./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1188039398 <...> DUID 00:04:76:8b:f6:84:a4:3b:36:39:6c:68:e7:10:38:dd:b7:2c forked to background, child pid 4645 [ 31.003873][ T4646] 8021q: adding VLAN 0 to HW filter on device bond0 [ 31.015173][ T4646] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.137' (ECDSA) to the list of known hosts. execve("./syz-executor1188039398", ["./syz-executor1188039398"], 0x7ffeb98a7130 /* 10 vars */) = 0 brk(NULL) = 0x55555685a000 brk(0x55555685ac40) = 0x55555685ac40 arch_prctl(ARCH_SET_FS, 0x55555685a300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1188039398", 4096) = 28 brk(0x55555687bc40) = 0x55555687bc40 brk(0x55555687c000) = 0x55555687c000 mprotect(0x7fd8e1d84000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 5067 mkdir("./syzkaller.BNGvwn", 0700) = 0 chmod("./syzkaller.BNGvwn", 0777) = 0 chdir("./syzkaller.BNGvwn") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555685a5d0) = 5068 ./strace-static-x86_64: Process 5068 attached [pid 5068] chdir("./0") = 0 [pid 5068] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5068] setpgid(0, 0) = 0 [pid 5068] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5068] write(3, "1000", 4) = 4 [pid 5068] close(3) = 0 [pid 5068] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5068] memfd_create("syzkaller", 0) = 3 [pid 5068] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd8d98b8000 [pid 5068] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 67108864) = 67108864 [pid 5068] munmap(0x7fd8d98b8000, 67108864) = 0 [pid 5068] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5068] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5068] close(3) = 0 [pid 5068] mkdir("./file0", 0777) = 0 syzkaller login: [ 53.693835][ T5068] loop0: detected capacity change from 0 to 131072 [ 53.703902][ T5068] ======================================================= [ 53.703902][ T5068] WARNING: The mand mount option has been deprecated and [ 53.703902][ T5068] and is ignored by this kernel. Remove the mand [ 53.703902][ T5068] option from the mount to silence this warning. [ 53.703902][ T5068] ======================================================= [ 53.741445][ T5068] F2FS-fs (loop0): Corrupted extension count (4278190117 + 1 > 64) [ 53.749737][ T5068] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock [ 53.759679][ T5068] F2FS-fs (loop0): invalid crc value [ 53.769059][ T5068] F2FS-fs (loop0): Found nat_bits in checkpoint [pid 5068] mount("/dev/loop0", "./file0", "f2fs", MS_RDONLY|MS_NOSUID|MS_SYNCHRONOUS|MS_MANDLOCK|MS_DIRSYNC|MS_REC|MS_POSIXACL|MS_STRICTATIME, "") = 0 [pid 5068] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5068] chdir("./file0") = 0 [pid 5068] ioctl(4, LOOP_CLR_FD) = 0 [pid 5068] close(4) = 0 [pid 5068] mkdir("./bus", 0777) = -1 E2BIG (Argument list too long) [pid 5068] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 5068] +++ killed by SIGSEGV +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=5068, si_uid=0, si_status=SIGSEGV, si_utime=9 /* 0.09 s */, si_stime=51 /* 0.51 s */} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x55555685b620 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./0/binderfs") = 0 [ 53.798392][ T5068] F2FS-fs (loop0): recover fsync data on readonly fs [ 53.807250][ T5068] F2FS-fs (loop0): Try to recover 2th superblock, ret: -30 [ 53.814723][ T5068] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4 [ 53.827221][ T5068] F2FS-fs (loop0): Corrupted max_depth of 3: 2049 [ 53.865770][ T5067] ------------[ cut here ]------------ [ 53.871410][ T5067] kernel BUG at fs/f2fs/inode.c:864! [ 53.877522][ T5067] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 53.883600][ T5067] CPU: 1 PID: 5067 Comm: syz-executor118 Not tainted 6.1.0-syzkaller-13031-g77856d911a8c #0 [ 53.893657][ T5067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 53.903696][ T5067] RIP: 0010:f2fs_evict_inode+0x1306/0x1310 [ 53.909508][ T5067] Code: ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c 8a f5 ff ff 48 89 df e8 4b 51 1a fe e9 7d f5 ff ff e8 e1 b4 c4 fd 0f 0b e8 da b4 c4 fd <0f> 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56 53 48 89 fb e8 c2 b4 [ 53.929101][ T5067] RSP: 0018:ffffc90003b3f8f8 EFLAGS: 00010293 [ 53.935152][ T5067] RAX: ffffffff83c720e6 RBX: 0000000000000002 RCX: ffff8880251257c0 [ 53.943105][ T5067] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 [ 53.951065][ T5067] RBP: 0000000000000000 R08: ffffffff83c71bc3 R09: ffffed100e5a41b5 [ 53.959019][ T5067] R10: ffffed100e5a41b5 R11: 1ffff1100e5a41b4 R12: dffffc0000000000 [ 53.966975][ T5067] R13: ffff888072d208f0 R14: ffff888072d20da0 R15: 0000000000000000 [ 53.974929][ T5067] FS: 000055555685a300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 53.983857][ T5067] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 53.990432][ T5067] CR2: 00007ffd85832d68 CR3: 00000000726a5000 CR4: 00000000003506e0 [ 53.998388][ T5067] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 54.006342][ T5067] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 54.014298][ T5067] Call Trace: [ 54.017561][ T5067] [ 54.020478][ T5067] ? bit_waitqueue+0x30/0x30 [ 54.025055][ T5067] ? do_raw_spin_unlock+0x134/0x8a0 [ 54.030246][ T5067] ? _raw_spin_unlock+0x24/0x40 [ 54.035102][ T5067] ? f2fs_write_inode+0x550/0x550 [ 54.040112][ T5067] evict+0x2a4/0x620 [ 54.043995][ T5067] evict_inodes+0x658/0x700 [ 54.048484][ T5067] ? clear_inode+0x150/0x150 [ 54.053064][ T5067] ? dput+0x3ee/0x410 [ 54.057031][ T5067] ? sync_filesystem+0x103/0x220 [ 54.061955][ T5067] generic_shutdown_super+0x94/0x310 [ 54.067227][ T5067] kill_block_super+0x79/0xd0 [ 54.071885][ T5067] kill_f2fs_super+0x2f9/0x3c0 [ 54.076638][ T5067] ? __up_read+0x690/0x690 [ 54.081036][ T5067] ? f2fs_mount+0x40/0x40 [ 54.085358][ T5067] ? radix_tree_delete_item+0x2e2/0x3d0 [ 54.091068][ T5067] ? unregister_shrinker+0x261/0x320 [ 54.096337][ T5067] ? trace_kfree+0x30/0xe0 [ 54.100823][ T5067] ? unregister_shrinker+0x261/0x320 [ 54.106096][ T5067] deactivate_locked_super+0xa7/0xf0 [ 54.111384][ T5067] cleanup_mnt+0x494/0x520 [ 54.115784][ T5067] ? lockdep_hardirqs_on+0x8d/0x130 [ 54.120970][ T5067] task_work_run+0x243/0x300 [ 54.125550][ T5067] ? task_work_cancel+0x290/0x290 [ 54.130560][ T5067] ? path_umount+0x1e0/0xf90 [ 54.135138][ T5067] ptrace_notify+0x29a/0x340 [ 54.139746][ T5067] ? do_notify_parent+0xe00/0xe00 [ 54.144753][ T5067] ? user_path_at_empty+0x149/0x1a0 [ 54.149945][ T5067] ? __x64_sys_umount+0x113/0x150 [ 54.154955][ T5067] syscall_exit_work+0x8c/0xe0 [ 54.159708][ T5067] syscall_exit_to_user_mode_prepare+0x63/0xc0 [ 54.165857][ T5067] syscall_exit_to_user_mode+0xa/0x60 [ 54.171309][ T5067] do_syscall_64+0x49/0xb0 [ 54.175708][ T5067] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 54.181677][ T5067] RIP: 0033:0x7fd8e1d06d97 [ 54.186086][ T5067] Code: 08 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 54.205674][ T5067] RSP: 002b:00007ffd858334a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6 [ 54.214069][ T5067] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fd8e1d06d97 [ 54.222021][ T5067] RDX: 00007ffd85833569 RSI: 000000000000000a RDI: 00007ffd85833560 [ 54.229975][ T5067] RBP: 00007ffd85833560 R08: 00000000ffffffff R09: 00007ffd85833340 [ 54.237947][ T5067] R10: 000055555685b653 R11: 0000000000000202 R12: 00007ffd858345d0 [ 54.245901][ T5067] R13: 000055555685b5f0 R14: 00007ffd858334d0 R15: 0000000000000001 [ 54.253859][ T5067] [ 54.256883][ T5067] Modules linked in: [ 54.261385][ T5067] ---[ end trace 0000000000000000 ]--- [ 54.266883][ T5067] RIP: 0010:f2fs_evict_inode+0x1306/0x1310 [ 54.272705][ T5067] Code: ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c 8a f5 ff ff 48 89 df e8 4b 51 1a fe e9 7d f5 ff ff e8 e1 b4 c4 fd 0f 0b e8 da b4 c4 fd <0f> 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56 53 48 89 fb e8 c2 b4 [ 54.292731][ T5067] RSP: 0018:ffffc90003b3f8f8 EFLAGS: 00010293 [ 54.298834][ T5067] RAX: ffffffff83c720e6 RBX: 0000000000000002 RCX: ffff8880251257c0 [ 54.306854][ T5067] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 [ 54.314858][ T5067] RBP: 0000000000000000 R08: ffffffff83c71bc3 R09: ffffed100e5a41b5 [ 54.322832][ T5067] R10: ffffed100e5a41b5 R11: 1ffff1100e5a41b4 R12: dffffc0000000000 [ 54.330903][ T5067] R13: ffff888072d208f0 R14: ffff888072d20da0 R15: 0000000000000000 [ 54.338917][ T5067] FS: 000055555685a300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 54.347881][ T5067] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 54.354486][ T5067] CR2: 00007ffd85832d68 CR3: 00000000726a5000 CR4: 00000000003506e0 [ 54.362446][ T5067] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 54.370545][ T5067] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 54.378553][ T5067] Kernel panic - not syncing: Fatal exception [ 54.384759][ T5067] Kernel Offset: disabled [ 54.389078][ T5067] Rebooting in 86400 seconds..