./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1084046806 <...> Warning: Permanently added '10.128.0.73' (ED25519) to the list of known hosts. execve("./syz-executor1084046806", ["./syz-executor1084046806"], 0x7ffdab06a940 /* 10 vars */) = 0 brk(NULL) = 0x555555f17000 brk(0x555555f17d40) = 0x555555f17d40 arch_prctl(ARCH_SET_FS, 0x555555f173c0) = 0 set_tid_address(0x555555f17690) = 5031 set_robust_list(0x555555f176a0, 24) = 0 rseq(0x555555f17ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1084046806", 4096) = 28 getrandom("\x57\x81\xec\xb6\xca\x99\xb8\x85", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555555f17d40 brk(0x555555f38d40) = 0x555555f38d40 brk(0x555555f39000) = 0x555555f39000 mprotect(0x7f7947455000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 mkdir("./syzkaller.JJpUOn", 0700) = 0 chmod("./syzkaller.JJpUOn", 0777) = 0 chdir("./syzkaller.JJpUOn") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5032 ./strace-static-x86_64: Process 5032 attached [pid 5032] set_robust_list(0x555555f176a0, 24) = 0 [pid 5032] chdir("./0") = 0 [pid 5032] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5032] setpgid(0, 0) = 0 [pid 5032] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5032] write(3, "1000", 4) = 4 [pid 5032] close(3) = 0 [pid 5032] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5032] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5032] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5032] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5032] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5032] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5032] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5032] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5033 attached [pid 5033] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5032] <... clone3 resumed> => {parent_tid=[5033]}, 88) = 5033 [pid 5033] <... rseq resumed>) = 0 [pid 5032] rt_sigprocmask(SIG_SETMASK, [], [pid 5033] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5033] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5033] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5032] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5032] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5033] <... futex resumed>) = 0 [pid 5033] memfd_create("syzkaller", 0 [pid 5032] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5032] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5032] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5032] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5032] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5035]}, 88) = 5035 [pid 5032] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5032] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5032] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5035 attached [pid 5035] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5033] <... memfd_create resumed>) = 3 [pid 5035] <... rseq resumed>) = 0 [pid 5033] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5035] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5033] <... mmap resumed>) = 0x7f793ef10000 [pid 5035] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5035] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5033] munmap(0x7f793ef10000, 138412032) = 0 [pid 5035] <... openat resumed>) = 4 [pid 5033] close(3) = 0 [pid 5035] write(4, "85", 2 [pid 5033] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5033] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5035] <... write resumed>) = 2 [pid 5035] memfd_create("syzkaller", 0) = 3 [pid 5035] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 58.815892][ T5033] syz-executor108[5033]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set [ 58.839508][ T5035] FAULT_INJECTION: forcing a failure. [ 58.839508][ T5035] name fail_page_alloc, interval 1, probability 0, space 0, times 1 [ 58.853049][ T5035] CPU: 1 PID: 5035 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 58.863671][ T5035] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 58.873814][ T5035] Call Trace: [ 58.877118][ T5035] [ 58.880492][ T5035] dump_stack_lvl+0x1e7/0x2d0 [ 58.885211][ T5035] ? nf_tcp_handle_invalid+0x650/0x650 [ 58.890691][ T5035] ? panic+0x770/0x770 [ 58.894764][ T5035] should_fail_ex+0x3aa/0x4e0 [ 58.899440][ T5035] prepare_alloc_pages+0x1d9/0x5b0 [ 58.904557][ T5035] __alloc_pages+0x165/0x670 [ 58.909254][ T5035] ? zone_statistics+0x170/0x170 [ 58.914220][ T5035] ? verify_lock_unused+0x140/0x140 [ 58.919435][ T5035] ? handle_mm_fault+0x11d/0x62b0 [ 58.924466][ T5035] ? __lock_acquire+0x7f70/0x7f70 [ 58.929487][ T5035] ? pte_offset_map_nolock+0x137/0x1e0 [ 58.934949][ T5035] __folio_alloc+0x13/0x30 [ 58.939363][ T5035] vma_alloc_folio+0x48a/0x9a0 [ 58.944138][ T5035] handle_mm_fault+0x2376/0x62b0 [ 58.949117][ T5035] ? handle_mm_fault+0x11d/0x62b0 [ 58.954157][ T5035] ? numa_migrate_prep+0x380/0x380 [ 58.959343][ T5035] ? mtree_range_walk+0x6a0/0x7e0 [ 58.964392][ T5035] ? lock_vma_under_rcu+0x187/0x6f0 [ 58.969603][ T5035] ? __lock_acquire+0x7f70/0x7f70 [ 58.974747][ T5035] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 58.980070][ T5035] ? lock_vma_under_rcu+0x5df/0x6f0 [ 58.985377][ T5035] ? lock_vma_under_rcu+0x187/0x6f0 [ 58.990607][ T5035] ? exc_page_fault+0x10f/0x860 [ 58.995466][ T5035] exc_page_fault+0x455/0x860 [ 59.000156][ T5035] asm_exc_page_fault+0x26/0x30 [ 59.005026][ T5035] RIP: 0033:0x7f794735bd00 [ 59.009450][ T5035] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 59.029238][ T5035] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 59.035317][ T5035] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 59.043281][ T5035] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 59.051332][ T5035] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [pid 5035] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5035] munmap(0x7f793ef10000, 2097152) = 0 [pid 5035] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 59.059296][ T5035] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 59.067270][ T5035] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 59.075246][ T5035] [ 59.079248][ T5035] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5035] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5035] close(3) = 0 [pid 5035] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [ 59.117528][ T5035] loop0: detected capacity change from 0 to 4096 [ 59.127058][ T5035] ======================================================= [ 59.127058][ T5035] WARNING: The mand mount option has been deprecated and [ 59.127058][ T5035] and is ignored by this kernel. Remove the mand [ 59.127058][ T5035] option from the mount to silence this warning. [ 59.127058][ T5035] ======================================================= [pid 5035] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 59.175191][ T5035] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 59.182914][ T5035] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5035] ioctl(5, LOOP_CLR_FD) = 0 [pid 5035] close(5) = 0 [pid 5035] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5032] <... futex resumed>) = 0 [pid 5035] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5032] exit_group(0 [pid 5035] <... futex resumed>) = ? [pid 5033] <... futex resumed>) = ? [pid 5032] <... exit_group resumed>) = ? [pid 5035] +++ exited with 0 +++ [pid 5033] +++ exited with 0 +++ [pid 5032] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5032, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5036 attached [pid 5036] set_robust_list(0x555555f176a0, 24) = 0 [pid 5036] chdir("./1") = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5036 [pid 5036] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5036] setpgid(0, 0) = 0 [pid 5036] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5036] write(3, "1000", 4) = 4 [pid 5036] close(3) = 0 [pid 5036] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5036] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5036] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5036] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5036] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5036] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5036] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5036] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5037 attached => {parent_tid=[5037]}, 88) = 5037 [pid 5037] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5036] rt_sigprocmask(SIG_SETMASK, [], [pid 5037] set_robust_list(0x7f79473519a0, 24 [pid 5036] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5037] <... set_robust_list resumed>) = 0 [pid 5037] rt_sigprocmask(SIG_SETMASK, [], [pid 5036] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5037] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5036] <... futex resumed>) = 0 [pid 5037] memfd_create("syzkaller", 0 [pid 5036] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5036] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5036] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5036] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5036] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5037] <... memfd_create resumed>) = 3 [pid 5037] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5036] <... clone3 resumed> => {parent_tid=[5038]}, 88) = 5038 [pid 5036] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5036] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5036] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5038 attached [pid 5038] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5038] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5038] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5038] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5038] write(4, "85", 2) = 2 [pid 5038] memfd_create("syzkaller", 0) = 5 [pid 5038] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 59.312589][ T5038] FAULT_INJECTION: forcing a failure. [ 59.312589][ T5038] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 59.328029][ T5038] CPU: 0 PID: 5038 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 59.338478][ T5038] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 59.348541][ T5038] Call Trace: [ 59.351829][ T5038] [ 59.354772][ T5038] dump_stack_lvl+0x1e7/0x2d0 [ 59.359455][ T5038] ? nf_tcp_handle_invalid+0x650/0x650 [ 59.364917][ T5038] ? panic+0x770/0x770 [ 59.369007][ T5038] should_fail_ex+0x3aa/0x4e0 [ 59.373785][ T5038] prepare_alloc_pages+0x1d9/0x5b0 [ 59.378908][ T5038] __alloc_pages+0x165/0x670 [ 59.383505][ T5038] ? zone_statistics+0x170/0x170 [ 59.388461][ T5038] ? verify_lock_unused+0x140/0x140 [ 59.393667][ T5038] ? handle_mm_fault+0x11d/0x62b0 [ 59.398697][ T5038] ? __lock_acquire+0x7f70/0x7f70 [ 59.403722][ T5038] ? pte_offset_map_nolock+0x137/0x1e0 [ 59.409292][ T5038] __folio_alloc+0x13/0x30 [ 59.413885][ T5038] vma_alloc_folio+0x48a/0x9a0 [ 59.418649][ T5038] handle_mm_fault+0x2376/0x62b0 [ 59.423675][ T5038] ? handle_mm_fault+0x11d/0x62b0 [ 59.428703][ T5038] ? numa_migrate_prep+0x380/0x380 [ 59.433912][ T5038] ? mtree_range_walk+0x6a0/0x7e0 [ 59.438958][ T5038] ? lock_vma_under_rcu+0x187/0x6f0 [ 59.444345][ T5038] ? __lock_acquire+0x7f70/0x7f70 [ 59.449387][ T5038] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 59.454605][ T5038] ? lock_vma_under_rcu+0x5df/0x6f0 [ 59.459829][ T5038] ? lock_vma_under_rcu+0x187/0x6f0 [ 59.465039][ T5038] ? exc_page_fault+0x10f/0x860 [ 59.469889][ T5038] exc_page_fault+0x455/0x860 [ 59.474651][ T5038] asm_exc_page_fault+0x26/0x30 [ 59.479493][ T5038] RIP: 0033:0x7f794735bc53 [ 59.483896][ T5038] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 59.503587][ T5038] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5037] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2081717) = 2081717 [pid 5037] munmap(0x7f793ef10000, 2081717) = 0 [pid 5037] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 59.509678][ T5038] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 59.517642][ T5038] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 59.525802][ T5038] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 59.533852][ T5038] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 59.541813][ T5038] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 59.549790][ T5038] [ 59.553821][ T5038] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5037] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5037] close(3) = 0 [pid 5037] mkdir("./file0", 0777) = 0 [pid 5037] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5038] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5037] <... mount resumed>) = -1 EINVAL (Invalid argument) [pid 5037] ioctl(6, LOOP_CLR_FD [pid 5038] <... write resumed>) = 2097152 [pid 5038] munmap(0x7f7936b10000, 2097152) = 0 [pid 5038] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5038] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5038] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5038] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5038] close(3) = 0 [pid 5038] close(5) = 0 [pid 5038] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5036] <... futex resumed>) = 0 [ 59.569673][ T5037] loop0: detected capacity change from 0 to 4065 [ 59.581500][ T5037] ntfs: (device loop0): ntfs_read_inode_mount(): Incorrect mft record size 810844161 in superblock, should be 1024. [ 59.594626][ T5037] ntfs: (device loop0): ntfs_read_inode_mount(): Failed. Marking inode as bad. [pid 5038] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5037] <... ioctl resumed>) = 0 [pid 5037] close(6) = 0 [pid 5037] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5036] exit_group(0 [pid 5037] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5036] <... exit_group resumed>) = ? [pid 5037] <... futex resumed>) = ? [pid 5038] <... futex resumed>) = ? [pid 5037] +++ exited with 0 +++ [pid 5038] +++ exited with 0 +++ [pid 5036] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5036, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=14 /* 0.14 s */} --- umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5039 ./strace-static-x86_64: Process 5039 attached [ 59.657736][ T5034] I/O error, dev loop0, sector 3840 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 5039] set_robust_list(0x555555f176a0, 24) = 0 [pid 5039] chdir("./2") = 0 [pid 5039] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5039] setpgid(0, 0) = 0 [pid 5039] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5039] write(3, "1000", 4) = 4 [pid 5039] close(3) = 0 [pid 5039] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5039] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5039] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5039] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5039] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5039] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5039] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5039] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5040 attached [pid 5040] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5039] <... clone3 resumed> => {parent_tid=[5040]}, 88) = 5040 [pid 5040] <... rseq resumed>) = 0 [pid 5039] rt_sigprocmask(SIG_SETMASK, [], [pid 5040] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5039] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5040] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5039] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5039] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5039] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5040] memfd_create("syzkaller", 0 [pid 5039] <... mmap resumed>) = 0x7f7947310000 [pid 5040] <... memfd_create resumed>) = 3 [pid 5040] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5039] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5040] <... mmap resumed>) = 0x7f793ef10000 [pid 5039] <... mprotect resumed>) = 0 [pid 5039] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5039] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5041 attached => {parent_tid=[5041]}, 88) = 5041 [pid 5041] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5039] rt_sigprocmask(SIG_SETMASK, [], [pid 5041] set_robust_list(0x7f79473309a0, 24 [pid 5039] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5041] <... set_robust_list resumed>) = 0 [pid 5039] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5041] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5039] <... futex resumed>) = 0 [pid 5041] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5039] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5041] <... openat resumed>) = 4 [pid 5041] write(4, "85", 2) = 2 [pid 5041] memfd_create("syzkaller", 0) = 5 [pid 5041] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5040] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 59.761517][ T5041] FAULT_INJECTION: forcing a failure. [ 59.761517][ T5041] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 59.775216][ T5041] CPU: 0 PID: 5041 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 59.785663][ T5041] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 59.795735][ T5041] Call Trace: [ 59.799023][ T5041] [ 59.801959][ T5041] dump_stack_lvl+0x1e7/0x2d0 [ 59.806640][ T5041] ? nf_tcp_handle_invalid+0x650/0x650 [ 59.812105][ T5041] ? panic+0x770/0x770 [ 59.816173][ T5041] should_fail_ex+0x3aa/0x4e0 [ 59.820948][ T5041] prepare_alloc_pages+0x1d9/0x5b0 [ 59.826059][ T5041] __alloc_pages+0x165/0x670 [ 59.830645][ T5041] ? zone_statistics+0x170/0x170 [ 59.835592][ T5041] ? verify_lock_unused+0x140/0x140 [ 59.840812][ T5041] ? handle_mm_fault+0x11d/0x62b0 [ 59.845849][ T5041] ? __lock_acquire+0x7f70/0x7f70 [ 59.850884][ T5041] ? pte_offset_map_nolock+0x137/0x1e0 [ 59.856362][ T5041] __folio_alloc+0x13/0x30 [ 59.860778][ T5041] vma_alloc_folio+0x48a/0x9a0 [ 59.865551][ T5041] handle_mm_fault+0x2376/0x62b0 [ 59.870495][ T5041] ? handle_mm_fault+0x11d/0x62b0 [ 59.875517][ T5041] ? numa_migrate_prep+0x380/0x380 [ 59.880727][ T5041] ? mtree_range_walk+0x6a0/0x7e0 [ 59.885790][ T5041] ? lock_vma_under_rcu+0x187/0x6f0 [ 59.891000][ T5041] ? __lock_acquire+0x7f70/0x7f70 [ 59.896020][ T5041] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 59.901235][ T5041] ? lock_vma_under_rcu+0x5df/0x6f0 [ 59.906423][ T5041] ? lock_vma_under_rcu+0x187/0x6f0 [ 59.911617][ T5041] ? exc_page_fault+0x10f/0x860 [ 59.916461][ T5041] exc_page_fault+0x455/0x860 [ 59.921138][ T5041] asm_exc_page_fault+0x26/0x30 [ 59.926079][ T5041] RIP: 0033:0x7f794735bc53 [ 59.930489][ T5041] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 59.950100][ T5041] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5040] munmap(0x7f793ef10000, 2097152) = 0 [pid 5040] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 59.956249][ T5041] RAX: 000000000008a001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 59.964670][ T5041] RDX: 00007f794732f8f0 RSI: 0000000000000001 RDI: 00007f794732f7f0 [ 59.972634][ T5041] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffe6 [ 59.980609][ T5041] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 59.988592][ T5041] R13: 00007f7947427f80 R14: 0000000000000016 R15: 00007f794732f7f0 [ 59.996583][ T5041] [pid 5040] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5040] close(3) = 0 [pid 5040] mkdir("./file0", 0777) = 0 [pid 5040] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [ 60.006541][ T5040] loop0: detected capacity change from 0 to 4096 [ 60.006909][ T5041] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 60.023343][ T5040] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 60.034671][ T5040] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [ 60.048242][ T5040] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [pid 5041] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5041] munmap(0x7f7936b10000, 2097152) = 0 [pid 5041] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5041] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5041] ioctl(3, LOOP_CLR_FD) = 0 [pid 5041] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5041] close(3) = 0 [pid 5041] close(5) = 0 [pid 5041] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5039] <... futex resumed>) = 0 [pid 5041] <... futex resumed>) = 1 [ 60.064108][ T5040] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 60.074495][ T5040] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 60.083186][ T5040] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [pid 5041] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5040] <... mount resumed>) = 0 [pid 5040] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5040] chdir("./file0") = 0 [pid 5040] ioctl(6, LOOP_CLR_FD) = 0 [pid 5040] close(6) = 0 [pid 5040] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5040] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5039] exit_group(0 [pid 5040] <... futex resumed>) = ? [pid 5039] <... exit_group resumed>) = ? [pid 5040] +++ exited with 0 +++ [pid 5041] <... futex resumed>) = ? [pid 5041] +++ exited with 0 +++ [pid 5039] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5039, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=22 /* 0.22 s */} --- umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 [ 60.105911][ T5040] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 60.119198][ T5040] ntfs: volume version 12.0. [ 60.123852][ T5040] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5042 ./strace-static-x86_64: Process 5042 attached [pid 5042] set_robust_list(0x555555f176a0, 24) = 0 [pid 5042] chdir("./3") = 0 [pid 5042] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5042] setpgid(0, 0) = 0 [pid 5042] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "1000", 4) = 4 [pid 5042] close(3) = 0 [pid 5042] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5042] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5042] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5042] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5042] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5042] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5042] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5042] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5043 attached => {parent_tid=[5043]}, 88) = 5043 [pid 5043] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5042] rt_sigprocmask(SIG_SETMASK, [], [pid 5043] <... rseq resumed>) = 0 [pid 5043] set_robust_list(0x7f79473519a0, 24 [pid 5042] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5043] <... set_robust_list resumed>) = 0 [pid 5042] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5043] rt_sigprocmask(SIG_SETMASK, [], [pid 5042] <... futex resumed>) = 0 [pid 5043] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5042] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5043] memfd_create("syzkaller", 0 [pid 5042] <... futex resumed>) = 0 [pid 5042] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5042] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5043] <... memfd_create resumed>) = 3 [pid 5042] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5043] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5042] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5042] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5044 attached [pid 5043] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5042] <... clone3 resumed> => {parent_tid=[5044]}, 88) = 5044 [pid 5044] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5042] rt_sigprocmask(SIG_SETMASK, [], [pid 5044] set_robust_list(0x7f79473309a0, 24 [pid 5042] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5042] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5044] <... set_robust_list resumed>) = 0 [pid 5042] <... futex resumed>) = 0 [pid 5044] rt_sigprocmask(SIG_SETMASK, [], [pid 5042] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5044] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5044] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5044] write(4, "85", 2) = 2 [pid 5044] memfd_create("syzkaller", 0) = 5 [pid 5044] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5043] <... write resumed>) = 2097152 [ 60.278570][ T5044] FAULT_INJECTION: forcing a failure. [ 60.278570][ T5044] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 60.291885][ T5044] CPU: 1 PID: 5044 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 60.302317][ T5044] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 60.312360][ T5044] Call Trace: [ 60.315641][ T5044] [ 60.318583][ T5044] dump_stack_lvl+0x1e7/0x2d0 [ 60.323270][ T5044] ? nf_tcp_handle_invalid+0x650/0x650 [ 60.328821][ T5044] ? panic+0x770/0x770 [ 60.332986][ T5044] should_fail_ex+0x3aa/0x4e0 [ 60.337667][ T5044] prepare_alloc_pages+0x1d9/0x5b0 [ 60.342794][ T5044] __alloc_pages+0x165/0x670 [ 60.347400][ T5044] ? zone_statistics+0x170/0x170 [ 60.352356][ T5044] ? verify_lock_unused+0x140/0x140 [ 60.357555][ T5044] ? handle_mm_fault+0x11d/0x62b0 [ 60.362668][ T5044] ? __lock_acquire+0x7f70/0x7f70 [ 60.367735][ T5044] ? pte_offset_map_nolock+0x137/0x1e0 [ 60.373281][ T5044] __folio_alloc+0x13/0x30 [ 60.377708][ T5044] vma_alloc_folio+0x48a/0x9a0 [ 60.382470][ T5044] handle_mm_fault+0x2376/0x62b0 [ 60.387431][ T5044] ? handle_mm_fault+0x11d/0x62b0 [ 60.392457][ T5044] ? numa_migrate_prep+0x380/0x380 [ 60.397571][ T5044] ? mtree_range_walk+0x6a0/0x7e0 [ 60.402603][ T5044] ? lock_vma_under_rcu+0x187/0x6f0 [ 60.407808][ T5044] ? __lock_acquire+0x7f70/0x7f70 [ 60.412822][ T5044] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 60.418023][ T5044] ? lock_vma_under_rcu+0x5df/0x6f0 [ 60.423224][ T5044] ? lock_vma_under_rcu+0x187/0x6f0 [ 60.428429][ T5044] ? exc_page_fault+0x10f/0x860 [ 60.433274][ T5044] exc_page_fault+0x455/0x860 [ 60.437953][ T5044] asm_exc_page_fault+0x26/0x30 [ 60.442796][ T5044] RIP: 0033:0x7f794735bc53 [ 60.447211][ T5044] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 60.466896][ T5044] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5043] munmap(0x7f793ef10000, 2097152) = 0 [ 60.472957][ T5044] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 60.480925][ T5044] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 60.488895][ T5044] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 60.496946][ T5044] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 60.504907][ T5044] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 60.512923][ T5044] [ 60.518540][ T5044] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5043] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5043] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5043] close(3) = 0 [pid 5043] mkdir("./file0", 0777) = 0 [pid 5043] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5044] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5043] <... mount resumed>) = 0 [pid 5043] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5043] chdir("./file0") = 0 [pid 5043] ioctl(6, LOOP_CLR_FD) = 0 [pid 5043] close(6) = 0 [pid 5043] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5043] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5044] <... write resumed>) = 2097152 [pid 5044] munmap(0x7f7936b10000, 2097152) = 0 [pid 5044] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5044] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5044] ioctl(6, LOOP_CLR_FD) = 0 [pid 5044] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5044] close(6) = 0 [ 60.529963][ T5043] loop0: detected capacity change from 0 to 4096 [ 60.546893][ T5043] ntfs: volume version 12.0. [pid 5044] close(5) = 0 [pid 5044] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5044] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5042] <... futex resumed>) = 0 [pid 5042] exit_group(0 [pid 5044] <... futex resumed>) = ? [pid 5042] <... exit_group resumed>) = ? [pid 5043] <... futex resumed>) = ? [pid 5043] +++ exited with 0 +++ [pid 5044] +++ exited with 0 +++ [pid 5042] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5042, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5045 attached , child_tidptr=0x555555f17690) = 5045 [pid 5045] set_robust_list(0x555555f176a0, 24) = 0 [pid 5045] chdir("./4") = 0 [pid 5045] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5045] setpgid(0, 0) = 0 [pid 5045] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5045] write(3, "1000", 4) = 4 [pid 5045] close(3) = 0 [pid 