl } for pid=295 comm="syz-executor347" path="/dev/loop0" dev="devtmpfs" ino=112 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 23.497048][ T30] audit: type=1400 audit(1691188071.189:70): avc: denied { mounton } for pid=297 comm="syz-executor347" path="/root/syzkaller.1g9Vcu/0/file1" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 23.522866][ T298] EXT4-fs (loop0): 1 orphan inode deleted [pid 298] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 298] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 298] chdir("./file1") = 0 [pid 298] ioctl(4, LOOP_CLR_FD) = 0 [pid 298] close(4) = 0 [pid 298] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 298] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 297] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 298] <... futex resumed>) = 0 [ 23.528599][ T298] EXT4-fs (loop0): mounted filesystem without journal. Opts: errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x0000000000000000,barrier,auto_da_alloc,max_dir_size_kb=0x00000000000004e1,. Quota mode: writeback. [ 23.552200][ T30] audit: type=1400 audit(1691188071.259:71): avc: denied { mount } for pid=297 comm="syz-executor347" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 23.557340][ T298] ext4 filesystem being mounted at /root/syzkaller.1g9Vcu/0/file1 supports timestamps until 2038 (0x7fffffff) [pid 298] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 298] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 298] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 297] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 298] <... futex resumed>) = 0 [pid 298] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945) = 167936 [pid 298] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 298] <... futex resumed>) = 1 [pid 298] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 298] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 298] <... futex resumed>) = 1 [pid 298] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 298] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9518134000 [pid 297] mprotect(0x7f9518135000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 297] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 297] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9518154990, parent_tid=0x7f9518154990, exit_signal=0, stack=0x7f9518134000, stack_size=0x20300, tls=0x7f95181546c0} => {parent_tid=[302]}, 88) = 302 [pid 297] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 297] futex(0x7f95206006d8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 298] <... futex resumed>) = 1 [pid 298] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 262144 [pid 298] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 298] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 302 attached [pid 302] set_robust_list(0x7f95181549a0, 24) = 0 [pid 302] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 23.588045][ T30] audit: type=1400 audit(1691188071.299:72): avc: denied { write } for pid=297 comm="syz-executor347" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 23.609964][ T30] audit: type=1400 audit(1691188071.299:73): avc: denied { add_name } for pid=297 comm="syz-executor347" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 23.621699][ T302] EXT4-fs error (device loop0): ext4_ext_remove_space:2864: inode #16: comm syz-executor347: path[1].p_hdr == NULL [pid 302] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 297] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 23.631233][ T30] audit: type=1400 audit(1691188071.299:74): avc: denied { create } for pid=297 comm="syz-executor347" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 23.642868][ T302] EXT4-fs (loop0): Remounting filesystem read-only [ 23.662716][ T30] audit: type=1400 audit(1691188071.299:75): avc: denied { read write open } for pid=297 comm="syz-executor347" path="/root/syzkaller.1g9Vcu/0/file1/bus" dev="loop0" ino=16 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [pid 302] <... ioctl resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 302] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 302] futex(0x7f95206006d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 297] exit_group(0 [pid 298] <... futex resumed>) = ? [pid 297] <... exit_group resumed>) = ? [pid 302] <... futex resumed>) = ? [pid 298] +++ exited with 0 +++ [pid 302] +++ exited with 0 +++ [pid 297] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=297, si_uid=0, si_status=0, si_utime=0, si_stime=15} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555705a730 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 [ 23.669290][ T302] EXT4-fs error (device loop0): __ext4_get_inode_loc:4350: comm syz-executor347: Invalid inode table block 0 in block_group 0 [ 23.706979][ T302] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5830: Corrupt filesystem [ 23.716507][ T302] EXT4-fs error (device loop0): ext4_punch_hole:4142: inode #16: comm syz-executor347: mark_inode_dirty error umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555557062770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557062770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file1") = 0 getdents64(3, 0x55555705a730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 303 attached , child_tidptr=0x555557059690) = 303 [pid 303] set_robust_list(0x5555570596a0, 24) = 0 [pid 303] chdir("./1") = 0 [pid 303] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 303] setpgid(0, 0) = 0 [pid 303] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 303] write(3, "1000", 4) = 4 [pid 303] close(3) = 0 [pid 303] symlink("/dev/binderfs", "./binderfs") = 0 [pid 303] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] rt_sigaction(SIGRT_1, {sa_handler=0x7f952059f230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f95205903e0}, NULL, 8) = 0 [pid 303] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 303] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9520515000 [pid 303] mprotect(0x7f9520516000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 303] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 303] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9520535990, parent_tid=0x7f9520535990, exit_signal=0, stack=0x7f9520515000, stack_size=0x20300, tls=0x7f95205356c0}./strace-static-x86_64: Process 304 attached => {parent_tid=[304]}, 88) = 304 [pid 304] set_robust_list(0x7f95205359a0, 24) = 0 [pid 304] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 303] rt_sigprocmask(SIG_SETMASK, [], [pid 304] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 303] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 303] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 304] <... futex resumed>) = 0 [pid 303] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 304] memfd_create("syzkaller", 0) = 3 [pid 304] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9518115000 [pid 304] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 304] munmap(0x7f9518115000, 262144) = 0 [pid 304] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 304] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 304] close(3) = 0 [pid 304] mkdir("./file1", 0777) = 0 [ 23.806107][ T304] loop0: detected capacity change from 0 to 512 [ 23.818701][ T304] EXT4-fs (loop0): 1 orphan inode deleted [ 23.824231][ T304] EXT4-fs (loop0): mounted filesystem without journal. Opts: errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x0000000000000000,barrier,auto_da_alloc,max_dir_size_kb=0x00000000000004e1,. Quota mode: writeback. [pid 304] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 304] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 304] chdir("./file1") = 0 [pid 304] ioctl(4, LOOP_CLR_FD) = 0 [pid 304] close(4) = 0 [pid 304] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 304] <... futex resumed>) = 1 [pid 304] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 304] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 304] <... futex resumed>) = 1 [pid 304] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945) = 167936 [pid 304] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 303] <... futex resumed>) = 0 [pid 304] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL [pid 303] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... mount resumed>) = 0 [pid 303] <... futex resumed>) = 0 [pid 304] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 303] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 304] <... futex resumed>) = 1 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 304] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 304] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 303] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9518134000 [pid 303] mprotect(0x7f9518135000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 303] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 303] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9518154990, parent_tid=0x7f9518154990, exit_signal=0, stack=0x7f9518134000, stack_size=0x20300, tls=0x7f95181546c0}./strace-static-x86_64: Process 307 attached => {parent_tid=[307]}, 88) = 307 [pid 307] set_robust_list(0x7f95181549a0, 24 [pid 303] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 