5045] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5045] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5045] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5045] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5045] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5045] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5045] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5045] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5046 attached [pid 5046] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5045] <... clone3 resumed> => {parent_tid=[5046]}, 88) = 5046 [pid 5045] rt_sigprocmask(SIG_SETMASK, [], [pid 5046] <... rseq resumed>) = 0 [pid 5046] set_robust_list(0x7f79473519a0, 24 [pid 5045] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5046] <... set_robust_list resumed>) = 0 [pid 5046] rt_sigprocmask(SIG_SETMASK, [], [pid 5045] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5046] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5045] <... futex resumed>) = 0 [pid 5045] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5046] memfd_create("syzkaller", 0 [pid 5045] <... futex resumed>) = 0 [pid 5046] <... memfd_create resumed>) = 3 [pid 5046] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5045] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5046] <... mmap resumed>) = 0x7f793ef31000 [pid 5045] <... mmap resumed>) = 0x7f793ef10000 [pid 5045] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5045] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5045] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5047 attached => {parent_tid=[5047]}, 88) = 5047 [pid 5045] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5045] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5047] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5047] set_robust_list(0x7f793ef309a0, 24 [pid 5045] <... futex resumed>) = 0 [pid 5047] <... set_robust_list resumed>) = 0 [pid 5047] rt_sigprocmask(SIG_SETMASK, [], [pid 5045] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5047] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5047] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5047] write(4, "85", 2) = 2 [pid 5047] memfd_create("syzkaller", 0) = 5 [pid 5047] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 60.687182][ T5047] FAULT_INJECTION: forcing a failure. [ 60.687182][ T5047] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 60.701661][ T5047] CPU: 1 PID: 5047 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 60.712093][ T5047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 60.722150][ T5047] Call Trace: [ 60.725524][ T5047] [ 60.728446][ T5047] dump_stack_lvl+0x1e7/0x2d0 [ 60.733120][ T5047] ? nf_tcp_handle_invalid+0x650/0x650 [ 60.738573][ T5047] ? panic+0x770/0x770 [ 60.742644][ T5047] should_fail_ex+0x3aa/0x4e0 [ 60.747323][ T5047] prepare_alloc_pages+0x1d9/0x5b0 [ 60.752797][ T5047] __alloc_pages+0x165/0x670 [ 60.757820][ T5047] ? zone_statistics+0x170/0x170 [ 60.762780][ T5047] ? verify_lock_unused+0x140/0x140 [ 60.767972][ T5047] ? handle_mm_fault+0x11d/0x62b0 [ 60.772995][ T5047] ? __lock_acquire+0x7f70/0x7f70 [ 60.778094][ T5047] ? pte_offset_map_nolock+0x137/0x1e0 [ 60.783547][ T5047] __folio_alloc+0x13/0x30 [ 60.787960][ T5047] vma_alloc_folio+0x48a/0x9a0 [ 60.792719][ T5047] handle_mm_fault+0x2376/0x62b0 [ 60.797661][ T5047] ? handle_mm_fault+0x11d/0x62b0 [ 60.802779][ T5047] ? numa_migrate_prep+0x380/0x380 [ 60.807888][ T5047] ? mtree_range_walk+0x6a0/0x7e0 [ 60.812923][ T5047] ? lock_vma_under_rcu+0x187/0x6f0 [ 60.818119][ T5047] ? __lock_acquire+0x7f70/0x7f70 [ 60.823139][ T5047] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 60.828347][ T5047] ? lock_vma_under_rcu+0x5df/0x6f0 [ 60.833538][ T5047] ? lock_vma_under_rcu+0x187/0x6f0 [ 60.838762][ T5047] ? exc_page_fault+0x10f/0x860 [ 60.843606][ T5047] exc_page_fault+0x455/0x860 [ 60.848280][ T5047] asm_exc_page_fault+0x26/0x30 [ 60.853119][ T5047] RIP: 0033:0x7f794735bc53 [ 60.857527][ T5047] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 60.877123][ T5047] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5046] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5047] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5046] <... write resumed>) = 2097152 [pid 5046] munmap(0x7f793ef31000, 2097152) = 0 [ 60.883182][ T5047] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 60.891145][ T5047] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 60.899107][ T5047] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 60.907175][ T5047] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 60.915143][ T5047] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 60.923127][ T5047] [ 60.926419][ T5047] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5046] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5046] ioctl(6, LOOP_SET_FD, 3 [pid 5047] <... write resumed>) = 2097152 [pid 5047] munmap(0x7f7936b10000, 2097152 [pid 5046] <... ioctl resumed>) = 0 [pid 5046] close(3) = 0 [pid 5046] mkdir("./file0", 0777 [pid 5047] <... munmap resumed>) = 0 [pid 5047] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5046] <... mkdir resumed>) = 0 [pid 5047] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5046] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5047] ioctl(3, LOOP_CLR_FD) = 0 [pid 5047] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5047] close(3) = 0 [pid 5047] close(5 [pid 5046] <... mount resumed>) = 0 [pid 5046] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5046] chdir("./file0") = 0 [pid 5046] ioctl(6, LOOP_CLR_FD) = 0 [pid 5046] close(6) = 0 [pid 5046] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5047] <... close resumed>) = 0 [pid 5047] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5047] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5045] <... futex resumed>) = 0 [pid 5045] exit_group(0 [pid 5047] <... futex resumed>) = ? [pid 5047] +++ exited with 0 +++ [pid 5046] <... futex resumed>) = ? [pid 5045] <... exit_group resumed>) = ? [pid 5046] +++ exited with 0 +++ [pid 5045] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5045, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 [ 60.971219][ T5046] loop0: detected capacity change from 0 to 4096 [ 61.000260][ T5046] ntfs: volume version 12.0. getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5048 attached , child_tidptr=0x555555f17690) = 5048 [pid 5048] set_robust_list(0x555555f176a0, 24) = 0 [pid 5048] chdir("./5") = 0 [pid 5048] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5048] setpgid(0, 0) = 0 [pid 5048] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5048] write(3, "1000", 4) = 4 [pid 5048] close(3) = 0 [pid 5048] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5048] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5048] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5048] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5048] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5048] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5048] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5048] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5049 attached => {parent_tid=[5049]}, 88) = 5049 [pid 5049] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5048] rt_sigprocmask(SIG_SETMASK, [], [pid 5049] set_robust_list(0x7f79473519a0, 24 [pid 5048] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5049] <... set_robust_list resumed>) = 0 [pid 5048] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5048] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5048] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5049] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5048] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5049] memfd_create("syzkaller", 0 [pid 5048] <... mprotect resumed>) = 0 [pid 5048] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5048] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5050]}, 88) = 5050 [pid 5048] rt_sigprocmask(SIG_SETMASK, [], ./strace-static-x86_64: Process 5050 attached NULL, 8) = 0 [pid 5048] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5048] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5049] <... memfd_create resumed>) = 3 [pid 5049] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5050] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5050] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5050] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5050] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5050] write(4, "85", 2) = 2 [pid 5050] memfd_create("syzkaller", 0) = 5 [pid 5050] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5049] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 61.102204][ T5050] FAULT_INJECTION: forcing a failure. [ 61.102204][ T5050] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 61.116034][ T5050] CPU: 1 PID: 5050 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 61.126477][ T5050] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 61.136545][ T5050] Call Trace: [ 61.139826][ T5050] [ 61.142784][ T5050] dump_stack_lvl+0x1e7/0x2d0 [ 61.147479][ T5050] ? nf_tcp_handle_invalid+0x650/0x650 [ 61.152934][ T5050] ? panic+0x770/0x770 [ 61.157009][ T5050] should_fail_ex+0x3aa/0x4e0 [ 61.161677][ T5050] prepare_alloc_pages+0x1d9/0x5b0 [ 61.166783][ T5050] __alloc_pages+0x165/0x670 [ 61.171367][ T5050] ? zone_statistics+0x170/0x170 [ 61.176306][ T5050] ? verify_lock_unused+0x140/0x140 [ 61.181499][ T5050] ? handle_mm_fault+0x11d/0x62b0 [ 61.186519][ T5050] ? __lock_acquire+0x7f70/0x7f70 [ 61.191537][ T5050] ? pte_offset_map_nolock+0x137/0x1e0 [ 61.197078][ T5050] __folio_alloc+0x13/0x30 [ 61.201490][ T5050] vma_alloc_folio+0x48a/0x9a0 [ 61.206338][ T5050] handle_mm_fault+0x2376/0x62b0 [ 61.211313][ T5050] ? handle_mm_fault+0x11d/0x62b0 [ 61.216349][ T5050] ? numa_migrate_prep+0x380/0x380 [ 61.221479][ T5050] ? mtree_range_walk+0x6a0/0x7e0 [ 61.226597][ T5050] ? lock_vma_under_rcu+0x187/0x6f0 [ 61.231806][ T5050] ? __lock_acquire+0x7f70/0x7f70 [ 61.236830][ T5050] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 61.242042][ T5050] ? lock_vma_under_rcu+0x5df/0x6f0 [ 61.247238][ T5050] ? lock_vma_under_rcu+0x187/0x6f0 [ 61.252443][ T5050] ? exc_page_fault+0x10f/0x860 [ 61.257292][ T5050] exc_page_fault+0x455/0x860 [ 61.261988][ T5050] asm_exc_page_fault+0x26/0x30 [ 61.266860][ T5050] RIP: 0033:0x7f794735bc53 [ 61.271284][ T5050] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 61.290894][ T5050] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 61.296975][ T5050] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 61.305038][ T5050] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 61.313004][ T5050] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 61.320976][ T5050] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 61.328958][ T5050] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 61.336944][ T5050] [ 61.340274][ T5050] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5049] munmap(0x7f793ef10000, 2097152) = 0 [pid 5049] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5049] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5050] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5049] close(3) = 0 [pid 5049] mkdir("./file0", 0777) = 0 [pid 5049] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5050] <... write resumed>) = 2097152 [pid 5050] munmap(0x7f7936b10000, 2097152) = 0 [pid 5050] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5050] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5050] ioctl(3, LOOP_CLR_FD) = 0 [pid 5050] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5050] close(3) = 0 [ 61.350590][ T5049] loop0: detected capacity change from 0 to 4096 [pid 5050] close(5) = 0 [pid 5050] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5048] <... futex resumed>) = 0 [pid 5050] <... futex resumed>) = 1 [pid 5050] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5049] <... mount resumed>) = 0 [pid 5049] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5049] chdir("./file0") = 0 [pid 5049] ioctl(6, LOOP_CLR_FD) = 0 [pid 5049] close(6) = 0 [pid 5049] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5049] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5048] exit_group(0 [pid 5050] <... futex resumed>) = ? [pid 5049] <... futex resumed>) = ? [pid 5048] <... exit_group resumed>) = ? [pid 5050] +++ exited with 0 +++ [pid 5049] +++ exited with 0 +++ [pid 5048] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5048, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=10 /* 0.10 s */} --- umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/binderfs") = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [ 61.398607][ T5049] ntfs: volume version 12.0. newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5051 attached [pid 5051] set_robust_list(0x555555f176a0, 24) = 0 [pid 5051] chdir("./6") = 0 [pid 5051] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5051] setpgid(0, 0) = 0 [pid 5051] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5051] write(3, "1000", 4) = 4 [pid 5051] close(3) = 0 [pid 5051] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5051] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5051] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5051] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5051] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5051] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5051] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5051] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5052 attached => {parent_tid=[5052]}, 88) = 5052 [pid 5052] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5051] rt_sigprocmask(SIG_SETMASK, [], [pid 5052] <... rseq resumed>) = 0 [pid 5052] set_robust_list(0x7f79473519a0, 24 [pid 5051] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5052] <... set_robust_list resumed>) = 0 [pid 5051] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5052] rt_sigprocmask(SIG_SETMASK, [], [pid 5051] <... futex resumed>) = 0 [pid 5052] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5051] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5052] memfd_create("syzkaller", 0 [pid 5051] <... futex resumed>) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5051 [pid 5051] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5051] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5051] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5051] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5053]}, 88) = 5053 [pid 5052] <... memfd_create resumed>) = 3 [pid 5051] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5052] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5051] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5053 attached [pid 5052] <... mmap resumed>) = 0x7f793ef10000 [pid 5051] <... futex resumed>) = 0 [pid 5053] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5053] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5053] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5051] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5053] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5053] write(4, "85", 2) = 2 [pid 5053] memfd_create("syzkaller", 0) = 5 [pid 5053] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5052] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 61.510017][ T5053] FAULT_INJECTION: forcing a failure. [ 61.510017][ T5053] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 61.524027][ T5053] CPU: 0 PID: 5053 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 61.534484][ T5053] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 61.544555][ T5053] Call Trace: [ 61.547837][ T5053] [ 61.550754][ T5053] dump_stack_lvl+0x1e7/0x2d0 [ 61.555417][ T5053] ? nf_tcp_handle_invalid+0x650/0x650 [ 61.561501][ T5053] ? panic+0x770/0x770 [ 61.565650][ T5053] should_fail_ex+0x3aa/0x4e0 [ 61.570496][ T5053] prepare_alloc_pages+0x1d9/0x5b0 [ 61.575608][ T5053] __alloc_pages+0x165/0x670 [ 61.580200][ T5053] ? zone_statistics+0x170/0x170 [ 61.585167][ T5053] ? verify_lock_unused+0x140/0x140 [ 61.590365][ T5053] ? handle_mm_fault+0x11d/0x62b0 [ 61.595391][ T5053] ? __lock_acquire+0x7f70/0x7f70 [ 61.600497][ T5053] ? pte_offset_map_nolock+0x137/0x1e0 [ 61.606073][ T5053] __folio_alloc+0x13/0x30 [ 61.610489][ T5053] vma_alloc_folio+0x48a/0x9a0 [ 61.615281][ T5053] handle_mm_fault+0x2376/0x62b0 [ 61.620331][ T5053] ? handle_mm_fault+0x11d/0x62b0 [ 61.625402][ T5053] ? numa_migrate_prep+0x380/0x380 [ 61.630550][ T5053] ? mtree_range_walk+0x6a0/0x7e0 [ 61.635582][ T5053] ? lock_vma_under_rcu+0x187/0x6f0 [ 61.640871][ T5053] ? __lock_acquire+0x7f70/0x7f70 [ 61.645890][ T5053] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 61.651097][ T5053] ? lock_vma_under_rcu+0x5df/0x6f0 [ 61.656294][ T5053] ? lock_vma_under_rcu+0x187/0x6f0 [ 61.661496][ T5053] ? exc_page_fault+0x10f/0x860 [ 61.666345][ T5053] exc_page_fault+0x455/0x860 [ 61.671289][ T5053] asm_exc_page_fault+0x26/0x30 [ 61.676137][ T5053] RIP: 0033:0x7f794735bc53 [ 61.680563][ T5053] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 61.700163][ T5053] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5052] munmap(0x7f793ef10000, 2097152) = 0 [pid 5052] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 61.706241][ T5053] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 61.714240][ T5053] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 61.722219][ T5053] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 61.730277][ T5053] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 61.738242][ T5053] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 61.746407][ T5053] [ 61.749890][ T5053] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5052] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5052] close(3) = 0 [pid 5052] mkdir("./file0", 0777) = 0 [pid 5052] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5053] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5052] <... mount resumed>) = 0 [pid 5052] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5052] chdir("./file0") = 0 [pid 5052] ioctl(6, LOOP_CLR_FD) = 0 [pid 5052] close(6) = 0 [pid 5052] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5052] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5053] <... write resumed>) = 2097152 [pid 5053] munmap(0x7f7936b10000, 2097152) = 0 [pid 5053] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5053] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5053] ioctl(6, LOOP_CLR_FD) = 0 [pid 5053] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5053] close(6) = 0 [ 61.762149][ T5052] loop0: detected capacity change from 0 to 4096 [ 61.778076][ T5052] ntfs: volume version 12.0. [pid 5053] close(5) = 0 [pid 5053] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5051] <... futex resumed>) = 0 [pid 5053] <... futex resumed>) = 1 [pid 5053] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5051] exit_group(0 [pid 5053] <... futex resumed>) = ? [pid 5052] <... futex resumed>) = ? [pid 5051] <... exit_group resumed>) = ? [pid 5053] +++ exited with 0 +++ [pid 5052] +++ exited with 0 +++ [pid 5051] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5051, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=13 /* 0.13 s */} --- umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/binderfs") = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5054 attached , child_tidptr=0x555555f17690) = 5054 [pid 5054] set_robust_list(0x555555f176a0, 24) = 0 [pid 5054] chdir("./7") = 0 [pid 5054] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5054] setpgid(0, 0) = 0 [pid 5054] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5054] write(3, "1000", 4) = 4 [pid 5054] close(3) = 0 [pid 5054] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5054] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5054] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5054] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5054] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5054] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5054] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5055 attached => {parent_tid=[5055]}, 88) = 5055 [pid 5055] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5055] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5055] rt_sigprocmask(SIG_SETMASK, [], [pid 5054] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5055] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5055] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5054] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5054] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5055] <... futex resumed>) = 0 [pid 5054] <... futex resumed>) = 0 [pid 5055] memfd_create("syzkaller", 0 [pid 5054] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5054] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5055] <... memfd_create resumed>) = 3 [pid 5054] <... mprotect resumed>) = 0 [pid 5055] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5054] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5054] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5056 attached => {parent_tid=[5056]}, 88) = 5056 [pid 5056] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5056] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5054] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5054] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5056] rt_sigprocmask(SIG_SETMASK, [], [pid 5054] <... futex resumed>) = 0 [pid 5056] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5054] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5056] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5055] munmap(0x7f793ef10000, 138412032 [pid 5056] <... openat resumed>) = 4 [pid 5056] write(4, "85", 2) = 2 [pid 5056] memfd_create("syzkaller", 0) = 5 [pid 5056] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5055] <... munmap resumed>) = 0 [pid 5055] close(3) = 0 [pid 5055] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 61.914212][ T5056] FAULT_INJECTION: forcing a failure. [ 61.914212][ T5056] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 61.928924][ T5056] CPU: 0 PID: 5056 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 61.939469][ T5056] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 61.949979][ T5056] Call Trace: [ 61.953257][ T5056] [ 61.956185][ T5056] dump_stack_lvl+0x1e7/0x2d0 [ 61.960884][ T5056] ? nf_tcp_handle_invalid+0x650/0x650 [ 61.966370][ T5056] ? panic+0x770/0x770 [ 61.970544][ T5056] should_fail_ex+0x3aa/0x4e0 [ 61.975492][ T5056] prepare_alloc_pages+0x1d9/0x5b0 [ 61.980714][ T5056] __alloc_pages+0x165/0x670 [ 61.985310][ T5056] ? zone_statistics+0x170/0x170 [ 61.990263][ T5056] ? verify_lock_unused+0x140/0x140 [ 61.995465][ T5056] ? handle_mm_fault+0x11d/0x62b0 [ 62.000487][ T5056] ? __lock_acquire+0x7f70/0x7f70 [ 62.005505][ T5056] ? pte_offset_map_nolock+0x137/0x1e0 [ 62.011225][ T5056] __folio_alloc+0x13/0x30 [ 62.015639][ T5056] vma_alloc_folio+0x48a/0x9a0 [ 62.020407][ T5056] handle_mm_fault+0x2376/0x62b0 [ 62.025364][ T5056] ? handle_mm_fault+0x11d/0x62b0 [ 62.030411][ T5056] ? numa_migrate_prep+0x380/0x380 [ 62.035532][ T5056] ? mtree_range_walk+0x6a0/0x7e0 [ 62.040559][ T5056] ? lock_vma_under_rcu+0x187/0x6f0 [ 62.045765][ T5056] ? __lock_acquire+0x7f70/0x7f70 [ 62.051309][ T5056] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 62.056537][ T5056] ? lock_vma_under_rcu+0x5df/0x6f0 [ 62.062284][ T5056] ? lock_vma_under_rcu+0x187/0x6f0 [ 62.067503][ T5056] ? exc_page_fault+0x10f/0x860 [ 62.072376][ T5056] exc_page_fault+0x455/0x860 [ 62.077095][ T5056] asm_exc_page_fault+0x26/0x30 [ 62.082139][ T5056] RIP: 0033:0x7f794735bc53 [ 62.086731][ T5056] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 62.106766][ T5056] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5055] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5056] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5056] munmap(0x7f793ef10000, 2097152) = 0 [pid 5056] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 62.112832][ T5056] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 62.120797][ T5056] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 62.128765][ T5056] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 62.136731][ T5056] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 62.144697][ T5056] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 62.152679][ T5056] [ 62.156061][ T5056] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5056] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5056] close(5) = 0 [pid 5056] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5056] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5056] ioctl(3, LOOP_CLR_FD) = 0 [pid 5056] close(3) = 0 [pid 5056] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5056] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5054] <... futex resumed>) = 0 [pid 5054] exit_group(0 [pid 5056] <... futex resumed>) = ? [pid 5054] <... exit_group resumed>) = ? [pid 5056] +++ exited with 0 +++ [pid 5055] <... futex resumed>) = ? [pid 5055] +++ exited with 0 +++ [pid 5054] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5054, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 62.191539][ T5056] loop0: detected capacity change from 0 to 4096 [ 62.209078][ T5056] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 62.216565][ T5056] ntfs3: loop0: Failed to load $AttrDef (-22) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/binderfs") = 0 umount2("\x2e\x2f\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5057 attached , child_tidptr=0x555555f17690) = 5057 [pid 5057] set_robust_list(0x555555f176a0, 24) = 0 [pid 5057] chdir("./8") = 0 [pid 5057] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5057] setpgid(0, 0) = 0 [pid 5057] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5057] write(3, "1000", 4) = 4 [pid 5057] close(3) = 0 [pid 5057] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5057] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5057] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5057] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5057] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5057] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5057] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5057] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5058]}, 88) = 5058 ./strace-static-x86_64: Process 5058 attached [pid 5057] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5057] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5057] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5057] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5057] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5057] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5057] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5059 attached [pid 5058] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5059] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5058] <... rseq resumed>) = 0 [pid 5057] <... clone3 resumed> => {parent_tid=[5059]}, 88) = 5059 [pid 5059] <... rseq resumed>) = 0 [pid 5058] set_robust_list(0x7f79473519a0, 24 [pid 5057] rt_sigprocmask(SIG_SETMASK, [], [pid 5058] <... set_robust_list resumed>) = 0 [pid 5059] set_robust_list(0x7f79473309a0, 24 [pid 5058] rt_sigprocmask(SIG_SETMASK, [], [pid 5057] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5059] <... set_robust_list resumed>) = 0 [pid 5058] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5057] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5059] rt_sigprocmask(SIG_SETMASK, [], [pid 5057] <... futex resumed>) = 0 [pid 5059] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5057] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5059] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5058] memfd_create("syzkaller", 0) = 4 [pid 5059] <... openat resumed>) = 3 [pid 5059] write(3, "85", 2) = 2 [pid 5059] memfd_create("syzkaller", 0) = 5 [pid 5059] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 62.321896][ T5059] FAULT_INJECTION: forcing a failure. [ 62.321896][ T5059] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 62.335438][ T5059] CPU: 1 PID: 5059 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 62.345845][ T5059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 62.356088][ T5059] Call Trace: [ 62.359460][ T5059] [ 62.362410][ T5059] dump_stack_lvl+0x1e7/0x2d0 [ 62.367098][ T5059] ? nf_tcp_handle_invalid+0x650/0x650 [ 62.372585][ T5059] ? panic+0x770/0x770 [ 62.376684][ T5059] should_fail_ex+0x3aa/0x4e0 [ 62.381397][ T5059] prepare_alloc_pages+0x1d9/0x5b0 [ 62.386526][ T5059] __alloc_pages+0x165/0x670 [ 62.391386][ T5059] ? zone_statistics+0x170/0x170 [ 62.396413][ T5059] ? verify_lock_unused+0x140/0x140 [ 62.401626][ T5059] ? handle_mm_fault+0x11d/0x62b0 [ 62.406652][ T5059] ? __lock_acquire+0x7f70/0x7f70 [ 62.411671][ T5059] ? pte_offset_map_nolock+0x137/0x1e0 [ 62.417141][ T5059] __folio_alloc+0x13/0x30 [ 62.421555][ T5059] vma_alloc_folio+0x48a/0x9a0 [ 62.426322][ T5059] handle_mm_fault+0x2376/0x62b0 [ 62.431280][ T5059] ? handle_mm_fault+0x11d/0x62b0 [ 62.436329][ T5059] ? numa_migrate_prep+0x380/0x380 [ 62.441446][ T5059] ? mtree_range_walk+0x6a0/0x7e0 [ 62.446490][ T5059] ? lock_vma_under_rcu+0x187/0x6f0 [ 62.451688][ T5059] ? __lock_acquire+0x7f70/0x7f70 [ 62.456717][ T5059] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 62.461944][ T5059] ? lock_vma_under_rcu+0x5df/0x6f0 [ 62.467711][ T5059] ? lock_vma_under_rcu+0x187/0x6f0 [ 62.472920][ T5059] ? exc_page_fault+0x10f/0x860 [ 62.477943][ T5059] exc_page_fault+0x455/0x860 [ 62.482624][ T5059] asm_exc_page_fault+0x26/0x30 [ 62.487500][ T5059] RIP: 0033:0x7f794735bc53 [ 62.491931][ T5059] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 62.511551][ T5059] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5058] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5058] munmap(0x7f7936b10000, 138412032) = 0 [pid 5058] close(4) = 0 [pid 5058] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5058] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5059] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 62.517623][ T5059] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 62.525601][ T5059] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 62.533572][ T5059] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 62.542143][ T5059] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 62.550112][ T5059] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 62.558094][ T5059] [ 62.561672][ T5059] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5059] munmap(0x7f793ef10000, 2097152) = 0 [pid 5059] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5059] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5059] close(5) = 0 [pid 5059] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5059] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 62.605236][ T5059] loop0: detected capacity change from 0 to 4096 [ 62.622137][ T5059] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 62.629293][ T5059] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5059] ioctl(4, LOOP_CLR_FD) = 0 [pid 5059] close(4) = 0 [pid 5059] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5057] <... futex resumed>) = 0 [pid 5059] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5057] exit_group(0 [pid 5058] <... futex resumed>) = ? [pid 5058] +++ exited with 0 +++ [pid 5057] <... exit_group resumed>) = ? [pid 5059] <... futex resumed>) = ? [pid 5059] +++ exited with 0 +++ [pid 5057] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5057, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=7 /* 0.07 s */} --- umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/binderfs") = 0 umount2("\x2e\x2f\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./8") = 0 mkdir("./9", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5060 attached [pid 5060] set_robust_list(0x555555f176a0, 24) = 0 [pid 5060] chdir("./9") = 0 [pid 5060] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5060] setpgid(0, 0) = 0 [pid 5060] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5060] write(3, "1000", 4) = 4 [pid 5060] close(3) = 0 [pid 5060] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5060] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5060 [pid 5060] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5060] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5060] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5060] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5060] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5060] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5061 attached [pid 5061] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5060] <... clone3 resumed> => {parent_tid=[5061]}, 88) = 5061 [pid 5061] set_robust_list(0x7f79473519a0, 24 [pid 5060] rt_sigprocmask(SIG_SETMASK, [], [pid 5061] <... set_robust_list resumed>) = 0 [pid 5060] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5061] rt_sigprocmask(SIG_SETMASK, [], [pid 5060] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5061] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5060] <... futex resumed>) = 0 [pid 5060] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5061] memfd_create("syzkaller", 0 [pid 5060] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5061] <... memfd_create resumed>) = 3 [pid 5060] <... mmap resumed>) = 0x7f7947310000 [pid 5061] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5060] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5061] <... mmap resumed>) = 0x7f793ef10000 [pid 5060] <... mprotect resumed>) = 0 [pid 5060] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5060] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5062 attached [pid 5062] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5062] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5060] <... clone3 resumed> => {parent_tid=[5062]}, 88) = 5062 [pid 5062] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5062] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5060] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5060] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5060] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5062] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5062] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5062] write(4, "85", 2) = 2 [pid 5062] memfd_create("syzkaller", 0) = 5 [pid 5062] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 62.763266][ T5062] FAULT_INJECTION: forcing a failure. [ 62.763266][ T5062] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 62.777925][ T5062] CPU: 0 PID: 5062 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 62.788391][ T5062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 62.798464][ T5062] Call Trace: [ 62.801745][ T5062] [ 62.804672][ T5062] dump_stack_lvl+0x1e7/0x2d0 [ 62.809363][ T5062] ? nf_tcp_handle_invalid+0x650/0x650 [ 62.814816][ T5062] ? panic+0x770/0x770 [ 62.818888][ T5062] should_fail_ex+0x3aa/0x4e0 [ 62.823569][ T5062] prepare_alloc_pages+0x1d9/0x5b0 [ 62.828689][ T5062] __alloc_pages+0x165/0x670 [ 62.833303][ T5062] ? zone_statistics+0x170/0x170 [ 62.838272][ T5062] ? verify_lock_unused+0x140/0x140 [ 62.843462][ T5062] ? handle_mm_fault+0x11d/0x62b0 [ 62.848490][ T5062] ? __lock_acquire+0x7f70/0x7f70 [ 62.853507][ T5062] ? pte_offset_map_nolock+0x137/0x1e0 [ 62.858969][ T5062] __folio_alloc+0x13/0x30 [ 62.863401][ T5062] vma_alloc_folio+0x48a/0x9a0 [ 62.868170][ T5062] handle_mm_fault+0x2376/0x62b0 [ 62.873211][ T5062] ? handle_mm_fault+0x11d/0x62b0 [ 62.878238][ T5062] ? numa_migrate_prep+0x380/0x380 [ 62.883358][ T5062] ? mtree_range_walk+0x6a0/0x7e0 [ 62.888470][ T5062] ? lock_vma_under_rcu+0x187/0x6f0 [ 62.893667][ T5062] ? __lock_acquire+0x7f70/0x7f70 [ 62.898684][ T5062] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 62.903978][ T5062] ? lock_vma_under_rcu+0x5df/0x6f0 [ 62.909173][ T5062] ? lock_vma_under_rcu+0x187/0x6f0 [ 62.914371][ T5062] ? exc_page_fault+0x10f/0x860 [ 62.919217][ T5062] exc_page_fault+0x455/0x860 [ 62.923890][ T5062] asm_exc_page_fault+0x26/0x30 [ 62.928731][ T5062] RIP: 0033:0x7f794735bc53 [ 62.933139][ T5062] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 62.952752][ T5062] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5061] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5061] munmap(0x7f793ef10000, 2097152) = 0 [pid 5061] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 62.958834][ T5062] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 62.967153][ T5062] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 62.975126][ T5062] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 62.983109][ T5062] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 62.991088][ T5062] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 62.999072][ T5062] [ 63.002676][ T5062] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5061] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5061] close(3) = 0 [pid 5061] mkdir("./file0", 0777) = 0 [pid 5061] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5062] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5061] <... mount resumed>) = 0 [pid 5061] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5061] chdir("./file0") = 0 [pid 5061] ioctl(6, LOOP_CLR_FD) = 0 [pid 5061] close(6) = 0 [pid 5061] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5061] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5062] <... write resumed>) = 2097152 [pid 5062] munmap(0x7f7936b10000, 2097152) = 0 [pid 5062] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5062] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5062] ioctl(6, LOOP_CLR_FD) = 0 [pid 5062] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5062] close(6) = 0 [ 63.018083][ T5061] loop0: detected capacity change from 0 to 4096 [ 63.036372][ T5061] ntfs: volume version 12.0. [pid 5062] close(5) = 0 [pid 5062] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5062] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5060] <... futex resumed>) = 0 [pid 5060] exit_group(0 [pid 5062] <... futex resumed>) = ? [pid 5061] <... futex resumed>) = ? [pid 5062] +++ exited with 0 +++ [pid 5061] +++ exited with 0 +++ [pid 5060] <... exit_group resumed>) = ? [pid 5060] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5060, si_uid=0, si_status=0, si_utime=0, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./9", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./9/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/binderfs") = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./9/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./9") = 0 mkdir("./10", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5063 ./strace-static-x86_64: Process 5063 attached [pid 5063] set_robust_list(0x555555f176a0, 24) = 0 [pid 5063] chdir("./10") = 0 [pid 5063] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5063] setpgid(0, 0) = 0 [pid 5063] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5063] write(3, "1000", 4) = 4 [pid 5063] close(3) = 0 [pid 5063] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5063] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5063] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5063] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5063] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5063] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5063] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5063] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5064 attached => {parent_tid=[5064]}, 88) = 5064 [pid 5063] rt_sigprocmask(SIG_SETMASK, [], [pid 5064] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5063] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5063] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5063] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5064] <... rseq resumed>) = 0 [pid 5063] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5064] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5064] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5063] <... mmap resumed>) = 0x7f7947310000 [pid 5063] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5063] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5063] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5065 attached [pid 5065] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5064] memfd_create("syzkaller", 0 [pid 5065] <... rseq resumed>) = 0 [pid 5063] <... clone3 resumed> => {parent_tid=[5065]}, 88) = 5065 [pid 5065] set_robust_list(0x7f79473309a0, 24 [pid 5063] rt_sigprocmask(SIG_SETMASK, [], [pid 5065] <... set_robust_list resumed>) = 0 [pid 5063] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5065] rt_sigprocmask(SIG_SETMASK, [], [pid 5064] <... memfd_create resumed>) = 3 [pid 5063] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5064] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5065] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5063] <... futex resumed>) = 0 [pid 5065] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5064] <... mmap resumed>) = 0x7f793ef10000 [pid 5063] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5064] munmap(0x7f793ef10000, 138412032) = 0 [pid 5064] close(3 [pid 5065] <... openat resumed>) = 4 [pid 5065] write(4, "85", 2) = 2 [pid 5065] memfd_create("syzkaller", 0) = 5 [pid 5064] <... close resumed>) = 0 [pid 5064] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5064] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5065] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 63.158864][ T5065] FAULT_INJECTION: forcing a failure. [ 63.158864][ T5065] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 63.172508][ T5065] CPU: 0 PID: 5065 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 63.182928][ T5065] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 63.193011][ T5065] Call Trace: [ 63.196295][ T5065] [ 63.199218][ T5065] dump_stack_lvl+0x1e7/0x2d0 [ 63.203890][ T5065] ? nf_tcp_handle_invalid+0x650/0x650 [ 63.209346][ T5065] ? panic+0x770/0x770 [ 63.213420][ T5065] should_fail_ex+0x3aa/0x4e0 [ 63.218109][ T5065] prepare_alloc_pages+0x1d9/0x5b0 [ 63.223238][ T5065] __alloc_pages+0x165/0x670 [ 63.228261][ T5065] ? zone_statistics+0x170/0x170 [ 63.233201][ T5065] ? verify_lock_unused+0x140/0x140 [ 63.238395][ T5065] ? handle_mm_fault+0x11d/0x62b0 [ 63.243413][ T5065] ? __lock_acquire+0x7f70/0x7f70 [ 63.248428][ T5065] ? pte_offset_map_nolock+0x137/0x1e0 [ 63.253885][ T5065] __folio_alloc+0x13/0x30 [ 63.258295][ T5065] vma_alloc_folio+0x48a/0x9a0 [ 63.263056][ T5065] handle_mm_fault+0x2376/0x62b0 [ 63.268000][ T5065] ? handle_mm_fault+0x11d/0x62b0 [ 63.273029][ T5065] ? numa_migrate_prep+0x380/0x380 [ 63.278144][ T5065] ? mtree_range_walk+0x6a0/0x7e0 [ 63.283166][ T5065] ? lock_vma_under_rcu+0x187/0x6f0 [ 63.288360][ T5065] ? __lock_acquire+0x7f70/0x7f70 [ 63.293372][ T5065] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 63.298577][ T5065] ? lock_vma_under_rcu+0x5df/0x6f0 [ 63.303768][ T5065] ? lock_vma_under_rcu+0x187/0x6f0 [ 63.309060][ T5065] ? exc_page_fault+0x10f/0x860 [ 63.313910][ T5065] exc_page_fault+0x455/0x860 [ 63.318592][ T5065] asm_exc_page_fault+0x26/0x30 [ 63.323437][ T5065] RIP: 0033:0x7f794735bc53 [ 63.327848][ T5065] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 63.347557][ T5065] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5065] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5065] munmap(0x7f793ef10000, 2097152) = 0 [pid 5065] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 63.353648][ T5065] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 63.361619][ T5065] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 63.369585][ T5065] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 63.377552][ T5065] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 63.385864][ T5065] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 63.394018][ T5065] [pid 5065] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5065] close(5) = 0 [pid 5065] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5065] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 63.432169][ T5065] loop0: detected capacity change from 0 to 4096 [ 63.451147][ T5065] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 63.458217][ T5065] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5065] ioctl(3, LOOP_CLR_FD) = 0 [pid 5065] close(3) = 0 [pid 5065] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5063] <... futex resumed>) = 0 [pid 5065] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5063] exit_group(0 [pid 5064] <... futex resumed>) = ? [pid 5063] <... exit_group resumed>) = ? [pid 5064] +++ exited with 0 +++ [pid 5065] <... futex resumed>) = ? [pid 5065] +++ exited with 0 +++ [pid 5063] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5063, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./10", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./10/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/binderfs") = 0 umount2("\x2e\x2f\x31\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./10") = 0 mkdir("./11", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5066 ./strace-static-x86_64: Process 5066 attached [pid 5066] set_robust_list(0x555555f176a0, 24) = 0 [pid 5066] chdir("./11") = 0 [pid 5066] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5066] setpgid(0, 0) = 0 [pid 5066] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5066] write(3, "1000", 4) = 4 [pid 5066] close(3) = 0 [pid 5066] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5066] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5066] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5066] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5066] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5066] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5066] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5067]}, 88) = 5067 [pid 5066] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5066] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5066] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE./strace-static-x86_64: Process 5067 attached [pid 5067] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5066] <... mprotect resumed>) = 0 [pid 5067] <... rseq resumed>) = 0 [pid 5067] set_robust_list(0x7f79473519a0, 24 [pid 5066] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5067] <... set_robust_list resumed>) = 0 [pid 5067] rt_sigprocmask(SIG_SETMASK, [], [pid 5066] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5067] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5066] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5068 attached [pid 5068] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5066] <... clone3 resumed> => {parent_tid=[5068]}, 88) = 5068 [pid 5068] <... rseq resumed>) = 0 [pid 5066] rt_sigprocmask(SIG_SETMASK, [], [pid 5068] set_robust_list(0x7f79473309a0, 24 [pid 5066] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5068] <... set_robust_list resumed>) = 0 [pid 5066] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5068] rt_sigprocmask(SIG_SETMASK, [], [pid 5067] memfd_create("syzkaller", 0 [pid 5066] <... futex resumed>) = 0 [pid 5068] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5068] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5067] <... memfd_create resumed>) = 3 [pid 5066] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5067] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5067] munmap(0x7f793ef10000, 138412032) = 0 [pid 5068] <... openat resumed>) = 4 [pid 5068] write(4, "85", 2) = 2 [pid 5067] close(3 [pid 5068] memfd_create("syzkaller", 0) = 5 [pid 5068] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5067] <... close resumed>) = 0 [pid 5067] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 63.601167][ T5068] FAULT_INJECTION: forcing a failure. [ 63.601167][ T5068] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 63.614460][ T5068] CPU: 1 PID: 5068 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 63.624875][ T5068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 63.635023][ T5068] Call Trace: [ 63.638658][ T5068] [ 63.641604][ T5068] dump_stack_lvl+0x1e7/0x2d0 [ 63.646289][ T5068] ? nf_tcp_handle_invalid+0x650/0x650 [ 63.651780][ T5068] ? panic+0x770/0x770 [ 63.655848][ T5068] should_fail_ex+0x3aa/0x4e0 [ 63.660522][ T5068] prepare_alloc_pages+0x1d9/0x5b0 [ 63.665639][ T5068] __alloc_pages+0x165/0x670 [ 63.670249][ T5068] ? zone_statistics+0x170/0x170 [ 63.675183][ T5068] ? verify_lock_unused+0x140/0x140 [ 63.680383][ T5068] ? handle_mm_fault+0x11d/0x62b0 [ 63.685414][ T5068] ? __lock_acquire+0x7f70/0x7f70 [ 63.690430][ T5068] ? pte_offset_map_nolock+0x137/0x1e0 [ 63.695891][ T5068] __folio_alloc+0x13/0x30 [ 63.700302][ T5068] vma_alloc_folio+0x48a/0x9a0 [ 63.705075][ T5068] handle_mm_fault+0x2376/0x62b0 [ 63.710012][ T5068] ? handle_mm_fault+0x11d/0x62b0 [ 63.715050][ T5068] ? numa_migrate_prep+0x380/0x380 [ 63.720358][ T5068] ? mtree_range_walk+0x6a0/0x7e0 [ 63.725389][ T5068] ? lock_vma_under_rcu+0x187/0x6f0 [ 63.730593][ T5068] ? __lock_acquire+0x7f70/0x7f70 [ 63.735624][ T5068] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 63.740863][ T5068] ? lock_vma_under_rcu+0x5df/0x6f0 [ 63.746144][ T5068] ? lock_vma_under_rcu+0x187/0x6f0 [ 63.751356][ T5068] ? exc_page_fault+0x10f/0x860 [ 63.756217][ T5068] exc_page_fault+0x455/0x860 [ 63.760990][ T5068] asm_exc_page_fault+0x26/0x30 [ 63.765967][ T5068] RIP: 0033:0x7f794735bd00 [ 63.770376][ T5068] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 63.789977][ T5068] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5067] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5068] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5068] munmap(0x7f793ef10000, 2097152) = 0 [pid 5068] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 63.796049][ T5068] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 63.804025][ T5068] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 63.812031][ T5068] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 63.820027][ T5068] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 63.828169][ T5068] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 63.836163][ T5068] [pid 5068] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5068] close(5) = 0 [pid 5068] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5068] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5068] ioctl(3, LOOP_CLR_FD) = 0 [pid 5068] close(3) = 0 [pid 5068] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5066] <... futex resumed>) = 0 [pid 5066] exit_group(0) = ? [pid 5068] <... futex resumed>) = ? [pid 5068] +++ exited with 0 +++ [ 63.871875][ T5068] loop0: detected capacity change from 0 to 4096 [ 63.891410][ T5068] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 63.898634][ T5068] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5067] <... futex resumed>) = ? [pid 5067] +++ exited with 0 +++ [pid 5066] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5066, si_uid=0, si_status=0, si_utime=0, si_stime=5 /* 0.05 s */} --- umount2("./11", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./11/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/binderfs") = 0 umount2("\x2e\x2f\x31\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./11") = 0 mkdir("./12", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5069 attached , child_tidptr=0x555555f17690) = 5069 [pid 5069] set_robust_list(0x555555f176a0, 24) = 0 [pid 5069] chdir("./12") = 0 [pid 5069] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5069] setpgid(0, 0) = 0 [pid 5069] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5069] write(3, "1000", 4) = 4 [pid 5069] close(3) = 0 [pid 5069] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5069] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5069] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5069] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5069] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5069] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5069] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5069] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5070]}, 88) = 5070 [pid 5069] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5069] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5069] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5069] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5069] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5069] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5069] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5071 attached => {parent_tid=[5071]}, 88) = 5071 [pid 5071] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5069] rt_sigprocmask(SIG_SETMASK, [], [pid 5071] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5069] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5071] rt_sigprocmask(SIG_SETMASK, [], [pid 5069] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5071] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5070 attached [pid 5071] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5069] <... futex resumed>) = 0 [pid 5069] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5071] <... openat resumed>) = 3 [pid 5070] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5070] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5071] write(3, "85", 2 [pid 5070] rt_sigprocmask(SIG_SETMASK, [], [pid 5071] <... write resumed>) = 2 [pid 5070] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5071] memfd_create("syzkaller", 0) = 4 [pid 5071] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5070] memfd_create("syzkaller", 0) = 5 [pid 5070] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 64.000604][ T5071] FAULT_INJECTION: forcing a failure. [ 64.000604][ T5071] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 64.016106][ T5071] CPU: 1 PID: 5071 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 64.026650][ T5071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 64.036758][ T5071] Call Trace: [ 64.040119][ T5071] [ 64.043054][ T5071] dump_stack_lvl+0x1e7/0x2d0 [ 64.047751][ T5071] ? nf_tcp_handle_invalid+0x650/0x650 [ 64.053219][ T5071] ? panic+0x770/0x770 [ 64.057387][ T5071] should_fail_ex+0x3aa/0x4e0 [ 64.062083][ T5071] prepare_alloc_pages+0x1d9/0x5b0 [ 64.067199][ T5071] __alloc_pages+0x165/0x670 [ 64.071816][ T5071] ? zone_statistics+0x170/0x170 [ 64.076819][ T5071] ? verify_lock_unused+0x140/0x140 [ 64.082021][ T5071] ? handle_mm_fault+0x11d/0x62b0 [ 64.087046][ T5071] ? __lock_acquire+0x7f70/0x7f70 [ 64.092062][ T5071] ? pte_offset_map_nolock+0x137/0x1e0 [ 64.097524][ T5071] __folio_alloc+0x13/0x30 [ 64.101935][ T5071] vma_alloc_folio+0x48a/0x9a0 [ 64.106726][ T5071] handle_mm_fault+0x2376/0x62b0 [ 64.111687][ T5071] ? handle_mm_fault+0x11d/0x62b0 [ 64.116723][ T5071] ? numa_migrate_prep+0x380/0x380 [ 64.121845][ T5071] ? mtree_range_walk+0x6a0/0x7e0 [ 64.126962][ T5071] ? lock_vma_under_rcu+0x187/0x6f0 [ 64.132193][ T5071] ? __lock_acquire+0x7f70/0x7f70 [ 64.137241][ T5071] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 64.142476][ T5071] ? lock_vma_under_rcu+0x5df/0x6f0 [ 64.147683][ T5071] ? lock_vma_under_rcu+0x187/0x6f0 [ 64.152887][ T5071] ? exc_page_fault+0x10f/0x860 [ 64.157817][ T5071] exc_page_fault+0x455/0x860 [ 64.162528][ T5071] asm_exc_page_fault+0x26/0x30 [ 64.167408][ T5071] RIP: 0033:0x7f794735bc53 [ 64.171839][ T5071] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 64.191528][ T5071] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [ 64.197592][ T5071] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 64.205554][ T5071] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 64.213518][ T5071] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 64.221491][ T5071] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 64.229458][ T5071] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 64.237983][ T5071] [ 64.243751][ T5071] pagefault_out_of_memory: 2 callbacks suppressed [pid 5070] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5071] munmap(0x7f793ef10000, 138412032) = 0 [pid 5071] close(4) = 0 [pid 5071] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5069] <... futex resumed>) = 0 [pid 5071] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5070] <... write resumed>) = 2097152 [pid 5070] munmap(0x7f7936b10000, 2097152) = 0 [pid 5070] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5070] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5070] close(5) = 0 [pid 5070] mkdir("./file0", 0777) = 0 [ 64.243763][ T5071] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 64.291456][ T5070] loop0: detected capacity change from 0 to 4096 [pid 5070] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5070] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5070] chdir("./file0") = 