303] futex(0x7f95206006d8, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651 [pid 303] <... futex resumed>) = 0 [pid 303] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 307] <... set_robust_list resumed>) = 0 [pid 307] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 307] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 304] <... write resumed>) = 262144 [pid 304] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 23.847852][ T304] ext4 filesystem being mounted at /root/syzkaller.1g9Vcu/1/file1 supports timestamps until 2038 (0x7fffffff) [ 23.874437][ T307] EXT4-fs error (device loop0): ext4_read_block_bitmap_nowait:476: comm syz-executor347: Invalid block bitmap block 0 in block_group 0 [ 23.888624][ T307] EXT4-fs (loop0): Remounting filesystem read-only [ 23.895123][ T307] EXT4-fs error (device loop0) in ext4_mb_clear_bb:6151: Corrupt filesystem [pid 304] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 303] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 303] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 303] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 303] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [ 23.903886][ T307] ================================================================== [ 23.911749][ T307] BUG: KASAN: out-of-bounds in ext4_ext_remove_space+0x2149/0x4a60 [ 23.919474][ T307] Read of size 18446744073709551544 at addr ffff88811aee3054 by task syz-executor347/307 [ 23.929111][ T307] [ 23.931279][ T307] CPU: 0 PID: 307 Comm: syz-executor347 Not tainted 5.15.120-syzkaller-00229-g748fd0d9ca0f #0 [ 23.941356][ T307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 23.951328][ T307] Call Trace: [ 23.954455][ T307] [ 23.957240][ T307] dump_stack_lvl+0x151/0x1b7 [ 23.961751][ T307] ? io_uring_drop_tctx_refs+0x190/0x190 [ 23.967214][ T307] ? panic+0x751/0x751 [ 23.971121][ T307] print_address_description+0x87/0x3b0 [ 23.976497][ T307] kasan_report+0x179/0x1c0 [ 23.980840][ T307] ? ext4_ext_remove_space+0x2149/0x4a60 [ 23.986303][ T307] ? ext4_ext_remove_space+0x2149/0x4a60 [ 23.991773][ T307] kasan_check_range+0x293/0x2a0 [ 23.996554][ T307] ? ext4_ext_remove_space+0x2149/0x4a60 [ 24.002016][ T307] memmove+0x2d/0x70 [pid 303] exit_group(0 [pid 304] <... futex resumed>) = ? [pid 303] <... exit_group resumed>) = ? [pid 304] +++ exited with 0 +++ [ 24.005745][ T307] ext4_ext_remove_space+0x2149/0x4a60 [ 24.011042][ T307] ? ext4_da_release_space+0x1d0/0x480 [ 24.016334][ T307] ? ext4_ext_index_trans_blocks+0x120/0x120 [ 24.022150][ T307] ? ext4_es_remove_extent+0x1ac/0x380 [ 24.027446][ T307] ext4_punch_hole+0x794/0xbf0 [ 24.032044][ T307] ext4_fallocate+0x30c/0x1f10 [ 24.036644][ T307] ? ext4_ext_truncate+0x240/0x240 [ 24.041595][ T307] ? fsnotify_perm+0x6a/0x5d0 [ 24.046106][ T307] vfs_fallocate+0x492/0x570 [ 24.050533][ T307] do_vfs_ioctl+0x2238/0x2a80 [ 24.055045][ T307] ? __kasan_check_read+0x11/0x20 [ 24.059906][ T307] ? __x64_compat_sys_ioctl+0x90/0x90 [ 24.065109][ T307] ? compat_start_thread+0x20/0x20 [ 24.070063][ T307] ? ioctl_has_perm+0x1f8/0x560 [ 24.074758][ T307] ? ioctl_has_perm+0x3f5/0x560 [ 24.079443][ T307] ? has_cap_mac_admin+0x3c0/0x3c0 [ 24.084389][ T307] ? __kasan_check_write+0x14/0x20 [ 24.089335][ T307] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 24.094278][ T307] ? _raw_spin_unlock_irq+0x4e/0x70 [ 24.099310][ T307] ? cgroup_leave_frozen+0x164/0x2c0 [ 24.104430][ T307] ? selinux_file_ioctl+0x3cc/0x540 [ 24.109561][ T307] ? selinux_file_alloc_security+0x120/0x120 [ 24.115371][ T307] ? __fget_files+0x31e/0x380 [ 24.119878][ T307] ? security_file_ioctl+0x84/0xb0 [ 24.124835][ T307] __se_sys_ioctl+0x99/0x190 [ 24.129258][ T307] __x64_sys_ioctl+0x7b/0x90 [ 24.133688][ T307] do_syscall_64+0x3d/0xb0 [ 24.137934][ T307] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 24.143676][ T307] RIP: 0033:0x7f9520578e19 [ 24.147917][ T307] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 24.167359][ T307] RSP: 002b:00007f9518154218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 24.175605][ T307] RAX: ffffffffffffffda RBX: 00007f95206006d8 RCX: 00007f9520578e19 [ 24.183420][ T307] RDX: 0000000020000080 RSI: 000000004030582b RDI: 0000000000000004 [ 24.191222][ T307] RBP: 00007f95206006d0 R08: 00007ffe005087d7 R09: 0000000000000000 [ 24.199351][ T307] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f95205cd578 [ 24.207162][ T307] R13: 000000000000000b R14: 00007ffe005086f0 R15: 6f6f6c2f7665642f [ 24.214977][ T307] [ 24.217838][ T307] [ 24.220008][ T307] The buggy address belongs to the page: [ 24.225481][ T307] page:ffffea00046bb8c0 refcount:2 mapcount:0 mapping:ffff888109192c98 index:0x3a pfn:0x11aee3 [ 24.235634][ T307] memcg:ffff8881001f8000 [ 24.239710][ T307] aops:def_blk_aops ino:700000 [ 24.244309][ T307] flags: 0x4000000000002036(referenced|uptodate|lru|active|private|zone=1) [ 24.252735][ T307] raw: 4000000000002036 ffffea00046da308 ffffea00046da408 ffff888109192c98 [ 24.261163][ T307] raw: 000000000000003a ffff88811bd1bb28 00000002ffffffff ffff8881001f8000 [ 24.269569][ T307] page dumped because: kasan: bad access detected [ 24.275819][ T307] page_owner tracks the page as allocated [ 24.281370][ T307] page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 304, ts 23868189950, free_ts 23787864920 [ 24.298302][ T307] post_alloc_hook+0x1a3/0x1b0 [ 24.302894][ T307] get_page_from_freelist+0x2ed2/0x2f90 [ 24.308276][ T307] __alloc_pages+0x206/0x5e0 [ 24.312703][ T307] pagecache_get_page+0xb18/0xeb0 [ 24.317561][ T307] __getblk_gfp+0x21e/0x7c0 [ 24.321913][ T307] ext4_ext_insert_extent+0xf7a/0x4b10 [ 24.327202][ T307] ext4_ext_map_blocks+0x1c61/0x7250 [ 24.332345][ T307] ext4_map_blocks+0xaa7/0x1e30 [ 24.337017][ T307] _ext4_get_block+0x23b/0x660 [ 24.341643][ T307] ext4_get_block+0x39/0x50 [ 24.346032][ T307] ext4_block_write_begin+0x5ea/0x12a0 [ 24.351334][ T307] ext4_write_begin+0x6bc/0x13d0 [ 24.356110][ T307] ext4_da_write_begin+0x4a2/0xc30 [ 24.361046][ T307] generic_perform_write+0x2bc/0x5a0 [ 24.366166][ T307] ext4_buffered_write_iter+0x48a/0x610 [ 24.371597][ T307] ext4_file_write_iter+0x443/0x1c80 [ 24.376671][ T307] page last free stack trace: [ 24.381183][ T307] free_unref_page_prepare+0x7c8/0x7d0 [ 24.386523][ T307] free_unref_page_list+0x14b/0xa60 [ 24.391517][ T307] release_pages+0x1310/0x1370 [ 24.396113][ T307] __pagevec_release+0x84/0x100 [ 24.400797][ T307] shmem_undo_range+0x604/0x1560 [ 24.405571][ T307] shmem_evict_inode+0x215/0x9d0 [ 24.410346][ T307] evict+0x2a3/0x630 [ 24.414076][ T307] iput+0x63b/0x7e0 [ 24.417722][ T307] dentry_unlink_inode+0x34f/0x440 [ 24.422668][ T307] __dentry_kill+0x447/0x660 [ 24.427095][ T307] dentry_kill+0xc0/0x2a0 [ 24.431349][ T307] dput+0x165/0x320 [ 24.434997][ T307] __fput+0x662/0x910 [ 24.438815][ T307] ____fput+0x15/0x20 [ 24.442631][ T307] task_work_run+0x129/0x190 [ 24.447060][ T307] ptrace_notify+0x29e/0x350 [ 24.451497][ T307] [ 24.453662][ T307] Memory state around the buggy address: [ 24.459131][ T307] ffff88811aee2f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.467038][ T307] ffff88811aee2f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.474926][ T307] >ffff88811aee3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.482847][ T307] ^ [ 24.489332][ T307] ffff88811aee3080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 24.497233][ T307] ffff88811aee3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [pid 307] <... ioctl resumed>) = ? [pid 307] +++ exited with 0 +++ [pid 303] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=303, si_uid=0, si_status=0, si_utime=0, si_stime=9} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555705a730 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 [ 24.505124][ T307] ================================================================== [ 24.513026][ T307] Disabling lock debugging due to kernel taint [ 24.519227][ T307] EXT4-fs error (device loop0): __ext4_get_inode_loc:4350: comm syz-executor347: Invalid inode table block 0 in block_group 0 [ 24.532886][ T307] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5830: Corrupt filesystem [ 24.542203][ T307] EXT4-fs error (device loop0): ext4_punch_hole:4142: inode #16: comm syz-executor347: mark_inode_dirty error umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555557062770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557062770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file1") = 0 getdents64(3, 0x55555705a730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557059690) = 309 ./strace-static-x86_64: Process 309 attached [pid 309] set_robust_list(0x5555570596a0, 24) = 0 [pid 309] chdir("./2") = 0 [pid 309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 309] setpgid(0, 0) = 0 [pid 309] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 309] write(3, "1000", 4) = 4 [pid 309] close(3) = 0 [pid 309] symlink("/dev/binderfs", "./binderfs") = 0 [pid 309] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] rt_sigaction(SIGRT_1, {sa_handler=0x7f952059f230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f95205903e0}, NULL, 8) = 0 [pid 309] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 309] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9520515000 [pid 309] mprotect(0x7f9520516000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 309] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 309] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9520535990, parent_tid=0x7f9520535990, exit_signal=0, stack=0x7f9520515000, stack_size=0x20300, tls=0x7f95205356c0}./strace-static-x86_64: Process 310 attached => {parent_tid=[310]}, 88) = 310 [pid 310] set_robust_list(0x7f95205359a0, 24) = 0 [pid 310] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 310] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 309] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 309] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 310] <... futex resumed>) = 0 [pid 309] <... futex resumed>) = 1 [pid 310] memfd_create("syzkaller", 0 [pid 309] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 310] <... memfd_create resumed>) = 3 [pid 310] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9518115000 [pid 310] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 310] munmap(0x7f9518115000, 262144) = 0 [pid 310] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 310] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 310] close(3) = 0 [pid 310] mkdir("./file1", 0777) = 0 [ 24.611767][ T310] loop0: detected capacity change from 0 to 512 [ 24.628838][ T310] EXT4-fs (loop0): 1 orphan inode deleted [ 24.634423][ T310] EXT4-fs (loop0): mounted filesystem without journal. Opts: errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x0000000000000000,barrier,auto_da_alloc,max_dir_size_kb=0x00000000000004e1,. Quota mode: writeback. [pid 310] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 310] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 310] chdir("./file1") = 0 [pid 310] ioctl(4, LOOP_CLR_FD) = 0 [pid 310] close(4) = 0 [pid 310] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 309] <... futex resumed>) = 0 [pid 309] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 310] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 310] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 309] <... futex resumed>) = 0 [pid 310] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945 [pid 309] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 310] <... write resumed>) = 167936 [pid 310] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 309] <... futex resumed>) = 0 [pid 309] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 310] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 310] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 309] <... futex resumed>) = 0 [pid 309] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 310] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 309] <... futex resumed>) = 0 [pid 309] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 310] <... open resumed>) = 5 [pid 310] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 309] <... futex resumed>) = 0 [pid 309] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9518134000 [pid 309] mprotect(0x7f9518135000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 309] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 309] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9518154990, parent_tid=0x7f9518154990, exit_signal=0, stack=0x7f9518134000, stack_size=0x20300, tls=0x7f95181546c0} [pid 310] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651./strace-static-x86_64: Process 313 attached [pid 309] <... clone3 resumed> => {parent_tid=[313]}, 88) = 313 [pid 309] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 309] futex(0x7f95206006d8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] set_robust_list(0x7f95181549a0, 24 [pid 310] <... write resumed>) = 262144 [pid 310] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 313] <... set_robust_list resumed>) = 0 [pid 313] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 24.657930][ T310] ext4 filesystem being mounted at /root/syzkaller.1g9Vcu/2/file1 supports timestamps until 2038 (0x7fffffff) [ 24.689163][ T313] EXT4-fs error (device loop0): ext4_ext_remove_space:2864: inode #16: comm syz-executor347: path[1].p_hdr == NULL [ 24.701386][ T313] EXT4-fs (loop0): Remounting filesystem read-only [pid 313] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 309] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 313] <... ioctl resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 313] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7f95206006d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 309] exit_group(0) = ? [pid 310] <... futex resumed>) = ? [pid 310] +++ exited with 0 +++ [pid 313] <... futex resumed>) = ? [pid 313] +++ exited with 0 +++ [pid 309] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=309, si_uid=0, si_status=0, si_utime=0, si_stime=7} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555705a730 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555557062770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557062770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file1") = 0 getdents64(3, 0x55555705a730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557059690) = 314 ./strace-static-x86_64: Process 314 attached [pid 314] set_robust_list(0x5555570596a0, 24) = 0 [pid 314] chdir("./3") = 0 [pid 314] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 314] setpgid(0, 0) = 0 [pid 314] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 314] write(3, "1000", 4) = 4 [pid 314] close(3) = 0 [pid 314] symlink("/dev/binderfs", "./binderfs") = 0 [pid 314] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] rt_sigaction(SIGRT_1, {sa_handler=0x7f952059f230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f95205903e0}, NULL, 8) = 0 [pid 314] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 314] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9520515000 [pid 314] mprotect(0x7f9520516000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 314] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 314] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9520535990, parent_tid=0x7f9520535990, exit_signal=0, stack=0x7f9520515000, stack_size=0x20300, tls=0x7f95205356c0} => {parent_tid=[315]}, 88) = 315 [pid 314] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 314] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 315 attached [pid 315] set_robust_list(0x7f95205359a0, 24) = 0 [pid 315] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 315] memfd_create("syzkaller", 0) = 3 [pid 315] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9518115000 [pid 315] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 315] munmap(0x7f9518115000, 262144) = 0 [pid 315] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 24.707830][ T313] EXT4-fs error (device loop0): __ext4_get_inode_loc:4350: comm syz-executor347: Invalid inode table block 0 in block_group 0 [ 24.721052][ T313] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5830: Corrupt filesystem [ 24.730651][ T313] EXT4-fs error (device loop0): ext4_punch_hole:4142: inode #16: comm syz-executor347: mark_inode_dirty error [pid 315] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 315] close(3) = 0 [pid 315] mkdir("./file1", 0777) = 0 [ 24.791249][ T315] loop0: detected capacity change from 0 to 512 [ 24.808971][ T315] EXT4-fs (loop0): 1 orphan inode deleted [ 24.814630][ T315] EXT4-fs (loop0): mounted filesystem without journal. Opts: errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x0000000000000000,barrier,auto_da_alloc,max_dir_size_kb=0x00000000000004e1,. Quota mode: writeback. [pid 315] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 315] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 315] chdir("./file1") = 0 [pid 315] ioctl(4, LOOP_CLR_FD) = 0 [pid 315] close(4) = 0 [pid 315] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 315] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 315] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 315] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 314] <... futex resumed>) = 1 [pid 314] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 314] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... futex resumed>) = 0 [pid 315] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945) = 167936 [pid 315] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 315] <... futex resumed>) = 1 [pid 315] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL [pid 314] <... futex resumed>) = 0 [pid 315] <... mount resumed>) = 0 [pid 315] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 315] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 314] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 314] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... futex resumed>) = 0 [pid 315] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 315] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9518134000 [pid 314] mprotect(0x7f9518135000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 314] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 314] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9518154990, parent_tid=0x7f9518154990, exit_signal=0, stack=0x7f9518134000, stack_size=0x20300, tls=0x7f95181546c0} => {parent_tid=[318]}, 88) = 318 [pid 314] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 314] futex(0x7f95206006d8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... futex resumed>) = 1 [pid 315] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651./strace-static-x86_64: Process 318 attached [pid 318] set_robust_list(0x7f95181549a0, 24) = 0 [pid 318] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 318] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 315] <... write resumed>) = 262144 [pid 315] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 24.838083][ T315] ext4 filesystem being mounted at /root/syzkaller.1g9Vcu/3/file1 supports timestamps until 2038 (0x7fffffff) [ 24.864803][ T318] EXT4-fs error (device loop0): ext4_ext_remove_space:2864: inode #16: comm syz-executor347: path[1].p_hdr == NULL [ 24.877125][ T318] EXT4-fs (loop0): Remounting filesystem read-only [pid 315] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 314] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 318] <... ioctl resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 318] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 318] futex(0x7f95206006d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 314] exit_group(0 [pid 315] <... futex resumed>) = ? [pid 314] <... exit_group resumed>) = ? [pid 318] <... futex resumed>) = ? [pid 315] +++ exited with 0 +++ [pid 318] +++ exited with 0 +++ [pid 314] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=314, si_uid=0, si_status=0, si_utime=0, si_stime=8} --- umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555705a730 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 [ 24.883754][ T318] EXT4-fs error (device loop0): __ext4_get_inode_loc:4350: comm syz-executor347: Invalid inode table block 0 in block_group 0 [ 24.896951][ T318] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5830: Corrupt filesystem [ 24.906541][ T318] EXT4-fs error (device loop0): ext4_punch_hole:4142: inode #16: comm syz-executor347: mark_inode_dirty error umount2("./3/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555557062770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557062770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file1") = 0 getdents64(3, 0x55555705a730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557059690) = 319 ./strace-static-x86_64: Process 319 attached [pid 319] set_robust_list(0x5555570596a0, 24) = 0 [pid 319] chdir("./4") = 0 [pid 319] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 319] setpgid(0, 0) = 0 [pid 319] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 319] write(3, "1000", 4) = 4 [pid 319] close(3) = 0 [pid 319] symlink("/dev/binderfs", "./binderfs") = 0 [pid 319] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] rt_sigaction(SIGRT_1, {sa_handler=0x7f952059f230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f95205903e0}, NULL, 8) = 0 [pid 319] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 319] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9520515000 [pid 319] mprotect(0x7f9520516000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 319] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 319] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9520535990, parent_tid=0x7f9520535990, exit_signal=0, stack=0x7f9520515000, stack_size=0x20300, tls=0x7f95205356c0}./strace-static-x86_64: Process 320 attached => {parent_tid=[320]}, 88) = 320 [pid 320] set_robust_list(0x7f95205359a0, 24) = 0 [pid 320] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 320] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 319] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 319] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 320] <... futex resumed>) = 0 [pid 320] memfd_create("syzkaller", 0) = 3 [pid 320] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9518115000 [pid 319] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 320] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 320] munmap(0x7f9518115000, 262144) = 0 [pid 320] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 320] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 320] close(3) = 0 [pid 320] mkdir("./file1", 0777) = 0 [ 25.042204][ T320] loop0: detected capacity change from 0 to 512 [ 25.058986][ T320] EXT4-fs (loop0): 1 orphan inode deleted [ 25.064557][ T320] EXT4-fs (loop0): mounted filesystem without journal. Opts: errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x0000000000000000,barrier,auto_da_alloc,max_dir_size_kb=0x00000000000004e1,. Quota mode: writeback. [pid 320] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 320] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 320] chdir("./file1") = 0 [pid 320] ioctl(4, LOOP_CLR_FD) = 0 [pid 320] close(4) = 0 [pid 320] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 320] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 319] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 320] <... futex resumed>) = 0 [pid 320] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 320] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 320] <... futex resumed>) = 1 [pid 320] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945) = 167936 [pid 320] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 320] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 320] <... mount resumed>) = 0 [pid 320] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 320] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 320] <... open resumed>) = 5 [pid 320] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000 [pid 320] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651 [pid 319] <... futex resumed>) = 0 [pid 319] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9518134000 [pid 319] mprotect(0x7f9518135000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 319] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 319] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9518154990, parent_tid=0x7f9518154990, exit_signal=0, stack=0x7f9518134000, stack_size=0x20300, tls=0x7f95181546c0} => {parent_tid=[323]}, 88) = 323 [pid 319] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 319] futex(0x7f95206006d8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 323 attached [pid 323] set_robust_list(0x7f95181549a0, 24) = 0 [pid 323] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 323] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 320] <... write resumed>) = 262144 [pid 320] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 25.087962][ T320] ext4 filesystem being mounted at /root/syzkaller.1g9Vcu/4/file1 supports timestamps until 2038 (0x7fffffff) [ 25.114500][ T323] EXT4-fs error (device loop0): ext4_ext_remove_space:2864: inode #16: comm syz-executor347: path[1].p_hdr == NULL [ 25.126737][ T323] EXT4-fs (loop0): Remounting filesystem read-only [pid 320] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 319] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 323] <... ioctl resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 323] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 323] futex(0x7f95206006d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 319] exit_group(0 [pid 320] <... futex resumed>) = ? [pid 319] <... exit_group resumed>) = ? [pid 320] +++ exited with 0 +++ [pid 323] <... futex resumed>) = ? [pid 323] +++ exited with 0 +++ [pid 319] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=319, si_uid=0, si_status=0, si_utime=0, si_stime=7} --- umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555705a730 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 [ 25.133393][ T323] EXT4-fs error (device loop0): __ext4_get_inode_loc:4350: comm syz-executor347: Invalid inode table block 0 in block_group 0 [ 25.146551][ T323] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5830: Corrupt filesystem [ 25.156036][ T323] EXT4-fs error (device loop0): ext4_punch_hole:4142: inode #16: comm syz-executor347: mark_inode_dirty error umount2("./4/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555557062770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557062770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file1") = 0 getdents64(3, 0x55555705a730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557059690) = 324 ./strace-static-x86_64: Process 324 attached [pid 324] set_robust_list(0x5555570596a0, 24) = 0 [pid 324] chdir("./5") = 0 [pid 324] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 324] setpgid(0, 0) = 0 [pid 324] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 324] write(3, "1000", 4) = 4 [pid 324] close(3) = 0 [pid 324] symlink("/dev/binderfs", "./binderfs") = 0 [pid 324] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 324] rt_sigaction(SIGRT_1, {sa_handler=0x7f952059f230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f95205903e0}, NULL, 8) = 0 [pid 324] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 324] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9520515000 [pid 324] mprotect(0x7f9520516000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 324] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 324] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9520535990, parent_tid=0x7f9520535990, exit_signal=0, stack=0x7f9520515000, stack_size=0x20300, tls=0x7f95205356c0} => {parent_tid=[325]}, 88) = 325 [pid 324] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 324] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 324] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 325 attached [pid 325] set_robust_list(0x7f95205359a0, 24) = 0 [pid 325] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 325] memfd_create("syzkaller", 0) = 3 [pid 325] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9518115000 [pid 325] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 325] munmap(0x7f9518115000, 262144) = 0 [pid 325] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 325] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 325] close(3) = 0 [pid 325] mkdir("./file1", 0777) = 0 [ 25.276268][ T325] loop0: detected capacity change from 0 to 512 [ 25.288960][ T325] EXT4-fs (loop0): 1 orphan inode deleted [ 25.294511][ T325] EXT4-fs (loop0): mounted filesystem without journal. Opts: errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x0000000000000000,barrier,auto_da_alloc,max_dir_size_kb=0x00000000000004e1,. Quota mode: writeback. [pid 325] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 325] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 325] chdir("./file1") = 0 [pid 325] ioctl(4, LOOP_CLR_FD) = 0 [pid 325] close(4) = 0 [pid 325] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 324] <... futex resumed>) = 0 [pid 325] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000 [pid 324] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 324] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 325] <... open resumed>) = 4 [pid 325] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 324] <... futex resumed>) = 0 [pid 325] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945 [pid 324] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 324] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 325] <... write resumed>) = 167936 [pid 325] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 324] <... futex resumed>) = 0 [pid 324] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 325] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL [pid 324] <... futex resumed>) = 0 [pid 324] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 325] <... mount resumed>) = 0 [pid 325] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 324] <... futex resumed>) = 0 [pid 325] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 324] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 325] <... open resumed>) = 5 [pid 324] <... futex resumed>) = 0 [pid 325] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 324] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 325] <... futex resumed>) = 0 [pid 324] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 325] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651 [pid 324] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 324] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 324] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9518134000 [pid 324] mprotect(0x7f9518135000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 324] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 324] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9518154990, parent_tid=0x7f9518154990, exit_signal=0, stack=0x7f9518134000, stack_size=0x20300, tls=0x7f95181546c0}./strace-static-x86_64: Process 329 attached [pid 329] set_robust_list(0x7f95181549a0, 24) = 0 [pid 329] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 324] <... clone3 resumed> => {parent_tid=[329]}, 88) = 329 [pid 329] futex(0x7f95206006d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 324] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 324] futex(0x7f95206006d8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 329] <... futex resumed>) = 0 [pid 329] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 324] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 325] <... write resumed>) = 262144 [ 25.317892][ T325] ext4 filesystem being mounted at /root/syzkaller.1g9Vcu/5/file1 supports timestamps until 2038 (0x7fffffff) [pid 325] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 25.349761][ T329] EXT4-fs error (device loop0): ext4_ext_remove_space:2864: inode #18: comm syz-executor347: path[1].p_hdr == NULL [ 25.362129][ T329] EXT4-fs (loop0): Remounting filesystem read-only [ 25.368613][ T329] EXT4-fs error (device loop0): __ext4_get_inode_loc:4350: comm syz-executor347: Invalid inode table block 0 in block_group 0 [ 25.381729][ T329] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5830: Corrupt filesystem [pid 325] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 324] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 329] <... ioctl resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 329] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 329] futex(0x7f95206006d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 324] exit_group(0 [pid 325] <... futex resumed>) = ? [pid 324] <... exit_group resumed>) = ? [pid 325] +++ exited with 0 +++ [pid 329] <... futex resumed>) = ? [pid 329] +++ exited with 0 +++ [pid 324] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=324, si_uid=0, si_status=0, si_utime=0, si_stime=7} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555705a730 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/binderfs") = 0 [ 25.391194][ T329] EXT4-fs error (device loop0): ext4_punch_hole:4142: inode #18: comm syz-executor347: mark_inode_dirty error umount2("./5/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./5/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555557062770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557062770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file1") = 0 getdents64(3, 0x55555705a730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557059690) = 330 ./strace-static-x86_64: Process 330 attached [pid 330] set_robust_list(0x5555570596a0, 24) = 0 [pid 330] chdir("./6") = 0 [pid 330] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 330] setpgid(0, 0) = 0 [pid 330] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 330] write(3, "1000", 4) = 4 [pid 330] close(3) = 0 [pid 330] symlink("/dev/binderfs", "./binderfs") = 0 [pid 330] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] rt_sigaction(SIGRT_1, {sa_handler=0x7f952059f230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f95205903e0}, NULL, 8) = 0 [pid 330] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 330] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9520515000 [pid 330] mprotect(0x7f9520516000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 330] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 330] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9520535990, parent_tid=0x7f9520535990, exit_signal=0, stack=0x7f9520515000, stack_size=0x20300, tls=0x7f95205356c0} => {parent_tid=[331]}, 88) = 331 [pid 330] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 330] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 331 attached [pid 331] set_robust_list(0x7f95205359a0, 24) = 0 [pid 331] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 331] memfd_create("syzkaller", 0) = 3 [pid 331] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9518115000 [pid 331] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 331] munmap(0x7f9518115000, 262144) = 0 [pid 331] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 331] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 331] close(3) = 0 [pid 331] mkdir("./file1", 0777) = 0 [ 25.520048][ T331] loop0: detected capacity change from 0 to 512 [ 25.539192][ T331] EXT4-fs (loop0): 1 orphan inode deleted [ 25.544772][ T331] EXT4-fs (loop0): mounted filesystem without journal. Opts: errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x0000000000000000,barrier,auto_da_alloc,max_dir_size_kb=0x00000000000004e1,. Quota mode: writeback. [pid 331] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 331] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 331] chdir("./file1") = 0 [pid 331] ioctl(4, LOOP_CLR_FD) = 0 [pid 331] close(4) = 0 [pid 331] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... futex resumed>) = 0 [pid 330] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 331] <... futex resumed>) = 1 [pid 331] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 331] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... futex resumed>) = 0 [pid 330] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 331] <... futex resumed>) = 1 [pid 331] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945) = 167936 [pid 331] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... futex resumed>) = 0 [pid 330] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 331] <... futex resumed>) = 1 [pid 331] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 331] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... futex resumed>) = 0 [pid 330] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 331] <... futex resumed>) = 1 [pid 331] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 331] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... futex resumed>) = 0 [pid 330] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9518134000 [pid 330] mprotect(0x7f9518135000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 330] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 330] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9518154990, parent_tid=0x7f9518154990, exit_signal=0, stack=0x7f9518134000, stack_size=0x20300, tls=0x7f95181546c0} => {parent_tid=[335]}, 88) = 335 [pid 330] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 330] futex(0x7f95206006d8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 331] <... futex resumed>) = 1 [pid 331] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651./strace-static-x86_64: Process 335 attached [pid 335] set_robust_list(0x7f95181549a0, 24) = 0 [pid 335] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 335] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 331] <... write resumed>) = 262144 [pid 331] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 25.568264][ T331] ext4 filesystem being mounted at /root/syzkaller.1g9Vcu/6/file1 supports timestamps until 2038 (0x7fffffff) [ 25.591321][ T335] EXT4-fs error (device loop0): ext4_ext_remove_space:2864: inode #16: comm syz-executor347: path[1].p_hdr == NULL [ 25.603481][ T335] EXT4-fs (loop0): Remounting filesystem read-only [pid 331] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 330] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 335] <... ioctl resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 335] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 335] futex(0x7f95206006d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 330] exit_group(0 [pid 335] <... futex resumed>) = ? [pid 331] <... futex resumed>) = ? [pid 330] <... exit_group resumed>) = ? [pid 331] +++ exited with 0 +++ [pid 335] +++ exited with 0 +++ [pid 330] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=330, si_uid=0, si_status=0, si_utime=0, si_stime=7} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555705a730 /* 4 entries */, 32768) = 112 umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/binderfs") = 0 [ 25.610098][ T335] EXT4-fs error (device loop0): __ext4_get_inode_loc:4350: comm syz-executor347: Invalid inode table block 0 in block_group 0 [ 25.623354][ T335] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5830: Corrupt filesystem [ 25.632822][ T335] EXT4-fs error (device loop0): ext4_punch_hole:4142: inode #16: comm syz-executor347: mark_inode_dirty error umount2("./6/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./6/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555557062770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557062770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file1") = 0 getdents64(3, 0x55555705a730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557059690) = 336 ./strace-static-x86_64: Process 336 attached [pid 336] set_robust_list(0x5555570596a0, 24) = 0 [pid 336] chdir("./7") = 0 [pid 336] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 336] setpgid(0, 0) = 0 [pid 336] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 336] write(3, "1000", 4) = 4 [pid 336] close(3) = 0 [pid 336] symlink("/dev/binderfs", "./binderfs") = 0 [pid 336] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 336] rt_sigaction(SIGRT_1, {sa_handler=0x7f952059f230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f95205903e0}, NULL, 8) = 0 [pid 336] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 336] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9520515000 [pid 336] mprotect(0x7f9520516000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 336] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 336] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9520535990, parent_tid=0x7f9520535990, exit_signal=0, stack=0x7f9520515000, stack_size=0x20300, tls=0x7f95205356c0} => {parent_tid=[337]}, 88) = 337 [pid 336] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 336] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 336] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 337 attached [pid 337] set_robust_list(0x7f95205359a0, 24) = 0 [pid 337] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 337] memfd_create("syzkaller", 0) = 3 [pid 337] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9518115000 [pid 337] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 337] munmap(0x7f9518115000, 262144) = 0 [pid 337] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 337] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 337] close(3) = 0 [pid 337] mkdir("./file1", 0777) = 0 [ 25.771536][ T337] loop0: detected capacity change from 0 to 512 [ 25.788962][ T337] EXT4-fs (loop0): 1 orphan inode deleted [ 25.794525][ T337] EXT4-fs (loop0): mounted filesystem without journal. Opts: errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x0000000000000000,barrier,auto_da_alloc,max_dir_size_kb=0x00000000000004e1,. Quota mode: writeback. [pid 337] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 337] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 337] chdir("./file1") = 0 [pid 337] ioctl(4, LOOP_CLR_FD) = 0 [pid 337] close(4) = 0 [pid 337] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 336] <... futex resumed>) = 0 [pid 336] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 337] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000 [pid 336] <... futex resumed>) = 0 [pid 336] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 337] <... open resumed>) = 4 [pid 337] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 336] <... futex resumed>) = 0 [pid 337] <... futex resumed>) = 1 [pid 337] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945 [pid 336] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 336] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 337] <... write resumed>) = 167936 [pid 337] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 336] <... futex resumed>) = 0 [pid 336] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 337] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL [pid 336] <... futex resumed>) = 0 [pid 336] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 337] <... mount resumed>) = 0 [pid 337] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 336] <... futex resumed>) = 0 [pid 337] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 336] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 337] <... open resumed>) = 5 [pid 336] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 337] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 336] <... futex resumed>) = 0 [pid 337] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651 [pid 336] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 336] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 336] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9518134000 [pid 336] mprotect(0x7f9518135000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 336] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 336] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9518154990, parent_tid=0x7f9518154990, exit_signal=0, stack=0x7f9518134000, stack_size=0x20300, tls=0x7f95181546c0}./strace-static-x86_64: Process 340 attached => {parent_tid=[340]}, 88) = 340 [pid 340] set_robust_list(0x7f95181549a0, 24) = 0 [pid 340] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 340] futex(0x7f95206006d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 336] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 336] futex(0x7f95206006d8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 336] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 340] <... futex resumed>) = 0 [pid 340] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 337] <... write resumed>) = 262144 [pid 337] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 25.817942][ T337] ext4 filesystem being mounted at /root/syzkaller.1g9Vcu/7/file1 supports timestamps until 2038 (0x7fffffff) [ 25.850348][ T340] EXT4-fs error (device loop0): ext4_ext_remove_space:2864: inode #16: comm syz-executor347: path[1].p_hdr == NULL [ 25.862790][ T340] EXT4-fs (loop0): Remounting filesystem read-only [pid 337] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 336] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 340] <... ioctl resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 340] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 340] futex(0x7f95206006d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 336] exit_group(0) = ? [pid 340] <... futex resumed>) = ? [pid 337] <... futex resumed>) = ? [pid 337] +++ exited with 0 +++ [pid 340] +++ exited with 0 +++ [pid 336] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=336, si_uid=0, si_status=0, si_utime=0, si_stime=7} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555705a730 /* 4 entries */, 32768) = 112 umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/binderfs") = 0 [ 25.869178][ T340] EXT4-fs error (device loop0): __ext4_get_inode_loc:4350: comm syz-executor347: Invalid inode table block 0 in block_group 0 [ 25.882222][ T340] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5830: Corrupt filesystem [ 25.891698][ T340] EXT4-fs error (device loop0): ext4_punch_hole:4142: inode #16: comm syz-executor347: mark_inode_dirty error umount2("./7/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./7/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./7/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555557062770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557062770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./7/file1") = 