0 [pid 5070] ioctl(4, LOOP_CLR_FD) = 0 [pid 5070] close(4) = 0 [pid 5070] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5069] exit_group(0 [pid 5071] <... futex resumed>) = ? [pid 5070] <... futex resumed>) = ? [pid 5069] <... exit_group resumed>) = ? [pid 5071] +++ exited with 0 +++ [pid 5070] +++ exited with 0 +++ [pid 5069] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5069, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=33 /* 0.33 s */} --- umount2("./12", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./12/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./12/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./12/binderfs") = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./12/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 [ 64.305371][ T5070] ntfs: volume version 12.0. rmdir("./12/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./12") = 0 mkdir("./13", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5072 attached , child_tidptr=0x555555f17690) = 5072 [pid 5072] set_robust_list(0x555555f176a0, 24) = 0 [pid 5072] chdir("./13") = 0 [pid 5072] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5072] setpgid(0, 0) = 0 [pid 5072] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5072] write(3, "1000", 4) = 4 [pid 5072] close(3) = 0 [pid 5072] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5072] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5072] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5072] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5072] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5072] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5072] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5072] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5073 attached [pid 5073] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5072] <... clone3 resumed> => {parent_tid=[5073]}, 88) = 5073 [pid 5073] set_robust_list(0x7f79473519a0, 24 [pid 5072] rt_sigprocmask(SIG_SETMASK, [], [pid 5073] <... set_robust_list resumed>) = 0 [pid 5072] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5073] rt_sigprocmask(SIG_SETMASK, [], [pid 5072] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5073] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5072] <... futex resumed>) = 0 [pid 5072] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5072] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5073] memfd_create("syzkaller", 0 [pid 5072] <... mmap resumed>) = 0x7f7947310000 [pid 5073] <... memfd_create resumed>) = 3 [pid 5072] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5073] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5072] <... mprotect resumed>) = 0 [pid 5072] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5072] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5074]}, 88) = 5074 [pid 5072] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5072] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5072] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5074 attached [pid 5073] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5074] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5074] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5074] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5074] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5074] write(4, "85", 2) = 2 [pid 5074] memfd_create("syzkaller", 0) = 5 [pid 5074] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5073] <... write resumed>) = 2097152 [ 64.439673][ T5074] FAULT_INJECTION: forcing a failure. [ 64.439673][ T5074] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 64.452986][ T5074] CPU: 1 PID: 5074 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 64.463424][ T5074] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 64.473479][ T5074] Call Trace: [ 64.476772][ T5074] [ 64.479710][ T5074] dump_stack_lvl+0x1e7/0x2d0 [ 64.484504][ T5074] ? nf_tcp_handle_invalid+0x650/0x650 [ 64.489981][ T5074] ? panic+0x770/0x770 [ 64.494067][ T5074] should_fail_ex+0x3aa/0x4e0 [ 64.498747][ T5074] prepare_alloc_pages+0x1d9/0x5b0 [ 64.503885][ T5074] __alloc_pages+0x165/0x670 [ 64.508482][ T5074] ? zone_statistics+0x170/0x170 [ 64.513420][ T5074] ? verify_lock_unused+0x140/0x140 [ 64.518636][ T5074] ? handle_mm_fault+0x11d/0x62b0 [ 64.523683][ T5074] ? __lock_acquire+0x7f70/0x7f70 [ 64.528715][ T5074] ? pte_offset_map_nolock+0x137/0x1e0 [ 64.534187][ T5074] __folio_alloc+0x13/0x30 [ 64.538615][ T5074] vma_alloc_folio+0x48a/0x9a0 [ 64.543383][ T5074] handle_mm_fault+0x2376/0x62b0 [ 64.548325][ T5074] ? handle_mm_fault+0x11d/0x62b0 [ 64.553385][ T5074] ? numa_migrate_prep+0x380/0x380 [ 64.558541][ T5074] ? mtree_range_walk+0x6a0/0x7e0 [ 64.563579][ T5074] ? lock_vma_under_rcu+0x187/0x6f0 [ 64.568784][ T5074] ? __lock_acquire+0x7f70/0x7f70 [ 64.573841][ T5074] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 64.579044][ T5074] ? lock_vma_under_rcu+0x5df/0x6f0 [ 64.584270][ T5074] ? lock_vma_under_rcu+0x187/0x6f0 [ 64.589513][ T5074] ? exc_page_fault+0x10f/0x860 [ 64.594619][ T5074] exc_page_fault+0x455/0x860 [ 64.599514][ T5074] asm_exc_page_fault+0x26/0x30 [ 64.604363][ T5074] RIP: 0033:0x7f794735bc53 [ 64.608863][ T5074] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 64.628503][ T5074] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5073] munmap(0x7f793ef10000, 2097152) = 0 [pid 5073] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 64.634582][ T5074] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 64.642573][ T5074] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 64.650569][ T5074] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 64.658547][ T5074] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 64.666532][ T5074] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 64.674524][ T5074] [ 64.677774][ T5074] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5073] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5073] close(3) = 0 [pid 5073] mkdir("./file0", 0777) = 0 [pid 5073] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [ 64.692239][ T5073] loop0: detected capacity change from 0 to 4096 [ 64.708822][ T5073] __ntfs_error: 139 callbacks suppressed [ 64.708833][ T5073] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 64.725932][ T5073] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5074] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5074] munmap(0x7f7936b10000, 2097152) = 0 [pid 5074] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5074] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5074] ioctl(3, LOOP_CLR_FD) = 0 [pid 5074] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5074] close(3) = 0 [pid 5074] close(5) = 0 [pid 5074] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5074] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5072] <... futex resumed>) = 0 [ 64.739682][ T5073] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 64.755355][ T5073] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 64.783016][ T5073] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 64.792111][ T5073] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 64.805443][ T5073] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 64.818494][ T5073] ntfs: volume version 12.0. [ 64.823260][ T5073] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [pid 5073] <... mount resumed>) = 0 [pid 5073] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5073] chdir("./file0") = 0 [pid 5073] ioctl(6, LOOP_CLR_FD) = 0 [pid 5073] close(6) = 0 [pid 5073] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5073] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5072] exit_group(0 [pid 5074] <... futex resumed>) = ? [pid 5073] <... futex resumed>) = ? [pid 5072] <... exit_group resumed>) = ? [pid 5074] +++ exited with 0 +++ [pid 5073] +++ exited with 0 +++ [pid 5072] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5072, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=19 /* 0.19 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./13", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./13/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./13/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./13/binderfs") = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./13/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./13/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./13") = 0 mkdir("./14", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5075 attached , child_tidptr=0x555555f17690) = 5075 [pid 5075] set_robust_list(0x555555f176a0, 24) = 0 [pid 5075] chdir("./14") = 0 [pid 5075] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5075] setpgid(0, 0) = 0 [pid 5075] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5075] write(3, "1000", 4) = 4 [pid 5075] close(3) = 0 [ 64.831942][ T5073] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 64.845614][ T5073] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. [pid 5075] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5075] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5075] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5075] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5075] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5075] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5075] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5076]}, 88) = 5076 ./strace-static-x86_64: Process 5076 attached [pid 5075] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5075] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5075] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5075] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5075] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5077 attached [pid 5077] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5075] <... clone3 resumed> => {parent_tid=[5077]}, 88) = 5077 [pid 5077] <... rseq resumed>) = 0 [pid 5076] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5077] set_robust_list(0x7f79473309a0, 24 [pid 5076] <... rseq resumed>) = 0 [pid 5075] rt_sigprocmask(SIG_SETMASK, [], [pid 5077] <... set_robust_list resumed>) = 0 [pid 5076] set_robust_list(0x7f79473519a0, 24 [pid 5075] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5077] rt_sigprocmask(SIG_SETMASK, [], [pid 5076] <... set_robust_list resumed>) = 0 [pid 5075] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5076] rt_sigprocmask(SIG_SETMASK, [], [pid 5077] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5076] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5075] <... futex resumed>) = 0 [pid 5077] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5075] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5077] <... openat resumed>) = 3 [pid 5077] write(3, "85", 2 [pid 5076] memfd_create("syzkaller", 0 [pid 5077] <... write resumed>) = 2 [pid 5077] memfd_create("syzkaller", 0) = 4 [pid 5077] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5076] <... memfd_create resumed>) = 5 [pid 5076] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5077] <... mmap resumed>) = 0x7f793ef10000 [pid 5076] <... mmap resumed>) = 0x7f7936b10000 [ 64.935205][ T5077] FAULT_INJECTION: forcing a failure. [ 64.935205][ T5077] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 64.948971][ T5077] CPU: 1 PID: 5077 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 64.959431][ T5077] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 64.969485][ T5077] Call Trace: [ 64.972758][ T5077] [ 64.975684][ T5077] dump_stack_lvl+0x1e7/0x2d0 [ 64.980386][ T5077] ? nf_tcp_handle_invalid+0x650/0x650 [ 64.985865][ T5077] ? panic+0x770/0x770 [ 64.989949][ T5077] should_fail_ex+0x3aa/0x4e0 [ 64.994641][ T5077] prepare_alloc_pages+0x1d9/0x5b0 [ 64.999850][ T5077] __alloc_pages+0x165/0x670 [ 65.004442][ T5077] ? zone_statistics+0x170/0x170 [ 65.009481][ T5077] ? verify_lock_unused+0x140/0x140 [ 65.014673][ T5077] ? handle_mm_fault+0x11d/0x62b0 [ 65.019693][ T5077] ? __lock_acquire+0x7f70/0x7f70 [ 65.024707][ T5077] ? pte_offset_map_nolock+0x137/0x1e0 [ 65.030194][ T5077] __folio_alloc+0x13/0x30 [ 65.034628][ T5077] vma_alloc_folio+0x48a/0x9a0 [ 65.039393][ T5077] handle_mm_fault+0x2376/0x62b0 [ 65.044358][ T5077] ? handle_mm_fault+0x11d/0x62b0 [ 65.049385][ T5077] ? numa_migrate_prep+0x380/0x380 [ 65.054506][ T5077] ? mtree_range_walk+0x6a0/0x7e0 [ 65.059529][ T5077] ? lock_vma_under_rcu+0x187/0x6f0 [ 65.064761][ T5077] ? __lock_acquire+0x7f70/0x7f70 [ 65.069891][ T5077] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 65.075115][ T5077] ? lock_vma_under_rcu+0x5df/0x6f0 [ 65.080315][ T5077] ? lock_vma_under_rcu+0x187/0x6f0 [ 65.085525][ T5077] ? exc_page_fault+0x10f/0x860 [ 65.090381][ T5077] exc_page_fault+0x455/0x860 [ 65.095071][ T5077] asm_exc_page_fault+0x26/0x30 [ 65.100530][ T5077] RIP: 0033:0x7f794735bc53 [ 65.105030][ T5077] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 65.125239][ T5077] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [ 65.131317][ T5077] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 65.139299][ T5077] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 65.147276][ T5077] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 65.155261][ T5077] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 65.163224][ T5077] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 65.171202][ T5077] [pid 5076] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5076] munmap(0x7f7936b10000, 2097152 [pid 5077] munmap(0x7f793ef10000, 138412032) = 0 [pid 5076] <... munmap resumed>) = 0 [pid 5077] close(4 [pid 5076] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5077] <... close resumed>) = 0 [pid 5077] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5076] ioctl(6, LOOP_SET_FD, 5 [pid 5077] <... futex resumed>) = 1 [pid 5075] <... futex resumed>) = 0 [pid 5077] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5076] <... ioctl resumed>) = 0 [pid 5076] close(5) = 0 [pid 5076] mkdir("./file0", 0777) = 0 [pid 5076] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5076] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5076] chdir("./file0") = 0 [pid 5076] ioctl(6, LOOP_CLR_FD) = 0 [pid 5076] close(6) = 0 [pid 5076] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5076] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5075] exit_group(0 [pid 5077] <... futex resumed>) = ? [pid 5076] <... futex resumed>) = ? [pid 5075] <... exit_group resumed>) = ? [pid 5077] +++ exited with 0 +++ [pid 5076] +++ exited with 0 +++ [pid 5075] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5075, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./14", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./14/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./14/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./14/binderfs") = 0 [ 65.194454][ T5077] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 65.222970][ T5076] loop0: detected capacity change from 0 to 4096 [ 65.238238][ T5076] ntfs: volume version 12.0. umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./14/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./14/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./14") = 0 mkdir("./15", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5078 ./strace-static-x86_64: Process 5078 attached [pid 5078] set_robust_list(0x555555f176a0, 24) = 0 [pid 5078] chdir("./15") = 0 [pid 5078] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5078] setpgid(0, 0) = 0 [pid 5078] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5078] write(3, "1000", 4) = 4 [pid 5078] close(3) = 0 [pid 5078] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5078] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5078] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5078] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5078] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5078] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5078] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5079]}, 88) = 5079 ./strace-static-x86_64: Process 5079 attached [pid 5078] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5078] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5078] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5079] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5078] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5079] set_robust_list(0x7f79473519a0, 24 [pid 5078] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5079] <... set_robust_list resumed>) = 0 [pid 5079] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 ./strace-static-x86_64: Process 5080 attached [pid 5080] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5080] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5080] rt_sigprocmask(SIG_SETMASK, [], [pid 5078] <... clone3 resumed> => {parent_tid=[5080]}, 88) = 5080 [pid 5080] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5078] rt_sigprocmask(SIG_SETMASK, [], [pid 5080] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5078] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5080] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5078] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5080] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5079] memfd_create("syzkaller", 0 [pid 5078] <... futex resumed>) = 0 [pid 5078] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5080] <... openat resumed>) = 3 [pid 5079] <... memfd_create resumed>) = 4 [pid 5080] write(3, "85", 2 [pid 5079] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5080] <... write resumed>) = 2 [pid 5080] memfd_create("syzkaller", 0) = 5 [pid 5080] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5079] <... mmap resumed>) = 0x7f7936b10000 [pid 5079] munmap(0x7f7936b10000, 138412032) = 0 [pid 5079] close(4) = 0 [pid 5079] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 65.334534][ T5080] FAULT_INJECTION: forcing a failure. [ 65.334534][ T5080] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 65.349958][ T5080] CPU: 0 PID: 5080 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 65.360407][ T5080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 65.370483][ T5080] Call Trace: [ 65.373778][ T5080] [ 65.376715][ T5080] dump_stack_lvl+0x1e7/0x2d0 [ 65.381406][ T5080] ? nf_tcp_handle_invalid+0x650/0x650 [ 65.386887][ T5080] ? panic+0x770/0x770 [ 65.390971][ T5080] should_fail_ex+0x3aa/0x4e0 [ 65.395655][ T5080] prepare_alloc_pages+0x1d9/0x5b0 [ 65.400868][ T5080] __alloc_pages+0x165/0x670 [ 65.405471][ T5080] ? zone_statistics+0x170/0x170 [ 65.410409][ T5080] ? verify_lock_unused+0x140/0x140 [ 65.415596][ T5080] ? handle_mm_fault+0x11d/0x62b0 [ 65.420633][ T5080] ? __lock_acquire+0x7f70/0x7f70 [ 65.425687][ T5080] ? pte_offset_map_nolock+0x137/0x1e0 [ 65.431152][ T5080] __folio_alloc+0x13/0x30 [ 65.435563][ T5080] vma_alloc_folio+0x48a/0x9a0 [ 65.440352][ T5080] handle_mm_fault+0x2376/0x62b0 [ 65.445319][ T5080] ? handle_mm_fault+0x11d/0x62b0 [ 65.450365][ T5080] ? numa_migrate_prep+0x380/0x380 [ 65.455493][ T5080] ? mtree_range_walk+0x6a0/0x7e0 [ 65.460618][ T5080] ? lock_vma_under_rcu+0x187/0x6f0 [ 65.465821][ T5080] ? __lock_acquire+0x7f70/0x7f70 [ 65.471108][ T5080] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 65.476319][ T5080] ? lock_vma_under_rcu+0x5df/0x6f0 [ 65.481511][ T5080] ? lock_vma_under_rcu+0x187/0x6f0 [ 65.486708][ T5080] ? exc_page_fault+0x10f/0x860 [ 65.491560][ T5080] exc_page_fault+0x455/0x860 [ 65.496232][ T5080] asm_exc_page_fault+0x26/0x30 [ 65.501080][ T5080] RIP: 0033:0x7f794735bc53 [ 65.506632][ T5080] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 65.526257][ T5080] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5079] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5080] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5080] munmap(0x7f793ef10000, 2097152) = 0 [pid 5080] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 65.532321][ T5080] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 65.540281][ T5080] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 65.548258][ T5080] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 65.556236][ T5080] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 65.564206][ T5080] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 65.572388][ T5080] [ 65.577993][ T5080] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5080] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5080] close(5) = 0 [pid 5080] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5080] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 65.616819][ T5080] loop0: detected capacity change from 0 to 4096 [ 65.637431][ T5080] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 65.644536][ T5080] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5080] ioctl(4, LOOP_CLR_FD) = 0 [pid 5080] close(4) = 0 [pid 5080] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5078] <... futex resumed>) = 0 [pid 5078] exit_group(0 [pid 5079] <... futex resumed>) = ? [pid 5078] <... exit_group resumed>) = ? [pid 5079] +++ exited with 0 +++ [pid 5080] <... futex resumed>) = ? [pid 5080] +++ exited with 0 +++ [pid 5078] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5078, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- umount2("./15", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./15/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./15/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./15/binderfs") = 0 umount2("\x2e\x2f\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./15") = 0 mkdir("./16", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5081 attached , child_tidptr=0x555555f17690) = 5081 [pid 5081] set_robust_list(0x555555f176a0, 24) = 0 [pid 5081] chdir("./16") = 0 [pid 5081] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5081] setpgid(0, 0) = 0 [pid 5081] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5081] write(3, "1000", 4) = 4 [pid 5081] close(3) = 0 [pid 5081] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5081] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5081] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5081] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5081] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5081] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5081] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5081] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5082 attached [pid 5082] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5081] <... clone3 resumed> => {parent_tid=[5082]}, 88) = 5082 [pid 5082] <... rseq resumed>) = 0 [pid 5081] rt_sigprocmask(SIG_SETMASK, [], [pid 5082] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5081] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5081] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5081] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5081] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5081] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5082] rt_sigprocmask(SIG_SETMASK, [], [pid 5081] <... mprotect resumed>) = 0 [pid 5082] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5081] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5081] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5083 attached => {parent_tid=[5083]}, 88) = 5083 [pid 5083] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5082] memfd_create("syzkaller", 0 [pid 5081] rt_sigprocmask(SIG_SETMASK, [], [pid 5083] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5083] rt_sigprocmask(SIG_SETMASK, [], [pid 5081] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5083] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5081] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5082] <... memfd_create resumed>) = 3 [pid 5081] <... futex resumed>) = 0 [pid 5081] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5082] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5083] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5083] write(4, "85", 2) = 2 [pid 5083] memfd_create("syzkaller", 0) = 5 [pid 5083] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5082] munmap(0x7f793ef10000, 138412032) = 0 [pid 5082] close(3) = 0 [pid 5082] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 65.788745][ T5083] FAULT_INJECTION: forcing a failure. [ 65.788745][ T5083] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 65.802497][ T5083] CPU: 0 PID: 5083 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 65.812939][ T5083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 65.822993][ T5083] Call Trace: [ 65.826272][ T5083] [ 65.829199][ T5083] dump_stack_lvl+0x1e7/0x2d0 [ 65.833882][ T5083] ? nf_tcp_handle_invalid+0x650/0x650 [ 65.839338][ T5083] ? panic+0x770/0x770 [ 65.843422][ T5083] should_fail_ex+0x3aa/0x4e0 [ 65.848121][ T5083] prepare_alloc_pages+0x1d9/0x5b0 [ 65.853271][ T5083] __alloc_pages+0x165/0x670 [ 65.857874][ T5083] ? zone_statistics+0x170/0x170 [ 65.862837][ T5083] ? verify_lock_unused+0x140/0x140 [ 65.868044][ T5083] ? handle_mm_fault+0x11d/0x62b0 [ 65.873074][ T5083] ? __lock_acquire+0x7f70/0x7f70 [ 65.878101][ T5083] ? pte_offset_map_nolock+0x137/0x1e0 [ 65.883586][ T5083] __folio_alloc+0x13/0x30 [ 65.888109][ T5083] vma_alloc_folio+0x48a/0x9a0 [ 65.892879][ T5083] handle_mm_fault+0x2376/0x62b0 [ 65.898022][ T5083] ? handle_mm_fault+0x11d/0x62b0 [ 65.903070][ T5083] ? numa_migrate_prep+0x380/0x380 [ 65.908196][ T5083] ? mtree_range_walk+0x6a0/0x7e0 [ 65.913837][ T5083] ? lock_vma_under_rcu+0x187/0x6f0 [ 65.919078][ T5083] ? __lock_acquire+0x7f70/0x7f70 [ 65.924100][ T5083] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 65.929311][ T5083] ? lock_vma_under_rcu+0x5df/0x6f0 [ 65.934507][ T5083] ? lock_vma_under_rcu+0x187/0x6f0 [ 65.939711][ T5083] ? exc_page_fault+0x10f/0x860 [ 65.944560][ T5083] exc_page_fault+0x455/0x860 [ 65.949244][ T5083] asm_exc_page_fault+0x26/0x30 [ 65.954120][ T5083] RIP: 0033:0x7f794735bc53 [ 65.958545][ T5083] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 65.978269][ T5083] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5082] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5083] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 65.984340][ T5083] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 65.992346][ T5083] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 66.001093][ T5083] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 66.009076][ T5083] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 66.017070][ T5083] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 66.025095][ T5083] [ 66.029773][ T5083] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5083] munmap(0x7f7936b10000, 2097152) = 0 [pid 5083] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5083] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5083] close(5) = 0 [pid 5083] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5083] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 66.071454][ T5083] loop0: detected capacity change from 0 to 4096 [ 66.091448][ T5083] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 66.098667][ T5083] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5083] ioctl(3, LOOP_CLR_FD) = 0 [pid 5083] close(3) = 0 [pid 5083] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5081] <... futex resumed>) = 0 [pid 5083] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5081] exit_group(0 [pid 5083] <... futex resumed>) = ? [pid 5081] <... exit_group resumed>) = ? [pid 5082] <... futex resumed>) = ? [pid 5083] +++ exited with 0 +++ [pid 5082] +++ exited with 0 +++ [pid 5081] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5081, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./16", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./16/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./16/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./16/binderfs") = 0 umount2("\x2e\x2f\x31\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./16") = 0 mkdir("./17", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5084 attached , child_tidptr=0x555555f17690) = 5084 [pid 5084] set_robust_list(0x555555f176a0, 24) = 0 [pid 5084] chdir("./17") = 0 [pid 5084] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5084] setpgid(0, 0) = 0 [pid 5084] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5084] write(3, "1000", 4) = 4 [pid 5084] close(3) = 0 [pid 