0 getdents64(3, 0x55555705a730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557059690) = 341 ./strace-static-x86_64: Process 341 attached [pid 341] set_robust_list(0x5555570596a0, 24) = 0 [pid 341] chdir("./8") = 0 [pid 341] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 341] setpgid(0, 0) = 0 [pid 341] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 341] write(3, "1000", 4) = 4 [pid 341] close(3) = 0 [pid 341] symlink("/dev/binderfs", "./binderfs") = 0 [pid 341] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 341] rt_sigaction(SIGRT_1, {sa_handler=0x7f952059f230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f95205903e0}, NULL, 8) = 0 [pid 341] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 341] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9520515000 [pid 341] mprotect(0x7f9520516000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 341] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 341] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9520535990, parent_tid=0x7f9520535990, exit_signal=0, stack=0x7f9520515000, stack_size=0x20300, tls=0x7f95205356c0}./strace-static-x86_64: Process 342 attached [pid 342] set_robust_list(0x7f95205359a0, 24) = 0 [pid 342] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 342] futex(0x7f95206006c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 341] <... clone3 resumed> => {parent_tid=[342]}, 88) = 342 [pid 341] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 341] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 342] <... futex resumed>) = 0 [pid 342] memfd_create("syzkaller", 0 [pid 341] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 342] <... memfd_create resumed>) = 3 [pid 342] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9518115000 [pid 342] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 342] munmap(0x7f9518115000, 262144) = 0 [pid 342] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 342] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 342] close(3) = 0 [pid 342] mkdir("./file1", 0777) = 0 [ 25.989332][ T342] loop0: detected capacity change from 0 to 512 [ 26.009218][ T342] EXT4-fs (loop0): 1 orphan inode deleted [ 26.014821][ T342] EXT4-fs (loop0): mounted filesystem without journal. Opts: errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x0000000000000000,barrier,auto_da_alloc,max_dir_size_kb=0x00000000000004e1,. Quota mode: writeback. [pid 342] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 342] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 342] chdir("./file1") = 0 [pid 342] ioctl(4, LOOP_CLR_FD) = 0 [pid 342] close(4) = 0 [pid 342] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 341] <... futex resumed>) = 0 [pid 341] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 341] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 342] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 342] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 341] <... futex resumed>) = 0 [pid 341] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 341] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 342] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945) = 167936 [pid 342] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 341] <... futex resumed>) = 0 [pid 341] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 341] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 342] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 342] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 341] <... futex resumed>) = 0 [pid 341] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 341] futex(0x7f95206006cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 342] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 342] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 341] <... futex resumed>) = 0 [pid 341] futex(0x7f95206006c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 341] futex(0x7f95206006dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 341] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9518134000 [pid 341] mprotect(0x7f9518135000, 131072, PROT_READ|PROT_WRITE [pid 342] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651 [pid 341] <... mprotect resumed>) = 0 [pid 341] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 341] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9518154990, parent_tid=0x7f9518154990, exit_signal=0, stack=0x7f9518134000, stack_size=0x20300, tls=0x7f95181546c0} => {parent_tid=[346]}, 88) = 346 [pid 341] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 341] futex(0x7f95206006d8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 341] futex(0x7f95206006dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 346 attached [pid 346] set_robust_list(0x7f95181549a0, 24) = 0 [pid 346] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 346] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 342] <... write resumed>) = 262144 [pid 342] futex(0x7f95206006cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 26.038458][ T342] ext4 filesystem being mounted at /root/syzkaller.1g9Vcu/8/file1 supports timestamps until 2038 (0x7fffffff) [ 26.065491][ T346] EXT4-fs error (device loop0): ext4_read_block_bitmap_nowait:476: comm syz-executor347: Invalid block bitmap block 0 in block_group 0 [ 26.079406][ T346] EXT4-fs (loop0): Remounting filesystem read-only [ 26.085829][ T346] EXT4-fs error (device loop0) in ext4_mb_clear_bb:6151: Corrupt filesystem [ 26.095594][ C1] BUG: unable to handle page fault for address: 00000001ffff8881 [ 26.103110][ C1] #PF: supervisor instruction fetch in kernel mode [ 26.109449][ C1] #PF: error_code(0x0010) - not-present page [ 26.115263][ C1] PGD 11e2da067 P4D 11e2da067 PUD 0 [ 26.120383][ C1] Oops: 0010 [#1] PREEMPT SMP KASAN [ 26.125525][ C1] CPU: 1 PID: 346 Comm: syz-executor347 Tainted: G B 5.15.120-syzkaller-00229-g748fd0d9ca0f #0 [ 26.136981][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 26.146876][ C1] RIP: 0010:0x1ffff8881 [ 26.150865][ C1] Code: Unable to access opcode bytes at RIP 0x1ffff8857. [ 26.157817][ C1] RSP: 0018:ffffc900001d0d58 EFLAGS: 00010046 [ 26.163723][ C1] RAX: ffffffff81607e65 RBX: 00000001ffff8881 RCX: ffff8881195e8000 [ 26.171525][ C1] RDX: 0000000080010000 RSI: 0000000000000046 RDI: ffffc90000937d20 [ 26.179336][ C1] RBP: ffffc900001d0e98 R08: ffffffff81607d91 R09: 0000000000000003 [ 26.187145][ C1] R10: fffff5200003a1c0 R11: dffffc0000000001 R12: 1ffff92000126fab [ 26.194956][ C1] R13: ffffc90000937d20 R14: dffffc0000000000 R15: ffff8881f7129a00 [ 26.202768][ C1] FS: 00007f95181546c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 26.211883][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.218305][ C1] CR2: 00000001ffff8881 CR3: 0000000105b95000 CR4: 00000000003506a0 [ 26.226119][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 26.233926][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 26.241741][ C1] Call Trace: [ 26.244872][ C1] [ 26.247557][ C1] ? __die_body+0x62/0xb0 [ 26.251728][ C1] ? __die+0x7e/0x90 [ 26.255452][ C1] ? page_fault_oops+0x7f9/0xa90 [ 26.260226][ C1] ? kernelmode_fixup_or_oops+0x270/0x270 [ 26.265782][ C1] ? __kasan_check_read+0x11/0x20 [ 26.270644][ C1] ? ttwu_do_wakeup+0xe3/0x430 [ 26.275241][ C1] ? ttwu_do_activate+0x15d/0x280 [ 26.280100][ C1] ? is_errata93+0xc7/0x240 [ 26.284440][ C1] ? exc_page_fault+0x521/0x830 [ 26.289131][ C1] ? asm_exc_page_fault+0x27/0x30 [ 26.293987][ C1] ? __hrtimer_run_queues+0x341/0xad0 [ 26.299197][ C1] ? __hrtimer_run_queues+0x415/0xad0 [ 26.304404][ C1] ? __hrtimer_run_queues+0x41a/0xad0 [ 26.309613][ C1] ? hrtimer_interrupt+0xaa0/0xaa0 [ 26.314564][ C1] ? ktime_get_update_offsets_now+0x2ba/0x2d0 [ 26.320461][ C1] hrtimer_interrupt+0x40c/0xaa0 [ 26.325239][ C1] __sysvec_apic_timer_interrupt+0xfd/0x3c0 [ 26.331051][ C1] sysvec_apic_timer_interrupt+0x95/0xc0 [ 26.336521][ C1] [ 26.339294][ C1] [ 26.342072][ C1] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 26.347887][ C1] RIP: 0010:__memmove+0x19c/0x1a0 [ 26.352748][ C1] Code: fa 02 72 16 66 44 8b 1e 66 44 8b 54 16 fe 66 44 89 1f 66 44 89 54 17 fe eb 0c 48 83 fa 01 72 06 44 8a 1e 44 88 1f c3 48 89 d1 a4 c3 cc eb 2e 0f 1f 00 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 [ 26.372198][ C1] RSP: 0018:ffffc90000987520 EFLAGS: 00010282 [ 26.378092][ C1] RAX: ffff88811d355048 RBX: ffffffff81dfeee9 RCX: ffffffffffdf02ff [ 26.385906][ C1] RDX: ffffffffffffffb8 RSI: ffff88811d564d0d RDI: ffff88811d564d01 [ 26.393716][ C1] RBP: ffffc90000987550 R08: ffffffff81dfedd2 R09: ffffed10237ba26a [ 26.401527][ C1] R10: 0000000000000000 R11: dffffc0000000001 R12: ffffffffffffffb8 [ 26.409337][ C1] R13: 0000000000000000 R14: ffff88811d355054 R15: ffff88811d355048 [ 26.417155][ C1] ? ext4_ext_remove_space+0x2149/0x4a60 [ 26.422636][ C1] ? ext4_ext_remove_space+0x2032/0x4a60 [ 26.428098][ C1] ? memmove+0x56/0x70 [ 26.431992][ C1] ext4_ext_remove_space+0x2149/0x4a60 [ 26.437292][ C1] ? ext4_da_release_space+0x1d0/0x480 [ 26.442580][ C1] ? ext4_ext_index_trans_blocks+0x120/0x120 [ 26.448394][ C1] ? ext4_es_remove_extent+0x1ac/0x380 [ 26.453691][ C1] ext4_punch_hole+0x794/0xbf0 [ 26.458293][ C1] ext4_fallocate+0x30c/0x1f10 [ 26.462890][ C1] ? ext4_ext_truncate+0x240/0x240 [ 26.467835][ C1] ? fsnotify_perm+0x6a/0x5d0 [ 26.472351][ C1] vfs_fallocate+0x492/0x570 [ 26.476779][ C1] do_vfs_ioctl+0x2238/0x2a80 [ 26.481289][ C1] ? __kasan_check_read+0x11/0x20 [ 26.486150][ C1] ? __x64_compat_sys_ioctl+0x90/0x90 [ 26.491358][ C1] ? compat_start_thread+0x20/0x20 [ 26.496334][ C1] ? ioctl_has_perm+0x1f8/0x560 [ 26.500992][ C1] ? ioctl_has_perm+0x3f5/0x560 [ 26.505678][ C1] ? has_cap_mac_admin+0x3c0/0x3c0 [ 26.510632][ C1] ? __kasan_check_write+0x14/0x20 [ 26.515574][ C1] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 26.520535][ C1] ? _raw_spin_unlock_irq+0x4e/0x70 [ 26.525565][ C1] ? cgroup_leave_frozen+0x164/0x2c0 [ 26.530676][ C1] ? selinux_file_ioctl+0x3cc/0x540 [ 26.535711][ C1] ? selinux_file_alloc_security+0x120/0x120 [ 26.541525][ C1] ? __fget_files+0x31e/0x380 [ 26.546038][ C1] ? security_file_ioctl+0x84/0xb0 [ 26.550984][ C1] __se_sys_ioctl+0x99/0x190 [ 26.555416][ C1] __x64_sys_ioctl+0x7b/0x90 [ 26.559838][ C1] do_syscall_64+0x3d/0xb0 [ 26.564098][ C1] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 26.569822][ C1] RIP: 0033:0x7f9520578e19 [ 26.574075][ C1] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 26.593513][ C1] RSP: 002b:00007f9518154218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 26.601765][ C1] RAX: ffffffffffffffda RBX: 00007f95206006d8 RCX: 00007f9520578e19 [ 26.609573][ C1] RDX: 0000000020000080 RSI: 000000004030582b RDI: 0000000000000004 [ 26.617391][ C1] RBP: 00007f95206006d0 R08: 00007ffe005087d7 R09: 0000000000000000 [ 26.625194][ C1] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f95205cd578 [ 26.633027][ C1] R13: 0000000000000006 R14: 00007ffe005086f0 R15: 6f6f6c2f7665642f [ 26.640820][ C1] [ 26.643678][ C1] Modules linked in: [ 26.647413][ C1] CR2: 00000001ffff8881 [ 26.651419][ C1] ---[ end trace 5591db00fb8732ef ]--- [ 26.651462][ T292] BUG: unable to handle page fault for address: ffff88811d6905c8 [ 26.656701][ C1] RIP: 0010:0x1ffff8881 [ 26.664252][ T292] #PF: supervisor read access in kernel mode [ 26.668245][ C1] Code: Unable to access opcode bytes at RIP 0x1ffff8857. [ 26.674063][ T292] #PF: error_code(0x0009) - reserved bit violation [ 26.681000][ C1] RSP: 0018:ffffc900001d0d58 EFLAGS: 00010046 [ 26.687345][ T292] BAD [ 26.687349][ T292] Thread overran stack, or stack corrupted [ 26.693241][ C1] RAX: ffffffff81607e65 RBX: 00000001ffff8881 RCX: ffff8881195e8000 [ 26.695668][ T292] Oops: 0009 [#2] PREEMPT SMP KASAN [ 26.701309][ C1] RDX: 0000000080010000 RSI: 0000000000000046 RDI: ffffc90000937d20 [ 26.709127][ T292] CPU: 0 PID: 292 Comm: strace-static-x Tainted: G B D 5.15.120-syzkaller-00229-g748fd0d9ca0f #0 [ 26.714155][ C1] RBP: ffffc900001d0e98 R08: ffffffff81607d91 R09: 0000000000000003 [ 26.721968][ T292] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 26.733443][ C1] R10: fffff5200003a1c0 R11: dffffc0000000001 R12: 1ffff92000126fab [ 26.741236][ T292] RIP: 0010:vmacache_find+0x166/0x4d0 [ 26.751217][ C1] R13: ffffc90000937d20 R14: dffffc0000000000 R15: ffff8881f7129a00 [ 26.759043][ T292] Code: 8b 1b 48 85 db 0f 84 95 00 00 00 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 48 89 df e8 0a 3e 0d 00 <4c> 8b 2b 4c 89 ef 4c 89 f6 e8 0c ae cb ff 4d 39 f5 76 6a e8 f2 ab [ 26.764241][ C1] FS: 00007f95181546c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 26.772047][ T292] RSP: 0018:ffffc9000079fa00 EFLAGS: 00010246 [ 26.791491][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.800343][ T292] [ 26.800349][ T292] RAX: 1ffff11023ad20b9 RBX: ffff88811d6905c8 RCX: dffffc0000000000 [ 26.806243][ C1] CR2: 00000001ffff8881 CR3: 0000000105b95000 CR4: 00000000003506a0 [ 26.812666][ T292] RDX: ffff88811b3062c0 RSI: 0000000000000000 RDI: 0000000000000000 [ 26.814840][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 26.822649][ T292] RBP: ffffc9000079fa30 R08: ffffffff81a4354c R09: ffffed10239406a1 [ 26.830458][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 26.838274][ T292] R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000 [ 26.846084][ C1] Kernel panic - not syncing: Fatal exception in interrupt [ 26.853902][ T292] R13: 1ffff11023660cfe R14: 00007ffdc91b80ac R15: ffff88811b3062c0 [ 26.884375][ T292] FS: 0000000001fda340(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 26.893126][ T292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.899549][ T292] CR2: ffff88811d680888 CR3: 000000011d680000 CR4: 00000000003506b0 [ 26.907365][ T292] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 26.915175][ T292] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 26.923038][ T292] Call Trace: [ 26.926205][ T292] [ 26.928983][ T292] ? __die_body+0x62/0xb0 [ 26.933147][ T292] ? __die+0x7e/0x90 [ 26.936880][ T292] ? page_fault_oops+0x7f9/0xa90 [ 26.941655][ T292] ? kernelmode_fixup_or_oops+0x270/0x270 [ 26.947207][ T292] ? is_prefetch+0x47a/0x6d0 [ 26.951634][ T292] ? vmacache_find+0x166/0x4d0 [ 26.956233][ T292] ? vmacache_find+0x166/0x4d0 [ 26.960832][ T292] ? vmacache_find+0x166/0x4d0 [ 26.965434][ T292] ? kernelmode_fixup_or_oops+0x21b/0x270 [ 26.970999][ T292] ? __bad_area_nosemaphore+0xcf/0x490 [ 26.976296][ T292] ? bad_area_nosemaphore+0x2d/0x40 [ 26.981317][ T292] ? do_kern_addr_fault+0x69/0x80 [ 26.986178][ T292] ? exc_page_fault+0x4eb/0x830 [ 26.990881][ T292] ? __update_load_avg_cfs_rq+0xb1/0x2f0 [ 26.996335][ T292] ? update_load_avg+0x43a/0x1150 [ 27.001197][ T292] ? __kasan_check_write+0x14/0x20 [ 27.006143][ T292] ? asm_exc_page_fault+0x27/0x30 [ 27.011003][ T292] ? vmacache_find+0xfc/0x4d0 [ 27.015515][ T292] ? vmacache_find+0x166/0x4d0 [ 27.020115][ T292] __find_vma+0x23/0x150 [ 27.024194][ T292] exc_page_fault+0x2ea/0x830 [ 27.028716][ T292] asm_exc_page_fault+0x27/0x30 [ 27.033407][ T292] RIP: 0010:__put_user_nocheck_4+0x3/0x11 [ 27.038965][ T292] Code: 00 00 48 39 d9 73 54 0f 01 cb 66 89 01 31 c9 0f 01 ca c3 0f 1f 44 00 00 48 bb fd ef ff ff ff 7f 00 00 48 39 d9 73 34 0f 01 cb <89> 01 31 c9 0f 01 ca c3 66 0f 1f 44 00 00 48 bb f9 ef ff ff ff 7f [ 27.058392][ T292] RSP: 0018:ffffc9000079fc78 EFLAGS: 00050297 [ 27.064552][ T292] RAX: 000000000000857f RBX: 00007fffffffeffd RCX: 00007ffdc91b80ac [ 27.072374][ T292] RDX: 0000000000000000 RSI: 0000000000000286 RDI: ffffc9000079fcd8 [ 27.080186][ T292] RBP: ffffc9000079fd90 R08: ffffffff81426448 R09: 0000000000000003 [ 27.087989][ T292] R10: fffff520000f3f60 R11: dffffc0000000001 R12: 1ffff920000f3f9b [ 27.095807][ T292] R13: 1ffff920000f3f94 R14: 0000000000000155 R15: 0000000000000000 [ 27.103615][ T292] ? kernel_wait4+0x2b8/0x3d0 [ 27.108124][ T292] ? kernel_wait4+0x2ef/0x3d0 [ 27.112645][ T292] ? __ia32_sys_waitid+0xd0/0xd0 [ 27.117407][ T292] ? task_rq_lock+0xd2/0x2b0 [ 27.121841][ T292] ? kernel_waitid+0x520/0x520 [ 27.126435][ T292] ? wait_task_inactive+0x2cd/0x4f0 [ 27.131478][ T292] __x64_sys_wait4+0x130/0x1e0 [ 27.136074][ T292] ? kernel_wait+0x230/0x230 [ 27.140497][ T292] ? debug_smp_processor_id+0x17/0x20 [ 27.145714][ T292] ? fpregs_assert_state_consistent+0xb6/0xe0 [ 27.151606][ T292] ? exit_to_user_mode_prepare+0x39/0xa0 [ 27.157079][ T292] do_syscall_64+0x3d/0xb0 [ 27.161327][ T292] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 27.167061][ T292] RIP: 0033:0x4d49a6 [ 27.170790][ T292] Code: 00 00 00 90 31 c9 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 49 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 90 48 83 ec 28 89 54 24 14 48 89 74 24 [ 27.190241][ T292] RSP: 002b:00007ffdc91b8088 EFLAGS: 00000246 ORIG_RAX: 000000000000003d [ 27.198485][ T292] RAX: ffffffffffffffda RBX: 0000000001fda2f8 RCX: 00000000004d49a6 [ 27.206288][ T292] RDX: 0000000040000000 RSI: 00007ffdc91b80ac RDI: 00000000ffffffff [ 27.214103][ T292] RBP: 0000000000000000 R08: 0000000000000017 R09: 0000000000000000 [ 27.221911][ T292] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000001fe02b0 [ 27.229722][ T292] R13: 0000000000000000 R14: 00007ffdc91b80ac R15: 0000000000617180 [ 27.237540][ T292] [ 27.240396][ T292] Modules linked in: [ 27.244129][ T292] CR2: ffff88811d6905c8 [ 27.248125][ T292] ---[ end trace 5591db00fb8732f0 ]--- [ 27.253414][ T292] RIP: 0010:0x1ffff8881 [ 27.257408][ T292] Code: Unable to access opcode bytes at RIP 0x1ffff8857. [ 27.264349][ T292] RSP: 0018:ffffc900001d0d58 EFLAGS: 00010046 [ 27.270253][ T292] RAX: ffffffff81607e65 RBX: 00000001ffff8881 RCX: ffff8881195e8000 [ 27.278064][ T292] RDX: 0000000080010000 RSI: 0000000000000046 RDI: ffffc90000937d20 [ 27.285877][ T292] RBP: ffffc900001d0e98 R08: ffffffff81607d91 R09: 0000000000000003 [ 27.293687][ T292] R10: fffff5200003a1c0 R11: dffffc0000000001 R12: 1ffff92000126fab [ 27.301504][ T292] R13: ffffc90000937d20 R14: dffffc0000000000 R15: ffff8881f7129a00 [ 27.309342][ T292] FS: 0000000001fda340(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 27.318162][ T292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.324587][ T292] CR2: ffff88811d680888 CR3: 000000011d680000 CR4: 00000000003506b0 [ 27.332521][ T292] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 27.340323][ T292] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 27.981924][ C1] Shutting down cpus with NMI [ 27.986575][ C1] Kernel Offset: disabled [ 27.990694][ C1] Rebooting in 86400 seconds..