5084] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5084] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5084] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5084] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5084] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5084] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5084] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5084] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5085 attached [pid 5085] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5084] <... clone3 resumed> => {parent_tid=[5085]}, 88) = 5085 [pid 5085] <... rseq resumed>) = 0 [pid 5084] rt_sigprocmask(SIG_SETMASK, [], [pid 5085] set_robust_list(0x7f79473519a0, 24 [pid 5084] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5085] <... set_robust_list resumed>) = 0 [pid 5084] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5085] rt_sigprocmask(SIG_SETMASK, [], [pid 5084] <... futex resumed>) = 0 [pid 5085] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5084] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5084] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5085] memfd_create("syzkaller", 0 [pid 5084] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5085] <... memfd_create resumed>) = 3 [pid 5084] <... mprotect resumed>) = 0 [pid 5085] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5084] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5085] <... mmap resumed>) = 0x7f793ef10000 [pid 5084] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5084] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5086]}, 88) = 5086 [pid 5084] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5084] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5084] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5086 attached [pid 5086] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5086] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5086] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5086] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5086] write(4, "85", 2) = 2 [pid 5086] memfd_create("syzkaller", 0) = 5 [pid 5086] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 66.244302][ T5086] FAULT_INJECTION: forcing a failure. [ 66.244302][ T5086] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 66.257855][ T5086] CPU: 1 PID: 5086 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 66.268294][ T5086] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 66.278353][ T5086] Call Trace: [ 66.281629][ T5086] [ 66.284557][ T5086] dump_stack_lvl+0x1e7/0x2d0 [ 66.289241][ T5086] ? nf_tcp_handle_invalid+0x650/0x650 [ 66.294700][ T5086] ? panic+0x770/0x770 [ 66.298918][ T5086] should_fail_ex+0x3aa/0x4e0 [ 66.303638][ T5086] prepare_alloc_pages+0x1d9/0x5b0 [ 66.308761][ T5086] __alloc_pages+0x165/0x670 [ 66.313369][ T5086] ? zone_statistics+0x170/0x170 [ 66.318310][ T5086] ? verify_lock_unused+0x140/0x140 [ 66.323525][ T5086] ? handle_mm_fault+0x11d/0x62b0 [ 66.328567][ T5086] ? __lock_acquire+0x7f70/0x7f70 [ 66.333599][ T5086] ? pte_offset_map_nolock+0x137/0x1e0 [ 66.339067][ T5086] __folio_alloc+0x13/0x30 [ 66.343486][ T5086] vma_alloc_folio+0x48a/0x9a0 [ 66.348275][ T5086] handle_mm_fault+0x2376/0x62b0 [ 66.353225][ T5086] ? handle_mm_fault+0x11d/0x62b0 [ 66.358262][ T5086] ? numa_migrate_prep+0x380/0x380 [ 66.363379][ T5086] ? mtree_range_walk+0x6a0/0x7e0 [ 66.368408][ T5086] ? lock_vma_under_rcu+0x187/0x6f0 [ 66.373604][ T5086] ? __lock_acquire+0x7f70/0x7f70 [ 66.378646][ T5086] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 66.383938][ T5086] ? lock_vma_under_rcu+0x5df/0x6f0 [ 66.389135][ T5086] ? lock_vma_under_rcu+0x187/0x6f0 [ 66.394351][ T5086] ? exc_page_fault+0x10f/0x860 [ 66.399295][ T5086] exc_page_fault+0x455/0x860 [ 66.403995][ T5086] asm_exc_page_fault+0x26/0x30 [ 66.408851][ T5086] RIP: 0033:0x7f794735bc53 [ 66.413348][ T5086] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 66.432945][ T5086] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5085] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2094090 [ 66.439008][ T5086] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 66.446973][ T5086] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 66.454936][ T5086] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 66.462901][ T5086] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 66.470866][ T5086] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 66.478925][ T5086] [ 66.483011][ T5086] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5086] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5085] <... write resumed>) = 2094090 [pid 5085] munmap(0x7f793ef10000, 2094090) = 0 [pid 5085] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5085] ioctl(6, LOOP_SET_FD, 3 [pid 5086] <... write resumed>) = 2097152 [pid 5086] munmap(0x7f7936b10000, 2097152) = 0 [pid 5085] <... ioctl resumed>) = 0 [pid 5085] close(3) = 0 [pid 5085] mkdir("./file0", 0777 [pid 5086] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5085] <... mkdir resumed>) = 0 [pid 5085] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5086] <... openat resumed>) = 3 [pid 5085] <... mount resumed>) = -1 EINVAL (Invalid argument) [pid 5085] ioctl(6, LOOP_CLR_FD) = 0 [pid 5085] close(6) = 0 [pid 5085] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5085] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5086] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [ 66.536459][ T5085] loop0: detected capacity change from 0 to 4090 [pid 5086] ioctl(3, LOOP_CLR_FD) = 0 [pid 5086] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5086] close(5) = 0 [pid 5086] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [ 66.607649][ T5034] I/O error, dev loop0, sector 3840 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [ 66.634898][ T5086] loop0: detected capacity change from 0 to 4096 [pid 5086] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 66.653765][ T5086] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 66.660988][ T5086] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5086] ioctl(3, LOOP_CLR_FD) = 0 [pid 5086] close(3) = 0 [pid 5086] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5084] <... futex resumed>) = 0 [pid 5086] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5084] exit_group(0 [pid 5086] <... futex resumed>) = ? [pid 5085] <... futex resumed>) = ? [pid 5084] <... exit_group resumed>) = ? [pid 5086] +++ exited with 0 +++ [pid 5085] +++ exited with 0 +++ [pid 5084] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5084, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=38 /* 0.38 s */} --- umount2("./17", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 5 entries */, 32768) = 208 umount2("./17/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./17/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./17/binderfs") = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./17/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./17/file0") = 0 umount2("\x2e\x2f\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./17") = 0 mkdir("./18", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5087 attached , child_tidptr=0x555555f17690) = 5087 [pid 5087] set_robust_list(0x555555f176a0, 24) = 0 [pid 5087] chdir("./18") = 0 [pid 5087] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5087] setpgid(0, 0) = 0 [pid 5087] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5087] write(3, "1000", 4) = 4 [pid 5087] close(3) = 0 [pid 5087] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5087] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5087] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5087] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5087] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5087] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5087] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5087] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5088 attached => {parent_tid=[5088]}, 88) = 5088 [pid 5088] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5087] rt_sigprocmask(SIG_SETMASK, [], [pid 5088] <... rseq resumed>) = 0 [pid 5088] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5087] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5088] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5087] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5088] memfd_create("syzkaller", 0 [pid 5087] <... futex resumed>) = 0 [pid 5087] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5087] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5087] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5087] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5087] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5088] <... memfd_create resumed>) = 3 [pid 5088] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5087] <... clone3 resumed> => {parent_tid=[5089]}, 88) = 5089 [pid 5088] <... mmap resumed>) = 0x7f793ef10000 [pid 5087] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 ./strace-static-x86_64: Process 5089 attached [pid 5087] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5089] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5089] set_robust_list(0x7f79473309a0, 24 [pid 5087] <... futex resumed>) = 0 [pid 5089] <... set_robust_list resumed>) = 0 [pid 5089] rt_sigprocmask(SIG_SETMASK, [], [pid 5087] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5089] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5089] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5089] write(4, "85", 2) = 2 [pid 5089] memfd_create("syzkaller", 0) = 5 [pid 5089] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 66.820516][ T5089] FAULT_INJECTION: forcing a failure. [ 66.820516][ T5089] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 66.834246][ T5089] CPU: 0 PID: 5089 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 66.844668][ T5089] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 66.854722][ T5089] Call Trace: [ 66.858005][ T5089] [ 66.860950][ T5089] dump_stack_lvl+0x1e7/0x2d0 [ 66.865653][ T5089] ? nf_tcp_handle_invalid+0x650/0x650 [ 66.871205][ T5089] ? panic+0x770/0x770 [ 66.875290][ T5089] should_fail_ex+0x3aa/0x4e0 [ 66.879991][ T5089] prepare_alloc_pages+0x1d9/0x5b0 [ 66.885113][ T5089] __alloc_pages+0x165/0x670 [ 66.889721][ T5089] ? zone_statistics+0x170/0x170 [ 66.894667][ T5089] ? verify_lock_unused+0x140/0x140 [ 66.899860][ T5089] ? handle_mm_fault+0x11d/0x62b0 [ 66.904882][ T5089] ? __lock_acquire+0x7f70/0x7f70 [ 66.909904][ T5089] ? pte_offset_map_nolock+0x137/0x1e0 [ 66.915371][ T5089] __folio_alloc+0x13/0x30 [ 66.919806][ T5089] vma_alloc_folio+0x48a/0x9a0 [ 66.924594][ T5089] handle_mm_fault+0x2376/0x62b0 [ 66.929569][ T5089] ? handle_mm_fault+0x11d/0x62b0 [ 66.934603][ T5089] ? numa_migrate_prep+0x380/0x380 [ 66.939727][ T5089] ? mtree_range_walk+0x6a0/0x7e0 [ 66.944761][ T5089] ? lock_vma_under_rcu+0x187/0x6f0 [ 66.949960][ T5089] ? __lock_acquire+0x7f70/0x7f70 [ 66.954976][ T5089] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 66.960181][ T5089] ? lock_vma_under_rcu+0x5df/0x6f0 [ 66.965396][ T5089] ? lock_vma_under_rcu+0x187/0x6f0 [ 66.970784][ T5089] ? exc_page_fault+0x10f/0x860 [ 66.975631][ T5089] exc_page_fault+0x455/0x860 [ 66.980310][ T5089] asm_exc_page_fault+0x26/0x30 [ 66.985152][ T5089] RIP: 0033:0x7f794735bc53 [ 66.989561][ T5089] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 67.009173][ T5089] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5088] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5088] munmap(0x7f793ef10000, 2097152) = 0 [pid 5088] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 67.015237][ T5089] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 67.023198][ T5089] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 67.031265][ T5089] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 67.039340][ T5089] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 67.047328][ T5089] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 67.055332][ T5089] [ 67.063580][ T5089] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5088] ioctl(6, LOOP_SET_FD, 3 [pid 5089] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5088] <... ioctl resumed>) = 0 [pid 5088] close(3) = 0 [pid 5088] mkdir("./file0", 0777) = 0 [pid 5088] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5088] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5088] chdir("./file0") = 0 [pid 5088] ioctl(6, LOOP_CLR_FD) = 0 [pid 5088] close(6) = 0 [pid 5088] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5088] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5089] <... write resumed>) = 2097152 [pid 5089] munmap(0x7f7936b10000, 2097152) = 0 [pid 5089] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5089] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5089] ioctl(6, LOOP_CLR_FD) = 0 [pid 5089] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5089] close(6) = 0 [ 67.091122][ T5088] loop0: detected capacity change from 0 to 4096 [ 67.107479][ T5088] ntfs: volume version 12.0. [pid 5089] close(5) = 0 [pid 5089] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5087] <... futex resumed>) = 0 [pid 5089] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5087] exit_group(0 [pid 5089] <... futex resumed>) = ? [pid 5088] <... futex resumed>) = ? [pid 5087] <... exit_group resumed>) = ? [pid 5089] +++ exited with 0 +++ [pid 5088] +++ exited with 0 +++ [pid 5087] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5087, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./18", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./18/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./18/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./18/binderfs") = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./18/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./18/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./18") = 0 mkdir("./19", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5090 attached , child_tidptr=0x555555f17690) = 5090 [pid 5090] set_robust_list(0x555555f176a0, 24) = 0 [pid 5090] chdir("./19") = 0 [pid 5090] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5090] setpgid(0, 0) = 0 [pid 5090] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5090] write(3, "1000", 4) = 4 [pid 5090] close(3) = 0 [pid 5090] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5090] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5090] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5090] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5090] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5090] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5090] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5090] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5091 attached [pid 5091] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5090] <... clone3 resumed> => {parent_tid=[5091]}, 88) = 5091 [pid 5091] set_robust_list(0x7f79473519a0, 24 [pid 5090] rt_sigprocmask(SIG_SETMASK, [], [pid 5091] <... set_robust_list resumed>) = 0 [pid 5090] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5091] rt_sigprocmask(SIG_SETMASK, [], [pid 5090] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5091] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5090] <... futex resumed>) = 0 [pid 5090] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5090] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5090] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5091] memfd_create("syzkaller", 0 [pid 5090] <... mprotect resumed>) = 0 [pid 5091] <... memfd_create resumed>) = 3 [pid 5090] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5091] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5090] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5090] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5092 attached [pid 5092] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5090] <... clone3 resumed> => {parent_tid=[5092]}, 88) = 5092 [pid 5092] <... rseq resumed>) = 0 [pid 5090] rt_sigprocmask(SIG_SETMASK, [], [pid 5092] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5090] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5092] rt_sigprocmask(SIG_SETMASK, [], [pid 5090] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5092] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5090] <... futex resumed>) = 0 [pid 5092] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5090] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5092] <... openat resumed>) = 4 [pid 5092] write(4, "85", 2) = 2 [pid 5092] memfd_create("syzkaller", 0) = 5 [pid 5092] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5091] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2028777) = 2028777 [ 67.251518][ T5092] FAULT_INJECTION: forcing a failure. [ 67.251518][ T5092] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 67.265054][ T5092] CPU: 0 PID: 5092 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 67.275492][ T5092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 67.285554][ T5092] Call Trace: [ 67.288841][ T5092] [ 67.291783][ T5092] dump_stack_lvl+0x1e7/0x2d0 [ 67.296451][ T5092] ? nf_tcp_handle_invalid+0x650/0x650 [ 67.301901][ T5092] ? panic+0x770/0x770 [ 67.305970][ T5092] should_fail_ex+0x3aa/0x4e0 [ 67.310645][ T5092] prepare_alloc_pages+0x1d9/0x5b0 [ 67.315773][ T5092] __alloc_pages+0x165/0x670 [ 67.320372][ T5092] ? zone_statistics+0x170/0x170 [ 67.325318][ T5092] ? verify_lock_unused+0x140/0x140 [ 67.330577][ T5092] ? handle_mm_fault+0x11d/0x62b0 [ 67.335601][ T5092] ? __lock_acquire+0x7f70/0x7f70 [ 67.340624][ T5092] ? pte_offset_map_nolock+0x137/0x1e0 [ 67.346103][ T5092] __folio_alloc+0x13/0x30 [ 67.350529][ T5092] vma_alloc_folio+0x48a/0x9a0 [ 67.355289][ T5092] handle_mm_fault+0x2376/0x62b0 [ 67.360246][ T5092] ? handle_mm_fault+0x11d/0x62b0 [ 67.365290][ T5092] ? numa_migrate_prep+0x380/0x380 [ 67.370496][ T5092] ? mtree_range_walk+0x6a0/0x7e0 [ 67.375524][ T5092] ? lock_vma_under_rcu+0x187/0x6f0 [ 67.380839][ T5092] ? __lock_acquire+0x7f70/0x7f70 [ 67.385940][ T5092] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 67.391333][ T5092] ? lock_vma_under_rcu+0x5df/0x6f0 [ 67.396549][ T5092] ? lock_vma_under_rcu+0x187/0x6f0 [ 67.401767][ T5092] ? exc_page_fault+0x10f/0x860 [ 67.406608][ T5092] exc_page_fault+0x455/0x860 [ 67.411298][ T5092] asm_exc_page_fault+0x26/0x30 [ 67.416226][ T5092] RIP: 0033:0x7f794735bc53 [ 67.420626][ T5092] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 67.440223][ T5092] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5091] munmap(0x7f793ef10000, 2028777) = 0 [pid 5091] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 67.446280][ T5092] RAX: 000000000008a001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 67.454249][ T5092] RDX: 00007f794732f8f0 RSI: 0000000000000001 RDI: 00007f794732f7f0 [ 67.462237][ T5092] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffe6 [ 67.470220][ T5092] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 67.478181][ T5092] R13: 00007f7947427f80 R14: 0000000000000016 R15: 00007f794732f7f0 [ 67.486166][ T5092] [ 67.493195][ T5092] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5091] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5091] close(3) = 0 [pid 5091] mkdir("./file0", 0777) = 0 [pid 5091] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5091] ioctl(6, LOOP_CLR_FD [pid 5092] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5092] munmap(0x7f7936b10000, 2097152) = 0 [pid 5092] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5092] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5092] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5092] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5092] close(3) = 0 [pid 5092] close(5) = 0 [pid 5092] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5090] <... futex resumed>) = 0 [pid 5092] <... futex resumed>) = 1 [ 67.508206][ T5091] loop0: detected capacity change from 0 to 3962 [pid 5092] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] <... ioctl resumed>) = 0 [pid 5091] close(6) = 0 [pid 5091] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5090] exit_group(0 [pid 5092] <... futex resumed>) = ? [pid 5091] <... futex resumed>) = ? [pid 5090] <... exit_group resumed>) = ? [pid 5092] +++ exited with 0 +++ [pid 5091] +++ exited with 0 +++ [pid 5090] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5090, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=13 /* 0.13 s */} --- umount2("./19", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./19/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./19/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./19/binderfs") = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./19/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./19/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./19") = 0 mkdir("./20", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5093 attached , child_tidptr=0x555555f17690) = 5093 [pid 5093] set_robust_list(0x555555f176a0, 24) = 0 [pid 5093] chdir("./20") = 0 [pid 5093] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5093] setpgid(0, 0) = 0 [pid 5093] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5093] write(3, "1000", 4) = 4 [pid 5093] close(3) = 0 [pid 5093] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5093] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5093] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5093] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5093] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5093] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5093] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5093] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5094 attached [pid 5094] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5093] <... clone3 resumed> => {parent_tid=[5094]}, 88) = 5094 [pid 5094] <... rseq resumed>) = 0 [pid 5094] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5094] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5094] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5093] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5093] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5094] <... futex resumed>) = 0 [pid 5094] memfd_create("syzkaller", 0 [pid 5093] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5094] <... memfd_create resumed>) = 3 [pid 5093] <... futex resumed>) = 0 [pid 5094] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5093] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5094] <... mmap resumed>) = 0x7f793ef31000 [pid 5093] <... mmap resumed>) = 0x7f793ef10000 [pid 5093] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5093] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5093] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5095 attached [pid 5095] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053 [pid 5093] <... clone3 resumed> => {parent_tid=[5095]}, 88) = 5095 [pid 5095] <... rseq resumed>) = 0 [pid 5093] rt_sigprocmask(SIG_SETMASK, [], [pid 5095] set_robust_list(0x7f793ef309a0, 24 [pid 5093] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5095] <... set_robust_list resumed>) = 0 [pid 5095] rt_sigprocmask(SIG_SETMASK, [], [pid 5093] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5095] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5093] <... futex resumed>) = 0 [pid 5093] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5095] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5095] write(4, "85", 2) = 2 [pid 5095] memfd_create("syzkaller", 0) = 5 [pid 5095] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5094] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 67.662741][ T5095] FAULT_INJECTION: forcing a failure. [ 67.662741][ T5095] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 67.676030][ T5095] CPU: 0 PID: 5095 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 67.686459][ T5095] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 67.696529][ T5095] Call Trace: [ 67.699823][ T5095] [ 67.702766][ T5095] dump_stack_lvl+0x1e7/0x2d0 [ 67.707476][ T5095] ? nf_tcp_handle_invalid+0x650/0x650 [ 67.712937][ T5095] ? panic+0x770/0x770 [ 67.717017][ T5095] should_fail_ex+0x3aa/0x4e0 [ 67.721699][ T5095] prepare_alloc_pages+0x1d9/0x5b0 [ 67.726817][ T5095] __alloc_pages+0x165/0x670 [ 67.731406][ T5095] ? zone_statistics+0x170/0x170 [ 67.736351][ T5095] ? verify_lock_unused+0x140/0x140 [ 67.741540][ T5095] ? handle_mm_fault+0x11d/0x62b0 [ 67.746564][ T5095] ? __lock_acquire+0x7f70/0x7f70 [ 67.751584][ T5095] ? pte_offset_map_nolock+0x137/0x1e0 [ 67.757074][ T5095] __folio_alloc+0x13/0x30 [ 67.761484][ T5095] vma_alloc_folio+0x48a/0x9a0 [ 67.766293][ T5095] handle_mm_fault+0x2376/0x62b0 [ 67.771667][ T5095] ? handle_mm_fault+0x11d/0x62b0 [ 67.776698][ T5095] ? numa_migrate_prep+0x380/0x380 [ 67.781821][ T5095] ? mtree_range_walk+0x6a0/0x7e0 [ 67.786841][ T5095] ? lock_vma_under_rcu+0x187/0x6f0 [ 67.792032][ T5095] ? __lock_acquire+0x7f70/0x7f70 [ 67.797045][ T5095] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 67.802251][ T5095] ? lock_vma_under_rcu+0x5df/0x6f0 [ 67.807445][ T5095] ? lock_vma_under_rcu+0x187/0x6f0 [ 67.812645][ T5095] ? exc_page_fault+0x10f/0x860 [ 67.817488][ T5095] exc_page_fault+0x455/0x860 [ 67.822169][ T5095] asm_exc_page_fault+0x26/0x30 [ 67.827012][ T5095] RIP: 0033:0x7f794735bc53 [ 67.831420][ T5095] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 67.851017][ T5095] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5094] munmap(0x7f793ef31000, 2097152) = 0 [pid 5094] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5094] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5094] close(3) = 0 [ 67.857078][ T5095] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 67.865046][ T5095] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 67.873008][ T5095] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 67.880990][ T5095] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 67.888974][ T5095] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 67.896967][ T5095] [ 67.906751][ T5094] loop0: detected capacity change from 0 to 4096 [pid 5094] mkdir("./file0", 0777) = 0 [pid 5094] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5094] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5094] chdir("./file0") = 0 [pid 5094] ioctl(6, LOOP_CLR_FD) = 0 [pid 5094] close(6) = 0 [pid 5094] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5095] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5094] <... futex resumed>) = 0 [pid 5094] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5095] <... write resumed>) = 2097152 [pid 5095] munmap(0x7f7936b10000, 2097152) = 0 [pid 5095] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5095] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5095] ioctl(6, LOOP_CLR_FD) = 0 [pid 5095] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5095] close(6) = 0 [ 67.906849][ T5095] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 67.925390][ T5094] ntfs: volume version 12.0. [pid 5095] close(5) = 0 [pid 5095] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5095] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5093] <... futex resumed>) = 0 [pid 5093] exit_group(0 [pid 5095] <... futex resumed>) = ? [pid 5093] <... exit_group resumed>) = ? [pid 5095] +++ exited with 0 +++ [pid 5094] <... futex resumed>) = ? [pid 5094] +++ exited with 0 +++ [pid 5093] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5093, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=13 /* 0.13 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./20", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./20/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./20/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./20/binderfs") = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./20/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./20/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./20") = 0 mkdir("./21", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5096 ./strace-static-x86_64: Process 5096 attached [pid 5096] set_robust_list(0x555555f176a0, 24) = 0 [pid 5096] chdir("./21") = 0 [pid 5096] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5096] setpgid(0, 0) = 0 [pid 5096] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5096] write(3, "1000", 4) = 4 [pid 5096] close(3) = 0 [pid 5096] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5096] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5096] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5096] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5096] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5096] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5096] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5096] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5097 attached => {parent_tid=[5097]}, 88) = 5097 [pid 5096] rt_sigprocmask(SIG_SETMASK, [], [pid 5097] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5096] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5096] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5097] <... rseq resumed>) = 0 [pid 5096] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5097] set_robust_list(0x7f79473519a0, 24 [pid 5096] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5097] <... set_robust_list resumed>) = 0 [pid 5096] <... mmap resumed>) = 0x7f7947310000 [pid 5097] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5096] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5096] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5096] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5097] memfd_create("syzkaller", 0./strace-static-x86_64: Process 5098 attached ) = 3 [pid 5096] <... clone3 resumed> => {parent_tid=[5098]}, 88) = 5098 [pid 5098] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5097] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5098] <... rseq resumed>) = 0 [pid 5098] set_robust_list(0x7f79473309a0, 24 [pid 5097] <... mmap resumed>) = 0x7f793ef10000 [pid 5098] <... set_robust_list resumed>) = 0 [pid 5098] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5096] rt_sigprocmask(SIG_SETMASK, [], [pid 5098] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5096] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5096] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5098] <... futex resumed>) = 0 [pid 5096] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5098] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5097] munmap(0x7f793ef10000, 138412032 [pid 5098] write(4, "85", 2) = 2 [pid 5098] memfd_create("syzkaller", 0) = 5 [pid 5098] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5097] <... munmap resumed>) = 0 [pid 5098] <... mmap resumed>) = 0x7f793ef10000 [pid 5097] close(3) = 0 [pid 5097] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 68.076353][ T5098] FAULT_INJECTION: forcing a failure. [ 68.076353][ T5098] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 68.089749][ T5098] CPU: 1 PID: 5098 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 68.100154][ T5098] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 68.110215][ T5098] Call Trace: [ 68.113501][ T5098] [ 68.116427][ T5098] dump_stack_lvl+0x1e7/0x2d0 [ 68.121100][ T5098] ? nf_tcp_handle_invalid+0x650/0x650 [ 68.126549][ T5098] ? panic+0x770/0x770 [ 68.130627][ T5098] should_fail_ex+0x3aa/0x4e0 [ 68.135323][ T5098] prepare_alloc_pages+0x1d9/0x5b0 [ 68.140443][ T5098] __alloc_pages+0x165/0x670 [ 68.145027][ T5098] ? zone_statistics+0x170/0x170 [ 68.149969][ T5098] ? verify_lock_unused+0x140/0x140 [ 68.155168][ T5098] ? handle_mm_fault+0x11d/0x62b0 [ 68.160203][ T5098] ? __lock_acquire+0x7f70/0x7f70 [ 68.165214][ T5098] ? pte_offset_map_nolock+0x137/0x1e0 [ 68.170666][ T5098] __folio_alloc+0x13/0x30 [ 68.175075][ T5098] vma_alloc_folio+0x48a/0x9a0 [ 68.179843][ T5098] handle_mm_fault+0x2376/0x62b0 [ 68.184815][ T5098] ? handle_mm_fault+0x11d/0x62b0 [ 68.189854][ T5098] ? numa_migrate_prep+0x380/0x380 [ 68.194982][ T5098] ? mtree_range_walk+0x6a0/0x7e0 [ 68.200000][ T5098] ? lock_vma_under_rcu+0x187/0x6f0 [ 68.205212][ T5098] ? __lock_acquire+0x7f70/0x7f70 [ 68.210249][ T5098] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 68.215454][ T5098] ? lock_vma_under_rcu+0x5df/0x6f0 [ 68.220658][ T5098] ? lock_vma_under_rcu+0x187/0x6f0 [ 68.225871][ T5098] ? exc_page_fault+0x10f/0x860 [ 68.230712][ T5098] exc_page_fault+0x455/0x860 [ 68.235386][ T5098] asm_exc_page_fault+0x26/0x30 [ 68.240237][ T5098] RIP: 0033:0x7f794735bd00 [ 68.244650][ T5098] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 68.264243][ T5098] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5097] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5098] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5098] munmap(0x7f793ef10000, 2097152) = 0 [pid 5098] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 68.270307][ T5098] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 68.278269][ T5098] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 68.286237][ T5098] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 68.294206][ T5098] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 68.304788][ T5098] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 68.312772][ T5098] [ 68.316047][ T5098] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5098] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5098] close(5) = 0 [pid 5098] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5098] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 68.353851][ T5098] loop0: detected capacity change from 0 to 4096 [ 68.373390][ T5098] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 68.381208][ T5098] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5098] ioctl(3, LOOP_CLR_FD) = 0 [pid 5098] close(3) = 0 [pid 5098] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5098] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5096] <... futex resumed>) = 0 [pid 5096] exit_group(0 [pid 5098] <... futex resumed>) = ? [pid 5096] <... exit_group resumed>) = ? [pid 5098] +++ exited with 0 +++ [pid 5097] <... futex resumed>) = ? [pid 5097] +++ exited with 0 +++ [pid 5096] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5096, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} --- umount2("./21", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./21/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./21/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./21/binderfs") = 0 umount2("\x2e\x2f\x32\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./21") = 0 mkdir("./22", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5099 ./strace-static-x86_64: Process 5099 attached [pid 5099] set_robust_list(0x555555f176a0, 24) = 0 [pid 5099] chdir("./22") = 0 [pid 5099] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5099] setpgid(0, 0) = 0 [pid 5099] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5099] write(3, "1000", 4) = 4 [pid 5099] close(3) = 0 [pid 5099] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5099] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5099] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5099] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5099] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5099] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5099] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5099] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5100 attached [pid 5100] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5099] <... clone3 resumed> => {parent_tid=[5100]}, 88) = 5100 [pid 5100] <... rseq resumed>) = 0 [pid 5099] rt_sigprocmask(SIG_SETMASK, [], [pid 5100] set_robust_list(0x7f79473519a0, 24 [pid 5099] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5100] <... set_robust_list resumed>) = 0 [pid 5100] rt_sigprocmask(SIG_SETMASK, [], [pid 5099] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5100] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5099] <... futex resumed>) = 0 [pid 5099] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5100] memfd_create("syzkaller", 0 [pid 5099] <... futex resumed>) = 0 [pid 5100] <... memfd_create resumed>) = 3 [pid 5099] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5100] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5099] <... mmap resumed>) = 0x7f7947310000 [pid 5099] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5099] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5099] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5101]}, 88) = 5101 [pid 5099] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5099] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5099] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5101 attached [pid 5101] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5101] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5101] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5101] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5101] write(4, "85", 2) = 2 [pid 5101] memfd_create("syzkaller", 0) = 5 [pid 5101] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5100] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2053576) = 2053576 [ 68.528601][ T5101] FAULT_INJECTION: forcing a failure. [ 68.528601][ T5101] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 68.542039][ T5101] CPU: 1 PID: 5101 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 68.552474][ T5101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 68.562539][ T5101] Call Trace: [ 68.565810][ T5101] [ 68.569179][ T5101] dump_stack_lvl+0x1e7/0x2d0 [ 68.573866][ T5101] ? nf_tcp_handle_invalid+0x650/0x650 [ 68.579317][ T5101] ? panic+0x770/0x770 [ 68.583383][ T5101] should_fail_ex+0x3aa/0x4e0 [ 68.588055][ T5101] prepare_alloc_pages+0x1d9/0x5b0 [ 68.593249][ T5101] __alloc_pages+0x165/0x670 [ 68.597841][ T5101] ? zone_statistics+0x170/0x170 [ 68.602781][ T5101] ? verify_lock_unused+0x140/0x140 [ 68.607980][ T5101] ? handle_mm_fault+0x11d/0x62b0 [ 68.612999][ T5101] ? __lock_acquire+0x7f70/0x7f70 [ 68.618015][ T5101] ? pte_offset_map_nolock+0x137/0x1e0 [ 68.623484][ T5101] __folio_alloc+0x13/0x30 [ 68.627896][ T5101] vma_alloc_folio+0x48a/0x9a0 [ 68.632666][ T5101] handle_mm_fault+0x2376/0x62b0 [ 68.637607][ T5101] ? handle_mm_fault+0x11d/0x62b0 [ 68.642637][ T5101] ? numa_migrate_prep+0x380/0x380 [ 68.647758][ T5101] ? mtree_range_walk+0x6a0/0x7e0 [ 68.652779][ T5101] ? lock_vma_under_rcu+0x187/0x6f0 [ 68.657970][ T5101] ? __lock_acquire+0x7f70/0x7f70 [ 68.662980][ T5101] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 68.668215][ T5101] ? lock_vma_under_rcu+0x5df/0x6f0 [ 68.673407][ T5101] ? lock_vma_under_rcu+0x187/0x6f0 [ 68.678616][ T5101] ? exc_page_fault+0x10f/0x860 [ 68.683458][ T5101] exc_page_fault+0x455/0x860 [ 68.688132][ T5101] asm_exc_page_fault+0x26/0x30 [ 68.692973][ T5101] RIP: 0033:0x7f794735bc53 [ 68.697381][ T5101] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 68.716985][ T5101] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5100] munmap(0x7f793ef10000, 2053576) = 0 [pid 5100] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 68.723052][ T5101] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 68.731017][ T5101] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 68.738979][ T5101] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 68.746954][ T5101] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 68.754920][ T5101] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 68.762903][ T5101] [pid 5100] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5100] close(3) = 0 [pid 5100] mkdir("./file0", 0777) = 0 [pid 5100] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5100] ioctl(6, LOOP_CLR_FD [pid 5101] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5101] munmap(0x7f7936b10000, 2097152) = 0 [pid 5101] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5101] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5101] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5101] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [ 68.778428][ T5100] loop0: detected capacity change from 0 to 4010 [pid 5101] close(3) = 0 [pid 5101] close(5 [pid 5100] <... ioctl resumed>) = 0 [pid 5100] close(6) = 0 [pid 5100] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5100] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5101] <... close resumed>) = 0 [pid 5101] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5099] <... futex resumed>) = 0 [pid 5101] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5099] exit_group(0 [pid 5100] <... futex resumed>) = ? [pid 5099] <... exit_group resumed>) = ? [pid 5101] <... futex resumed>) = ? [pid 5100] +++ exited with 0 +++ [pid 5101] +++ exited with 0 +++ [pid 5099] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5099, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=9 /* 0.09 s */} --- umount2("./22", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./22/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./22/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./22/binderfs") = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./22/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./22/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./22") = 0 mkdir("./23", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5102 ./strace-static-x86_64: Process 5102 attached [pid 5102] set_robust_list(0x555555f176a0, 24) = 0 [pid 5102] chdir("./23") = 0 [pid 5102] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5102] setpgid(0, 0) = 0 [pid 5102] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5102] write(3, "1000", 4) = 4 [pid 5102] close(3) = 0 [pid 5102] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5102] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5102] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5102] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5102] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5102] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5102] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5102] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5103]}, 88) = 5103 [pid 5102] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5102] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5103 attached ) = 0 [pid 5102] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [ 68.830914][ T5034] I/O error, dev loop0, sector 3840 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 5103] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5102] <... futex resumed>) = 0 [pid 5103] set_robust_list(0x7f79473519a0, 24 [pid 5102] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5103] <... set_robust_list resumed>) = 0 [pid 5103] rt_sigprocmask(SIG_SETMASK, [], [pid 5102] <... mmap resumed>) = 0x7f7947310000 [pid 5103] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5102] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5102] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5102] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5104 attached [pid 5103] memfd_create("syzkaller", 0 [pid 5104] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5103] <... memfd_create resumed>) = 3 [pid 5102] <... clone3 resumed> => {parent_tid=[5104]}, 88) = 5104 [pid 5104] <... rseq resumed>) = 0 [pid 5102] rt_sigprocmask(SIG_SETMASK, [], [pid 5104] set_robust_list(0x7f79473309a0, 24 [pid 5103] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5102] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5104] <... set_robust_list resumed>) = 0 [pid 5102] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5104] rt_sigprocmask(SIG_SETMASK, [], [pid 5103] <... mmap resumed>) = 0x7f793ef10000 [pid 5104] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5102] <... futex resumed>) = 0 [pid 5104] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5102] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5104] <... openat resumed>) = 4 [pid 5104] write(4, "85", 2) = 2 [pid 5104] memfd_create("syzkaller", 0) = 5 [pid 5104] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5103] munmap(0x7f793ef10000, 138412032) = 0 [pid 5103] close(3) = 0 [pid 5103] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 68.911676][ T5104] FAULT_INJECTION: forcing a failure. [ 68.911676][ T5104] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 68.925001][ T5104] CPU: 1 PID: 5104 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 68.935403][ T5104] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 68.945458][ T5104] Call Trace: [ 68.948744][ T5104] [ 68.951676][ T5104] dump_stack_lvl+0x1e7/0x2d0 [ 68.956356][ T5104] ? nf_tcp_handle_invalid+0x650/0x650 [ 68.961811][ T5104] ? panic+0x770/0x770 [ 68.965888][ T5104] should_fail_ex+0x3aa/0x4e0 [ 68.970922][ T5104] prepare_alloc_pages+0x1d9/0x5b0 [ 68.976064][ T5104] __alloc_pages+0x165/0x670 [ 68.980698][ T5104] ? zone_statistics+0x170/0x170 [ 68.985760][ T5104] ? verify_lock_unused+0x140/0x140 [ 68.990972][ T5104] ? handle_mm_fault+0x11d/0x62b0 [ 68.996020][ T5104] ? __lock_acquire+0x7f70/0x7f70 [ 69.001032][ T5104] ? pte_offset_map_nolock+0x137/0x1e0 [ 69.006483][ T5104] __folio_alloc+0x13/0x30 [ 69.010912][ T5104] vma_alloc_folio+0x48a/0x9a0 [ 69.015690][ T5104] handle_mm_fault+0x2376/0x62b0 [ 69.020713][ T5104] ? handle_mm_fault+0x11d/0x62b0 [ 69.025747][ T5104] ? numa_migrate_prep+0x380/0x380 [ 69.030871][ T5104] ? mtree_range_walk+0x6a0/0x7e0 [ 69.035906][ T5104] ? lock_vma_under_rcu+0x187/0x6f0 [ 69.041116][ T5104] ? __lock_acquire+0x7f70/0x7f70 [ 69.046157][ T5104] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 69.051359][ T5104] ? lock_vma_under_rcu+0x5df/0x6f0 [ 69.056561][ T5104] ? lock_vma_under_rcu+0x187/0x6f0 [ 69.061798][ T5104] ? exc_page_fault+0x10f/0x860 [ 69.066641][ T5104] exc_page_fault+0x455/0x860 [ 69.071312][ T5104] asm_exc_page_fault+0x26/0x30 [ 69.076165][ T5104] RIP: 0033:0x7f794735bc53 [ 69.080583][ T5104] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 69.100207][ T5104] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5103] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5104] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5104] munmap(0x7f7936b10000, 2097152) = 0 [pid 5104] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 69.106292][ T5104] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 69.114270][ T5104] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 69.122268][ T5104] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 69.130234][ T5104] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 69.138193][ T5104] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 69.146184][ T5104] [pid 5104] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5104] close(5) = 0 [pid 5104] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5104] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5104] ioctl(3, LOOP_CLR_FD) = 0 [pid 5104] close(3) = 0 [pid 5104] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5104] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5102] <... futex resumed>) = 0 [pid 5102] exit_group(0) = ? [ 69.180973][ T5104] loop0: detected capacity change from 0 to 4096 [ 69.200123][ T5104] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 69.207329][ T5104] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5104] <... futex resumed>) = ? [pid 5103] <... futex resumed>) = ? [pid 5104] +++ exited with 0 +++ [pid 5103] +++ exited with 0 +++ [pid 5102] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5102, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=8 /* 0.08 s */} --- umount2("./23", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./23/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./23/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./23/binderfs") = 0 umount2("\x2e\x2f\x32\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./23") = 0 mkdir("./24", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5105 attached , child_tidptr=0x555555f17690) = 5105 [pid 5105] set_robust_list(0x555555f176a0, 24) = 0 [pid 5105] chdir("./24") = 0 [pid 5105] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5105] setpgid(0, 0) = 0 [pid 5105] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5105] write(3, "1000", 4) = 4 [pid 5105] close(3) = 0 [pid 5105] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5105] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5105] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5105] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5105] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5105] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5105] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5105] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5106]}, 88) = 5106 [pid 5105] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5105] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5105] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5105] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5105] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5105] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5105] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5107 attached ./strace-static-x86_64: Process 5106 attached [pid 5107] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5107] set_robust_list(0x7f79473309a0, 24 [pid 5106] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5105] <... clone3 resumed> => {parent_tid=[5107]}, 88) = 5107 [pid 5107] <... set_robust_list resumed>) = 0 [pid 5105] rt_sigprocmask(SIG_SETMASK, [], [pid 5107] rt_sigprocmask(SIG_SETMASK, [], [pid 5106] <... rseq resumed>) = 0 [pid 5105] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5107] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5106] set_robust_list(0x7f79473519a0, 24 [pid 5105] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5106] <... set_robust_list resumed>) = 0 [pid 5106] rt_sigprocmask(SIG_SETMASK, [], [pid 5105] <... futex resumed>) = 0 [pid 5107] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5106] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5107] <... openat resumed>) = 3 [pid 5106] memfd_create("syzkaller", 0 [pid 5105] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5107] write(3, "85", 2 [pid 5106] <... memfd_create resumed>) = 4 [pid 5107] <... write resumed>) = 2 [pid 5106] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5107] memfd_create("syzkaller", 0 [pid 5106] <... mmap resumed>) = 0x7f793ef10000 [pid 5107] <... memfd_create resumed>) = 5 [pid 5107] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 69.323561][ T5107] FAULT_INJECTION: forcing a failure. [ 69.323561][ T5107] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 69.337344][ T5107] CPU: 1 PID: 5107 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 69.347778][ T5107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 69.357830][ T5107] Call Trace: [ 69.361103][ T5107] [ 69.364086][ T5107] dump_stack_lvl+0x1e7/0x2d0 [ 69.368766][ T5107] ? nf_tcp_handle_invalid+0x650/0x650 [ 69.374221][ T5107] ? panic+0x770/0x770 [ 69.378298][ T5107] should_fail_ex+0x3aa/0x4e0 [ 69.382973][ T5107] prepare_alloc_pages+0x1d9/0x5b0 [ 69.388119][ T5107] __alloc_pages+0x165/0x670 [ 69.392705][ T5107] ? zone_statistics+0x170/0x170 [ 69.397640][ T5107] ? verify_lock_unused+0x140/0x140 [ 69.402829][ T5107] ? handle_mm_fault+0x11d/0x62b0 [ 69.407848][ T5107] ? __lock_acquire+0x7f70/0x7f70 [ 69.412862][ T5107] ? pte_offset_map_nolock+0x137/0x1e0 [ 69.418419][ T5107] __folio_alloc+0x13/0x30 [ 69.422828][ T5107] vma_alloc_folio+0x48a/0x9a0 [ 69.427591][ T5107] handle_mm_fault+0x2376/0x62b0 [ 69.432530][ T5107] ? handle_mm_fault+0x11d/0x62b0 [ 69.437562][ T5107] ? numa_migrate_prep+0x380/0x380 [ 69.442679][ T5107] ? mtree_range_walk+0x6a0/0x7e0 [ 69.447701][ T5107] ? lock_vma_under_rcu+0x187/0x6f0 [ 69.452896][ T5107] ? __lock_acquire+0x7f70/0x7f70 [ 69.457914][ T5107] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 69.463117][ T5107] ? lock_vma_under_rcu+0x5df/0x6f0 [ 69.468310][ T5107] ? lock_vma_under_rcu+0x187/0x6f0 [ 69.473511][ T5107] ? exc_page_fault+0x10f/0x860 [ 69.478357][ T5107] exc_page_fault+0x455/0x860 [ 69.483033][ T5107] asm_exc_page_fault+0x26/0x30 [ 69.487877][ T5107] RIP: 0033:0x7f794735bc53 [ 69.492290][ T5107] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 69.512004][ T5107] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 69.518084][ T5107] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 69.528049][ T5107] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 69.536052][ T5107] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 69.544019][ T5107] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 69.551978][ T5107] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 69.559953][ T5107] [ 69.564200][ T5107] pagefault_out_of_memory: 2 callbacks suppressed [pid 5106] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5107] munmap(0x7f7936b10000, 138412032 [pid 5106] munmap(0x7f793ef10000, 2097152) = 0 [pid 5107] <... munmap resumed>) = 0 [ 69.564281][ T5107] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5106] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5107] close(5 [pid 5106] <... openat resumed>) = 6 [pid 5106] ioctl(6, LOOP_SET_FD, 4 [pid 5107] <... close resumed>) = 0 [pid 5107] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5106] <... ioctl resumed>) = 0 [pid 5107] <... futex resumed>) = 1 [pid 5106] close(4 [pid 5107] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5106] <... close resumed>) = 0 [pid 5105] <... futex resumed>) = 0 [pid 5106] mkdir("./file0", 0777) = 0 [pid 5106] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5106] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5106] chdir("./file0") = 0 [pid 5106] ioctl(6, LOOP_CLR_FD) = 0 [pid 5106] close(6) = 0 [pid 5106] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5106] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5105] exit_group(0 [pid 5106] <... futex resumed>) = ? [pid 5105] <... exit_group resumed>) = ? [pid 5107] <... futex resumed>) = ? [pid 5106] +++ exited with 0 +++ [pid 5107] +++ exited with 0 +++ [pid 5105] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5105, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- umount2("./24", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./24/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./24/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./24/binderfs") = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./24/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./24/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./24") = 0 mkdir("./25", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 69.595851][ T5106] loop0: detected capacity change from 0 to 4096 [ 69.610710][ T5106] ntfs: volume version 12.0. ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5108 attached , child_tidptr=0x555555f17690) = 5108 [pid 5108] set_robust_list(0x555555f176a0, 24) = 0 [pid 5108] chdir("./25") = 0 [pid 5108] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5108] setpgid(0, 0) = 0 [pid 5108] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5108] write(3, "1000", 4) = 4 [pid 5108] close(3) = 0 [pid 5108] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5108] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5108] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5108] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5108] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5108] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5108] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5108] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5109]}, 88) = 5109 [pid 5108] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5108] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5108] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5108] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5108] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5108] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5108] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5110 attached [pid 5110] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5108] <... clone3 resumed> => {parent_tid=[5110]}, 88) = 5110 [pid 5110] set_robust_list(0x7f79473309a0, 24 [pid 5108] rt_sigprocmask(SIG_SETMASK, [], [pid 5110] <... set_robust_list resumed>) = 0 [pid 5110] rt_sigprocmask(SIG_SETMASK, [], [pid 5108] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5110] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5108] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5110] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5108] <... futex resumed>) = 0 [pid 5108] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5110] <... openat resumed>) = 3 [pid 5110] write(3, "85", 2) = 2 [pid 5110] memfd_create("syzkaller", 0./strace-static-x86_64: Process 5109 attached ) = 4 [pid 5110] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5109] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5109] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5109] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5109] memfd_create("syzkaller", 0) = 5 [ 69.731919][ T5110] FAULT_INJECTION: forcing a failure. [ 69.731919][ T5110] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 69.745478][ T5110] CPU: 1 PID: 5110 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 69.755900][ T5110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 69.765966][ T5110] Call Trace: [ 69.769241][ T5110] [ 69.772162][ T5110] dump_stack_lvl+0x1e7/0x2d0 [ 69.776844][ T5110] ? nf_tcp_handle_invalid+0x650/0x650 [ 69.782320][ T5110] ? panic+0x770/0x770 [ 69.786511][ T5110] should_fail_ex+0x3aa/0x4e0 [ 69.791204][ T5110] prepare_alloc_pages+0x1d9/0x5b0 [ 69.796328][ T5110] __alloc_pages+0x165/0x670 [ 69.800933][ T5110] ? zone_statistics+0x170/0x170 [ 69.805906][ T5110] ? verify_lock_unused+0x140/0x140 [ 69.811102][ T5110] ? handle_mm_fault+0x11d/0x62b0 [ 69.816135][ T5110] ? __lock_acquire+0x7f70/0x7f70 [ 69.821167][ T5110] ? pte_offset_map_nolock+0x137/0x1e0 [ 69.826624][ T5110] __folio_alloc+0x13/0x30 [ 69.831036][ T5110] vma_alloc_folio+0x48a/0x9a0 [ 69.835800][ T5110] handle_mm_fault+0x2376/0x62b0 [ 69.840736][ T5110] ? handle_mm_fault+0x11d/0x62b0 [ 69.845772][ T5110] ? numa_migrate_prep+0x380/0x380 [ 69.850902][ T5110] ? mtree_range_walk+0x6a0/0x7e0 [ 69.855932][ T5110] ? lock_vma_under_rcu+0x187/0x6f0 [ 69.861131][ T5110] ? __lock_acquire+0x7f70/0x7f70 [ 69.866152][ T5110] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 69.871359][ T5110] ? lock_vma_under_rcu+0x5df/0x6f0 [ 69.877510][ T5110] ? lock_vma_under_rcu+0x187/0x6f0 [ 69.882718][ T5110] ? exc_page_fault+0x10f/0x860 [ 69.887565][ T5110] exc_page_fault+0x455/0x860 [ 69.892251][ T5110] asm_exc_page_fault+0x26/0x30 [ 69.897096][ T5110] RIP: 0033:0x7f794735bc53 [ 69.903504][ T5110] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 69.923107][ T5110] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5109] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5110] munmap(0x7f793ef10000, 138412032) = 0 [pid 5110] close(4) = 0 [pid 5110] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5110] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5108] <... futex resumed>) = 0 [ 69.929271][ T5110] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 69.937245][ T5110] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 69.945307][ T5110] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 69.953364][ T5110] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 69.961328][ T5110] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 69.969308][ T5110] [ 69.972885][ T5110] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5109] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5109] munmap(0x7f7936b10000, 2097152) = 0 [pid 5109] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5109] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5109] close(5) = 0 [pid 5109] mkdir("./file0", 0777) = 0 [ 70.023314][ T5109] loop0: detected capacity change from 0 to 4096 [ 70.034767][ T5109] __ntfs_error: 101 callbacks suppressed [ 70.034778][ T5109] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 70.051697][ T5109] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [ 70.065039][ T5109] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 70.079997][ T5109] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 70.089869][ T5109] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 70.098263][ T5109] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 70.112723][ T5109] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [pid 5109] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5109] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5109] chdir("./file0") = 0 [pid 5109] ioctl(4, LOOP_CLR_FD) = 0 [pid 5109] close(4) = 0 [pid 5109] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5108] exit_group(0) = ? [pid 5109] +++ exited with 0 +++ [pid 5110] <... futex resumed>) = ? [pid 5110] +++ exited with 0 +++ [pid 5108] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5108, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=18 /* 0.18 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./25", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./25/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./25/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./25/binderfs") = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./25/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./25/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./25") = 0 [ 70.125085][ T5109] ntfs: volume version 12.0. [ 70.130090][ T5109] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 70.138849][ T5109] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 70.152134][ T5109] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. mkdir("./26", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5111 ./strace-static-x86_64: Process 5111 attached [pid 5111] set_robust_list(0x555555f176a0, 24) = 0 [pid 5111] chdir("./26") = 0 [pid 5111] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5111] setpgid(0, 0) = 0 [pid 5111] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5111] write(3, "1000", 4) = 4 [pid 5111] close(3) = 0 [pid 5111] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5111] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5111] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5111] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5111] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5111] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5111] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5111] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5112 attached [pid 5112] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5112] set_robust_list(0x7f79473519a0, 24 [pid 5111] <... clone3 resumed> => {parent_tid=[5112]}, 88) = 5112 [pid 5112] <... set_robust_list resumed>) = 0 [pid 5111] rt_sigprocmask(SIG_SETMASK, [], [pid 5112] rt_sigprocmask(SIG_SETMASK, [], [pid 5111] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5112] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5111] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5112] memfd_create("syzkaller", 0 [pid 5111] <... futex resumed>) = 0 [pid 5111] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5112] <... memfd_create resumed>) = 3 [pid 5112] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5111] <... futex resumed>) = 0 [pid 5111] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f793ef10000 [pid 5111] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5111] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5111] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5113 attached => {parent_tid=[5113]}, 88) = 5113 [pid 5111] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5111] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5111] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5113] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5113] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5113] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5113] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5112] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5113] <... openat resumed>) = 4 [pid 5113] write(4, "85", 2) = 2 [pid 5113] memfd_create("syzkaller", 0) = 5 [pid 5113] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5112] <... write resumed>) = 2097152 [ 70.262306][ T5113] FAULT_INJECTION: forcing a failure. [ 70.262306][ T5113] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 70.275848][ T5113] CPU: 1 PID: 5113 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 70.286295][ T5113] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 70.297475][ T5113] Call Trace: [ 70.300762][ T5113] [ 70.303685][ T5113] dump_stack_lvl+0x1e7/0x2d0 [ 70.308361][ T5113] ? nf_tcp_handle_invalid+0x650/0x650 [ 70.313919][ T5113] ? panic+0x770/0x770 [ 70.318271][ T5113] should_fail_ex+0x3aa/0x4e0 [ 70.322946][ T5113] prepare_alloc_pages+0x1d9/0x5b0 [ 70.328063][ T5113] __alloc_pages+0x165/0x670 [ 70.332653][ T5113] ? zone_statistics+0x170/0x170 [ 70.337591][ T5113] ? verify_lock_unused+0x140/0x140 [ 70.342788][ T5113] ? handle_mm_fault+0x11d/0x62b0 [ 70.347809][ T5113] ? __lock_acquire+0x7f70/0x7f70 [ 70.352998][ T5113] ? pte_offset_map_nolock+0x137/0x1e0 [ 70.358457][ T5113] __folio_alloc+0x13/0x30 [ 70.362872][ T5113] vma_alloc_folio+0x48a/0x9a0 [ 70.367635][ T5113] handle_mm_fault+0x2376/0x62b0 [ 70.372579][ T5113] ? handle_mm_fault+0x11d/0x62b0 [ 70.377647][ T5113] ? numa_migrate_prep+0x380/0x380 [ 70.382763][ T5113] ? mtree_range_walk+0x6a0/0x7e0 [ 70.387792][ T5113] ? lock_vma_under_rcu+0x187/0x6f0 [ 70.393330][ T5113] ? __lock_acquire+0x7f70/0x7f70 [ 70.398355][ T5113] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 70.403821][ T5113] ? lock_vma_under_rcu+0x5df/0x6f0 [ 70.409134][ T5113] ? lock_vma_under_rcu+0x187/0x6f0 [ 70.414343][ T5113] ? exc_page_fault+0x10f/0x860 [ 70.419189][ T5113] exc_page_fault+0x455/0x860 [ 70.424301][ T5113] asm_exc_page_fault+0x26/0x30 [ 70.429512][ T5113] RIP: 0033:0x7f794735bc53 [ 70.433922][ T5113] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 70.453608][ T5113] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5112] munmap(0x7f793ef31000, 2097152) = 0 [pid 5112] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 70.459673][ T5113] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 70.467636][ T5113] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 70.475609][ T5113] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 70.483920][ T5113] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 70.491884][ T5113] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 70.500039][ T5113] [ 70.505880][ T5113] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5112] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5112] close(3) = 0 [pid 5112] mkdir("./file0", 0777) = 0 [pid 5112] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5113] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5113] munmap(0x7f7936b10000, 2097152) = 0 [pid 5113] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5113] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5113] ioctl(3, LOOP_CLR_FD) = 0 [pid 5112] <... mount resumed>) = 0 [pid 5112] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 5113] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5113] close(3) = 0 [pid 5113] close(5 [pid 5112] <... openat resumed>) = 3 [pid 5112] chdir("./file0") = 0 [pid 5112] ioctl(6, LOOP_CLR_FD) = 0 [pid 5112] close(6) = 0 [pid 5112] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5112] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5113] <... close resumed>) = 0 [pid 5113] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [ 70.510160][ T5112] loop0: detected capacity change from 0 to 4096 [ 70.532077][ T5112] ntfs: volume version 12.0. [pid 5113] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5111] <... futex resumed>) = 0 [pid 5111] exit_group(0 [pid 5113] <... futex resumed>) = ? [pid 5112] <... futex resumed>) = ? [pid 5111] <... exit_group resumed>) = ? [pid 5113] +++ exited with 0 +++ [pid 5112] +++ exited with 0 +++ [pid 5111] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5111, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./26", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./26/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./26/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./26/binderfs") = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./26/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./26/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./26") = 0 mkdir("./27", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5114 attached , child_tidptr=0x555555f17690) = 5114 [pid 5114] set_robust_list(0x555555f176a0, 24) = 0 [pid 5114] chdir("./27") = 0 [pid 5114] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5114] setpgid(0, 0) = 0 [pid 5114] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5114] write(3, "1000", 4) = 4 [pid 5114] close(3) = 0 [pid 5114] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5114] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5114] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5114] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5114] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5114] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5114] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5115 attached [pid 5115] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5115] set_robust_list(0x7f79473519a0, 24 [pid 5114] <... clone3 resumed> => {parent_tid=[5115]}, 88) = 5115 [pid 5115] <... set_robust_list resumed>) = 0 [pid 5114] rt_sigprocmask(SIG_SETMASK, [], [pid 5115] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5114] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5115] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5114] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5115] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5115] memfd_create("syzkaller", 0 [pid 5114] <... futex resumed>) = 0 [pid 5114] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5114] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5114] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5115] <... memfd_create resumed>) = 3 [pid 5114] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5115] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5114] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5115] <... mmap resumed>) = 0x7f793ef10000 ./strace-static-x86_64: Process 5116 attached [pid 5114] <... clone3 resumed> => {parent_tid=[5116]}, 88) = 5116 [pid 5114] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5114] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5116] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5116] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5116] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5116] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5116] write(4, "85", 2) = 2 [pid 5116] memfd_create("syzkaller", 0) = 5 [pid 5116] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5115] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 70.635533][ T5116] FAULT_INJECTION: forcing a failure. [ 70.635533][ T5116] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 70.677798][ T5116] CPU: 0 PID: 5116 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 70.688255][ T5116] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 70.698404][ T5116] Call Trace: [ 70.701678][ T5116] [ 70.704627][ T5116] dump_stack_lvl+0x1e7/0x2d0 [ 70.709355][ T5116] ? nf_tcp_handle_invalid+0x650/0x650 [ 70.714897][ T5116] ? panic+0x770/0x770 [ 70.719073][ T5116] should_fail_ex+0x3aa/0x4e0 [ 70.723749][ T5116] prepare_alloc_pages+0x1d9/0x5b0 [ 70.728860][ T5116] __alloc_pages+0x165/0x670 [ 70.733471][ T5116] ? zone_statistics+0x170/0x170 [ 70.738418][ T5116] ? verify_lock_unused+0x140/0x140 [ 70.743623][ T5116] ? handle_mm_fault+0x11d/0x62b0 [ 70.748643][ T5116] ? __lock_acquire+0x7f70/0x7f70 [ 70.753666][ T5116] ? pte_offset_map_nolock+0x137/0x1e0 [ 70.759153][ T5116] __folio_alloc+0x13/0x30 [ 70.763582][ T5116] vma_alloc_folio+0x48a/0x9a0 [ 70.768340][ T5116] handle_mm_fault+0x2376/0x62b0 [ 70.773277][ T5116] ? handle_mm_fault+0x11d/0x62b0 [ 70.778300][ T5116] ? numa_migrate_prep+0x380/0x380 [ 70.783426][ T5116] ? mtree_range_walk+0x6a0/0x7e0 [ 70.788459][ T5116] ? lock_vma_under_rcu+0x187/0x6f0 [ 70.793677][ T5116] ? __lock_acquire+0x7f70/0x7f70 [ 70.798691][ T5116] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 70.803890][ T5116] ? lock_vma_under_rcu+0x5df/0x6f0 [ 70.809094][ T5116] ? lock_vma_under_rcu+0x187/0x6f0 [ 70.814313][ T5116] ? exc_page_fault+0x10f/0x860 [ 70.819160][ T5116] exc_page_fault+0x455/0x860 [ 70.823835][ T5116] asm_exc_page_fault+0x26/0x30 [ 70.828686][ T5116] RIP: 0033:0x7f794735bc53 [ 70.833107][ T5116] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 70.852952][ T5116] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 70.859651][ T5116] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 70.867643][ T5116] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [pid 5115] munmap(0x7f793ef10000, 2097152) = 0 [pid 5115] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5115] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5115] close(3) = 0 [pid 5115] mkdir("./file0", 0777) = 0 [ 70.876054][ T5116] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 70.884023][ T5116] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 70.892010][ T5116] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 70.900016][ T5116] [ 70.903470][ T5116] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 70.921762][ T5115] loop0: detected capacity change from 0 to 4096 [pid 5115] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5115] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5115] chdir("./file0") = 0 [pid 5115] ioctl(6, LOOP_CLR_FD) = 0 [pid 5115] close(6 [pid 5116] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5115] <... close resumed>) = 0 [pid 5116] <... write resumed>) = 2097152 [pid 5115] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5116] munmap(0x7f7936b10000, 2097152 [pid 5115] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5116] <... munmap resumed>) = 0 [pid 5116] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5116] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5116] ioctl(6, LOOP_CLR_FD) = 0 [ 70.937110][ T5115] ntfs: volume version 12.0. [pid 5116] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5116] close(6) = 0 [pid 5116] close(5) = 0 [pid 5116] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5114] <... futex resumed>) = 0 [pid 5114] exit_group(0 [pid 5116] exit_group(0 [pid 5115] <... futex resumed>) = ? [pid 5114] <... exit_group resumed>) = ? [pid 5116] +++ exited with 0 +++ [pid 5115] +++ exited with 0 +++ [pid 5114] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5114, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=14 /* 0.14 s */} --- umount2("./27", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./27/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./27/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./27/binderfs") = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./27/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./27/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./27") = 0 mkdir("./28", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5117 ./strace-static-x86_64: Process 5117 attached [pid 5117] set_robust_list(0x555555f176a0, 24) = 0 [pid 5117] chdir("./28") = 0 [pid 5117] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5117] setpgid(0, 0) = 0 [pid 5117] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5117] write(3, "1000", 4) = 4 [pid 5117] close(3) = 0 [pid 5117] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5117] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5117] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5117] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5117] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5117] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5117] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5117] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5118 attached [pid 5118] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5117] <... clone3 resumed> => {parent_tid=[5118]}, 88) = 5118 [pid 5118] <... rseq resumed>) = 0 [pid 5117] rt_sigprocmask(SIG_SETMASK, [], [pid 5118] set_robust_list(0x7f79473519a0, 24 [pid 5117] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5118] <... set_robust_list resumed>) = 0 [pid 5117] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5118] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5117] <... futex resumed>) = 0 [pid 5117] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5117] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5118] memfd_create("syzkaller", 0) = 3 [pid 5118] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5117] <... mmap resumed>) = 0x7f793ef10000 [pid 5117] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5117] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5117] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0} => {parent_tid=[5119]}, 88) = 5119 [pid 5117] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5117] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5117] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5119 attached [pid 5119] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5119] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5119] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5119] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5119] write(4, "85", 2) = 2 [pid 5119] memfd_create("syzkaller", 0) = 5 [pid 5119] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 71.066807][ T5119] FAULT_INJECTION: forcing a failure. [ 71.066807][ T5119] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 71.082307][ T5119] CPU: 0 PID: 5119 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 71.092841][ T5119] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 71.103495][ T5119] Call Trace: [ 71.106780][ T5119] [ 71.109717][ T5119] dump_stack_lvl+0x1e7/0x2d0 [ 71.114482][ T5119] ? nf_tcp_handle_invalid+0x650/0x650 [ 71.119939][ T5119] ? panic+0x770/0x770 [ 71.124029][ T5119] should_fail_ex+0x3aa/0x4e0 [ 71.128797][ T5119] prepare_alloc_pages+0x1d9/0x5b0 [ 71.133913][ T5119] __alloc_pages+0x165/0x670 [ 71.138517][ T5119] ? zone_statistics+0x170/0x170 [ 71.143457][ T5119] ? verify_lock_unused+0x140/0x140 [ 71.148653][ T5119] ? handle_mm_fault+0x11d/0x62b0 [ 71.153673][ T5119] ? __lock_acquire+0x7f70/0x7f70 [ 71.158701][ T5119] ? pte_offset_map_nolock+0x137/0x1e0 [ 71.164158][ T5119] __folio_alloc+0x13/0x30 [ 71.168580][ T5119] vma_alloc_folio+0x48a/0x9a0 [ 71.173345][ T5119] handle_mm_fault+0x2376/0x62b0 [ 71.178290][ T5119] ? handle_mm_fault+0x11d/0x62b0 [ 71.183319][ T5119] ? numa_migrate_prep+0x380/0x380 [ 71.188436][ T5119] ? mtree_range_walk+0x6a0/0x7e0 [ 71.193460][ T5119] ? lock_vma_under_rcu+0x187/0x6f0 [ 71.198654][ T5119] ? __lock_acquire+0x7f70/0x7f70 [ 71.203670][ T5119] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 71.208876][ T5119] ? lock_vma_under_rcu+0x5df/0x6f0 [ 71.214693][ T5119] ? lock_vma_under_rcu+0x187/0x6f0 [ 71.219900][ T5119] ? exc_page_fault+0x10f/0x860 [ 71.224758][ T5119] exc_page_fault+0x455/0x860 [ 71.229438][ T5119] asm_exc_page_fault+0x26/0x30 [ 71.234289][ T5119] RIP: 0033:0x7f794735bc53 [ 71.238699][ T5119] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 71.258298][ T5119] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5118] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5118] munmap(0x7f793ef31000, 2097152) = 0 [pid 5119] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5118] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 71.264376][ T5119] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 71.272429][ T5119] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 71.280481][ T5119] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 71.288447][ T5119] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 71.296414][ T5119] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 71.304997][ T5119] [ 71.308796][ T5119] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5118] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5118] close(3) = 0 [pid 5118] mkdir("./file0", 0777) = 0 [pid 5118] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5119] <... write resumed>) = 2097152 [pid 5119] munmap(0x7f7936b10000, 2097152) = 0 [pid 5119] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5119] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5119] ioctl(3, LOOP_CLR_FD) = 0 [pid 5118] <... mount resumed>) = 0 [pid 5118] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 5119] ioctl(3, LOOP_SET_FD, 5 [pid 5118] <... openat resumed>) = 7 [pid 5119] <... ioctl resumed>) = -1 EBUSY (Device or resource busy) [pid 5118] chdir("./file0" [pid 5119] close(3 [pid 5118] <... chdir resumed>) = 0 [pid 5119] <... close resumed>) = 0 [pid 5118] ioctl(6, LOOP_CLR_FD [pid 5119] close(5 [pid 5118] <... ioctl resumed>) = 0 [pid 5118] close(6) = 0 [pid 5118] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5118] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5119] <... close resumed>) = 0 [pid 5119] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5117] <... futex resumed>) = 0 [ 71.337989][ T5118] loop0: detected capacity change from 0 to 4096 [ 71.353599][ T5118] ntfs: volume version 12.0. [pid 5119] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5117] exit_group(0) = ? [pid 5118] <... futex resumed>) = ? [pid 5118] +++ exited with 0 +++ [pid 5119] <... futex resumed>) = ? [pid 5119] +++ exited with 0 +++ [pid 5117] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5117, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./28", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./28/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./28/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./28/binderfs") = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./28/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./28/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./28") = 0 mkdir("./29", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5120 ./strace-static-x86_64: Process 5120 attached [pid 5120] set_robust_list(0x555555f176a0, 24) = 0 [pid 5120] chdir("./29") = 0 [pid 5120] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5120] setpgid(0, 0) = 0 [pid 5120] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5120] write(3, "1000", 4) = 4 [pid 5120] close(3) = 0 [pid 5120] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5120] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5120] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5120] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5120] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5120] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5120] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5120] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5121]}, 88) = 5121 ./strace-static-x86_64: Process 5121 attached [pid 5120] rt_sigprocmask(SIG_SETMASK, [], [pid 5121] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5121] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5120] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5121] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5120] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5120] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5120] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5121] memfd_create("syzkaller", 0 [pid 5120] <... mmap resumed>) = 0x7f7947310000 [pid 5120] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5120] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5120] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5121] <... memfd_create resumed>) = 3 [pid 5121] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5120] <... clone3 resumed> => {parent_tid=[5122]}, 88) = 5122 [pid 5120] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5120] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5120] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5122 attached [pid 5122] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5122] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5122] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5122] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5122] write(4, "85", 2) = 2 [pid 5122] memfd_create("syzkaller", 0) = 5 [pid 5122] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 71.484851][ T5122] FAULT_INJECTION: forcing a failure. [ 71.484851][ T5122] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 71.498439][ T5122] CPU: 1 PID: 5122 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 71.508868][ T5122] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 71.519093][ T5122] Call Trace: [ 71.522367][ T5122] [ 71.525287][ T5122] dump_stack_lvl+0x1e7/0x2d0 [ 71.529963][ T5122] ? nf_tcp_handle_invalid+0x650/0x650 [ 71.535415][ T5122] ? panic+0x770/0x770 [ 71.539486][ T5122] should_fail_ex+0x3aa/0x4e0 [ 71.544160][ T5122] prepare_alloc_pages+0x1d9/0x5b0 [ 71.549276][ T5122] __alloc_pages+0x165/0x670 [ 71.553864][ T5122] ? zone_statistics+0x170/0x170 [ 71.558805][ T5122] ? verify_lock_unused+0x140/0x140 [ 71.564008][ T5122] ? handle_mm_fault+0x11d/0x62b0 [ 71.569028][ T5122] ? __lock_acquire+0x7f70/0x7f70 [ 71.574045][ T5122] ? pte_offset_map_nolock+0x137/0x1e0 [ 71.579500][ T5122] __folio_alloc+0x13/0x30 [ 71.583912][ T5122] vma_alloc_folio+0x48a/0x9a0 [ 71.588674][ T5122] handle_mm_fault+0x2376/0x62b0 [ 71.594098][ T5122] ? handle_mm_fault+0x11d/0x62b0 [ 71.599149][ T5122] ? numa_migrate_prep+0x380/0x380 [ 71.604266][ T5122] ? mtree_range_walk+0x6a0/0x7e0 [ 71.609292][ T5122] ? lock_vma_under_rcu+0x187/0x6f0 [ 71.614485][ T5122] ? __lock_acquire+0x7f70/0x7f70 [ 71.619508][ T5122] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 71.624709][ T5122] ? lock_vma_under_rcu+0x5df/0x6f0 [ 71.629904][ T5122] ? lock_vma_under_rcu+0x187/0x6f0 [ 71.635103][ T5122] ? exc_page_fault+0x10f/0x860 [ 71.639957][ T5122] exc_page_fault+0x455/0x860 [ 71.644634][ T5122] asm_exc_page_fault+0x26/0x30 [ 71.649477][ T5122] RIP: 0033:0x7f794735bc53 [ 71.653900][ T5122] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 71.673511][ T5122] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 71.679657][ T5122] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 71.687623][ T5122] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 71.696814][ T5122] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 71.704775][ T5122] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 71.713536][ T5122] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 71.721518][ T5122] [pid 5121] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5121] munmap(0x7f793ef10000, 2097152) = 0 [pid 5121] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5122] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5121] <... openat resumed>) = 6 [ 71.731831][ T5122] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5121] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5121] close(3) = 0 [pid 5121] mkdir("./file0", 0777) = 0 [pid 5121] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5122] <... write resumed>) = 2097152 [pid 5122] munmap(0x7f7936b10000, 2097152 [pid 5121] <... mount resumed>) = 0 [pid 5121] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5121] chdir("./file0") = 0 [pid 5121] ioctl(6, LOOP_CLR_FD) = 0 [pid 5121] close(6) = 0 [pid 5121] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5121] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5122] <... munmap resumed>) = 0 [pid 5122] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5122] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5122] ioctl(6, LOOP_CLR_FD) = 0 [pid 5122] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5122] close(6) = 0 [pid 5122] close(5) = 0 [pid 5122] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5122] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5120] <... futex resumed>) = 0 [pid 5120] exit_group(0 [pid 5122] <... futex resumed>) = ? [pid 5120] <... exit_group resumed>) = ? [pid 5122] +++ exited with 0 +++ [pid 5121] <... futex resumed>) = ? [pid 5121] +++ exited with 0 +++ [pid 5120] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5120, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=36 /* 0.36 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./29", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [ 71.760136][ T5121] loop0: detected capacity change from 0 to 4096 [ 71.777033][ T5121] ntfs: volume version 12.0. getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./29/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./29/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./29/binderfs") = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./29/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./29/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./29") = 0 mkdir("./30", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5123 attached , child_tidptr=0x555555f17690) = 5123 [pid 5123] set_robust_list(0x555555f176a0, 24) = 0 [pid 5123] chdir("./30") = 0 [pid 5123] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5123] setpgid(0, 0) = 0 [pid 5123] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5123] write(3, "1000", 4) = 4 [pid 5123] close(3) = 0 [pid 5123] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5123] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5123] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5123] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5123] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5123] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5123] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5123] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5124 attached [pid 5124] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5123] <... clone3 resumed> => {parent_tid=[5124]}, 88) = 5124 [pid 5124] set_robust_list(0x7f79473519a0, 24 [pid 5123] rt_sigprocmask(SIG_SETMASK, [], [pid 5124] <... set_robust_list resumed>) = 0 [pid 5123] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5124] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5123] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5124] memfd_create("syzkaller", 0 [pid 5123] <... futex resumed>) = 0 [pid 5123] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5123] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5123] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5123] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5124] <... memfd_create resumed>) = 3 [pid 5123] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5124] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5123] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5124] <... mmap resumed>) = 0x7f793ef10000 ./strace-static-x86_64: Process 5125 attached [pid 5125] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5123] <... clone3 resumed> => {parent_tid=[5125]}, 88) = 5125 [pid 5125] <... rseq resumed>) = 0 [pid 5123] rt_sigprocmask(SIG_SETMASK, [], [pid 5125] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5123] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5125] rt_sigprocmask(SIG_SETMASK, [], [pid 5123] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5125] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5123] <... futex resumed>) = 0 [pid 5125] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5123] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5125] <... openat resumed>) = 4 [pid 5125] write(4, "85", 2 [pid 5124] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5125] <... write resumed>) = 2 [pid 5125] memfd_create("syzkaller", 0) = 5 [pid 5125] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5124] <... write resumed>) = 2097152 [ 71.915081][ T5125] FAULT_INJECTION: forcing a failure. [ 71.915081][ T5125] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 71.928598][ T5125] CPU: 1 PID: 5125 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 71.939041][ T5125] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 71.949101][ T5125] Call Trace: [ 71.952385][ T5125] [ 71.955318][ T5125] dump_stack_lvl+0x1e7/0x2d0 [ 71.960085][ T5125] ? nf_tcp_handle_invalid+0x650/0x650 [ 71.965535][ T5125] ? panic+0x770/0x770 [ 71.969619][ T5125] should_fail_ex+0x3aa/0x4e0 [ 71.974301][ T5125] prepare_alloc_pages+0x1d9/0x5b0 [ 71.979421][ T5125] __alloc_pages+0x165/0x670 [ 71.984009][ T5125] ? zone_statistics+0x170/0x170 [ 71.988954][ T5125] ? verify_lock_unused+0x140/0x140 [ 71.994160][ T5125] ? handle_mm_fault+0x11d/0x62b0 [ 71.999197][ T5125] ? __lock_acquire+0x7f70/0x7f70 [ 72.004225][ T5125] ? pte_offset_map_nolock+0x137/0x1e0 [ 72.009722][ T5125] __folio_alloc+0x13/0x30 [ 72.014154][ T5125] vma_alloc_folio+0x48a/0x9a0 [ 72.018917][ T5125] handle_mm_fault+0x2376/0x62b0 [ 72.023886][ T5125] ? handle_mm_fault+0x11d/0x62b0 [ 72.028946][ T5125] ? numa_migrate_prep+0x380/0x380 [ 72.034061][ T5125] ? mtree_range_walk+0x6a0/0x7e0 [ 72.039101][ T5125] ? lock_vma_under_rcu+0x187/0x6f0 [ 72.044313][ T5125] ? __lock_acquire+0x7f70/0x7f70 [ 72.049327][ T5125] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 72.054544][ T5125] ? lock_vma_under_rcu+0x5df/0x6f0 [ 72.059758][ T5125] ? lock_vma_under_rcu+0x187/0x6f0 [ 72.064978][ T5125] ? exc_page_fault+0x10f/0x860 [ 72.069822][ T5125] exc_page_fault+0x455/0x860 [ 72.074503][ T5125] asm_exc_page_fault+0x26/0x30 [ 72.079430][ T5125] RIP: 0033:0x7f794735bc53 [ 72.083836][ T5125] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 72.103441][ T5125] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5124] munmap(0x7f793ef10000, 2097152) = 0 [pid 5124] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 72.109589][ T5125] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 72.117568][ T5125] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 72.125538][ T5125] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 72.133518][ T5125] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 72.141506][ T5125] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 72.149508][ T5125] [ 72.152927][ T5125] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5124] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5124] close(3) = 0 [pid 5124] mkdir("./file0", 0777) = 0 [pid 5124] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5125] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5125] munmap(0x7f7936b10000, 2097152 [pid 5124] <... mount resumed>) = 0 [pid 5124] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5124] chdir("./file0") = 0 [pid 5124] ioctl(6, LOOP_CLR_FD) = 0 [pid 5124] close(6) = 0 [pid 5124] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5124] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5125] <... munmap resumed>) = 0 [pid 5125] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5125] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5125] ioctl(6, LOOP_CLR_FD) = 0 [pid 5125] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5125] close(6) = 0 [pid 5125] close(5) = 0 [pid 5125] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5123] <... futex resumed>) = 0 [pid 5125] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5123] exit_group(0) = ? [pid 5124] <... futex resumed>) = ? [pid 5125] <... futex resumed>) = ? [pid 5124] +++ exited with 0 +++ [ 72.167928][ T5124] loop0: detected capacity change from 0 to 4096 [ 72.199164][ T5124] ntfs: volume version 12.0. [pid 5125] +++ exited with 0 +++ [pid 5123] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5123, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=10 /* 0.10 s */} --- umount2("./30", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./30/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./30/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./30/binderfs") = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./30/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./30/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./30") = 0 mkdir("./31", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5126 attached , child_tidptr=0x555555f17690) = 5126 [pid 5126] set_robust_list(0x555555f176a0, 24) = 0 [pid 5126] chdir("./31") = 0 [pid 5126] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5126] setpgid(0, 0) = 0 [pid 5126] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5126] write(3, "1000", 4) = 4 [pid 5126] close(3) = 0 [pid 5126] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5126] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5126] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5126] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5126] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5126] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5126] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5127 attached => {parent_tid=[5127]}, 88) = 5127 [pid 5126] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5127] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5126] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5126] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5127] <... rseq resumed>) = 0 [pid 5126] <... mprotect resumed>) = 0 [pid 5126] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5127] set_robust_list(0x7f79473519a0, 24 [pid 5126] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5127] <... set_robust_list resumed>) = 0 [pid 5126] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5128 attached [pid 5127] rt_sigprocmask(SIG_SETMASK, [], [pid 5128] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5127] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5126] <... clone3 resumed> => {parent_tid=[5128]}, 88) = 5128 [pid 5126] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5126] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5128] <... rseq resumed>) = 0 [pid 5127] memfd_create("syzkaller", 0 [pid 5128] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5128] rt_sigprocmask(SIG_SETMASK, [], [pid 5127] <... memfd_create resumed>) = 3 [pid 5128] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5127] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5128] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5127] <... mmap resumed>) = 0x7f793ef10000 [pid 5128] <... openat resumed>) = 4 [pid 5127] munmap(0x7f793ef10000, 138412032) = 0 [pid 5128] write(4, "85", 2 [pid 5127] close(3 [pid 5128] <... write resumed>) = 2 [pid 5127] <... close resumed>) = 0 [pid 5128] memfd_create("syzkaller", 0) = 3 [pid 5127] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5128] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5127] <... futex resumed>) = 0 [pid 5128] <... mmap resumed>) = 0x7f793ef10000 [ 72.318768][ T5128] FAULT_INJECTION: forcing a failure. [ 72.318768][ T5128] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 72.332213][ T5128] CPU: 1 PID: 5128 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 72.342637][ T5128] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 72.352688][ T5128] Call Trace: [ 72.355989][ T5128] [ 72.358923][ T5128] dump_stack_lvl+0x1e7/0x2d0 [ 72.363598][ T5128] ? nf_tcp_handle_invalid+0x650/0x650 [ 72.369225][ T5128] ? panic+0x770/0x770 [ 72.373296][ T5128] should_fail_ex+0x3aa/0x4e0 [ 72.377973][ T5128] prepare_alloc_pages+0x1d9/0x5b0 [ 72.383312][ T5128] __alloc_pages+0x165/0x670 [ 72.387929][ T5128] ? zone_statistics+0x170/0x170 [ 72.392934][ T5128] ? verify_lock_unused+0x140/0x140 [ 72.398216][ T5128] ? handle_mm_fault+0x11d/0x62b0 [ 72.403237][ T5128] ? __lock_acquire+0x7f70/0x7f70 [ 72.408268][ T5128] ? pte_offset_map_nolock+0x137/0x1e0 [ 72.413722][ T5128] __folio_alloc+0x13/0x30 [ 72.418130][ T5128] vma_alloc_folio+0x48a/0x9a0 [ 72.422994][ T5128] handle_mm_fault+0x2376/0x62b0 [ 72.427997][ T5128] ? handle_mm_fault+0x11d/0x62b0 [ 72.433126][ T5128] ? numa_migrate_prep+0x380/0x380 [ 72.438260][ T5128] ? mtree_range_walk+0x6a0/0x7e0 [ 72.443292][ T5128] ? lock_vma_under_rcu+0x187/0x6f0 [ 72.448480][ T5128] ? __lock_acquire+0x7f70/0x7f70 [ 72.453500][ T5128] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 72.458722][ T5128] ? lock_vma_under_rcu+0x5df/0x6f0 [ 72.464085][ T5128] ? lock_vma_under_rcu+0x187/0x6f0 [ 72.469284][ T5128] ? exc_page_fault+0x10f/0x860 [ 72.474147][ T5128] exc_page_fault+0x455/0x860 [ 72.478832][ T5128] asm_exc_page_fault+0x26/0x30 [ 72.483726][ T5128] RIP: 0033:0x7f794735bd00 [ 72.488151][ T5128] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 72.507770][ T5128] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5127] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5128] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5128] munmap(0x7f793ef10000, 2097152) = 0 [pid 5128] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 72.513871][ T5128] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 72.521840][ T5128] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 72.529818][ T5128] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 72.537878][ T5128] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 72.546184][ T5128] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 72.554177][ T5128] [ 72.557525][ T5128] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5128] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5128] close(3) = 0 [pid 5128] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5128] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5128] ioctl(5, LOOP_CLR_FD) = 0 [ 72.596505][ T5128] loop0: detected capacity change from 0 to 4096 [ 72.615028][ T5128] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 72.622402][ T5128] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5128] close(5) = 0 [pid 5128] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5128] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5126] <... futex resumed>) = 0 [pid 5126] exit_group(0 [pid 5128] <... futex resumed>) = ? [pid 5126] <... exit_group resumed>) = ? [pid 5128] +++ exited with 0 +++ [pid 5127] <... futex resumed>) = ? [pid 5127] +++ exited with 0 +++ [pid 5126] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5126, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./31", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./31/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./31/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./31/binderfs") = 0 umount2("\x2e\x2f\x33\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x33\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x33\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x33\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x33\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./31") = 0 mkdir("./32", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5129 attached , child_tidptr=0x555555f17690) = 5129 [pid 5129] set_robust_list(0x555555f176a0, 24) = 0 [pid 5129] chdir("./32") = 0 [pid 5129] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5129] setpgid(0, 0) = 0 [pid 5129] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5129] write(3, "1000", 4) = 4 [pid 5129] close(3) = 0 [pid 5129] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5129] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5129] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5129] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5129] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5129] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5129] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5129] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5130 attached => {parent_tid=[5130]}, 88) = 5130 [pid 5130] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5129] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5130] set_robust_list(0x7f79473519a0, 24 [pid 5129] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5129] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5129] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5129] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5130] <... set_robust_list resumed>) = 0 [pid 5129] <... mprotect resumed>) = 0 [pid 5130] rt_sigprocmask(SIG_SETMASK, [], [pid 5129] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5129] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5131 attached [pid 5130] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5131] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5129] <... clone3 resumed> => {parent_tid=[5131]}, 88) = 5131 [pid 5131] <... rseq resumed>) = 0 [pid 5129] rt_sigprocmask(SIG_SETMASK, [], [pid 5131] set_robust_list(0x7f79473309a0, 24 [pid 5129] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5131] <... set_robust_list resumed>) = 0 [pid 5129] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5131] rt_sigprocmask(SIG_SETMASK, [], [pid 5129] <... futex resumed>) = 0 [pid 5131] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5129] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5131] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5130] memfd_create("syzkaller", 0) = 4 [pid 5130] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5131] <... openat resumed>) = 3 [pid 5131] write(3, "85", 2 [pid 5130] <... mmap resumed>) = 0x7f793ef10000 [pid 5130] munmap(0x7f793ef10000, 138412032 [pid 5131] <... write resumed>) = 2 [pid 5131] memfd_create("syzkaller", 0 [pid 5130] <... munmap resumed>) = 0 [pid 5131] <... memfd_create resumed>) = 5 [pid 5131] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5130] close(4 [pid 5131] <... mmap resumed>) = 0x7f793ef10000 [pid 5130] <... close resumed>) = 0 [pid 5130] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 72.738921][ T5131] FAULT_INJECTION: forcing a failure. [ 72.738921][ T5131] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 72.752488][ T5131] CPU: 0 PID: 5131 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 72.762931][ T5131] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 72.773000][ T5131] Call Trace: [ 72.776285][ T5131] [ 72.779219][ T5131] dump_stack_lvl+0x1e7/0x2d0 [ 72.783895][ T5131] ? nf_tcp_handle_invalid+0x650/0x650 [ 72.789367][ T5131] ? panic+0x770/0x770 [ 72.793439][ T5131] should_fail_ex+0x3aa/0x4e0 [ 72.798118][ T5131] prepare_alloc_pages+0x1d9/0x5b0 [ 72.803232][ T5131] __alloc_pages+0x165/0x670 [ 72.807855][ T5131] ? zone_statistics+0x170/0x170 [ 72.812804][ T5131] ? verify_lock_unused+0x140/0x140 [ 72.818007][ T5131] ? handle_mm_fault+0x11d/0x62b0 [ 72.823037][ T5131] ? __lock_acquire+0x7f70/0x7f70 [ 72.828064][ T5131] ? pte_offset_map_nolock+0x137/0x1e0 [ 72.833525][ T5131] __folio_alloc+0x13/0x30 [ 72.837949][ T5131] vma_alloc_folio+0x48a/0x9a0 [ 72.842715][ T5131] handle_mm_fault+0x2376/0x62b0 [ 72.847657][ T5131] ? handle_mm_fault+0x11d/0x62b0 [ 72.852681][ T5131] ? numa_migrate_prep+0x380/0x380 [ 72.857845][ T5131] ? mtree_range_walk+0x6a0/0x7e0 [ 72.862871][ T5131] ? lock_vma_under_rcu+0x187/0x6f0 [ 72.868062][ T5131] ? __lock_acquire+0x7f70/0x7f70 [ 72.873095][ T5131] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 72.878327][ T5131] ? lock_vma_under_rcu+0x5df/0x6f0 [ 72.883546][ T5131] ? lock_vma_under_rcu+0x187/0x6f0 [ 72.888766][ T5131] ? exc_page_fault+0x10f/0x860 [ 72.893623][ T5131] exc_page_fault+0x455/0x860 [ 72.898315][ T5131] asm_exc_page_fault+0x26/0x30 [ 72.903173][ T5131] RIP: 0033:0x7f794735bd00 [ 72.907592][ T5131] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 72.927198][ T5131] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5130] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5131] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5131] munmap(0x7f793ef10000, 2097152) = 0 [pid 5131] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 72.933281][ T5131] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 72.941340][ T5131] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 72.949312][ T5131] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 72.957279][ T5131] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 72.965245][ T5131] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 72.973233][ T5131] [ 72.976726][ T5131] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5131] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5131] close(5) = 0 [pid 5131] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5131] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 73.016258][ T5131] loop0: detected capacity change from 0 to 4096 [ 73.034106][ T5131] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 73.041178][ T5131] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5131] ioctl(4, LOOP_CLR_FD) = 0 [pid 5131] close(4) = 0 [pid 5131] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5129] <... futex resumed>) = 0 [pid 5131] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5129] exit_group(0 [pid 5131] <... futex resumed>) = ? [pid 5130] <... futex resumed>) = ? [pid 5129] <... exit_group resumed>) = ? [pid 5130] +++ exited with 0 +++ [pid 5131] +++ exited with 0 +++ [pid 5129] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5129, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- umount2("./32", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./32", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./32/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./32/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./32/binderfs") = 0 umount2("\x2e\x2f\x33\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x33\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x33\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x33\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x33\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./32") = 0 mkdir("./33", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5132 ./strace-static-x86_64: Process 5132 attached [pid 5132] set_robust_list(0x555555f176a0, 24) = 0 [pid 5132] chdir("./33") = 0 [pid 5132] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5132] setpgid(0, 0) = 0 [pid 5132] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5132] write(3, "1000", 4) = 4 [pid 5132] close(3) = 0 [pid 5132] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5132] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5132] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5132] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5132] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5132] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5132] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5132] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5133 attached [pid 5133] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5132] <... clone3 resumed> => {parent_tid=[5133]}, 88) = 5133 [pid 5133] <... rseq resumed>) = 0 [pid 5132] rt_sigprocmask(SIG_SETMASK, [], [pid 5133] set_robust_list(0x7f79473519a0, 24 [pid 5132] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5133] <... set_robust_list resumed>) = 0 [pid 5132] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5133] rt_sigprocmask(SIG_SETMASK, [], [pid 5132] <... futex resumed>) = 0 [pid 5133] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5132] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5132] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5133] memfd_create("syzkaller", 0 [pid 5132] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5133] <... memfd_create resumed>) = 3 [pid 5133] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5132] <... mprotect resumed>) = 0 [pid 5133] <... mmap resumed>) = 0x7f793ef10000 [pid 5132] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5132] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5134]}, 88) = 5134 [pid 5132] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5132] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5134 attached [pid 5134] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5134] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5132] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5134] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5134] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5134] write(4, "85", 2) = 2 [pid 5134] memfd_create("syzkaller", 0) = 5 [pid 5134] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5133] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 73.195260][ T5134] FAULT_INJECTION: forcing a failure. [ 73.195260][ T5134] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 73.209181][ T5134] CPU: 1 PID: 5134 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 73.220142][ T5134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 73.230213][ T5134] Call Trace: [ 73.233493][ T5134] [ 73.236418][ T5134] dump_stack_lvl+0x1e7/0x2d0 [ 73.241097][ T5134] ? nf_tcp_handle_invalid+0x650/0x650 [ 73.246549][ T5134] ? panic+0x770/0x770 [ 73.250621][ T5134] should_fail_ex+0x3aa/0x4e0 [ 73.255301][ T5134] prepare_alloc_pages+0x1d9/0x5b0 [ 73.260416][ T5134] __alloc_pages+0x165/0x670 [ 73.265013][ T5134] ? zone_statistics+0x170/0x170 [ 73.269950][ T5134] ? verify_lock_unused+0x140/0x140 [ 73.275229][ T5134] ? handle_mm_fault+0x11d/0x62b0 [ 73.280247][ T5134] ? __lock_acquire+0x7f70/0x7f70 [ 73.285260][ T5134] ? pte_offset_map_nolock+0x137/0x1e0 [ 73.290715][ T5134] __folio_alloc+0x13/0x30 [ 73.295125][ T5134] vma_alloc_folio+0x48a/0x9a0 [ 73.299886][ T5134] handle_mm_fault+0x2376/0x62b0 [ 73.304824][ T5134] ? handle_mm_fault+0x11d/0x62b0 [ 73.309857][ T5134] ? numa_migrate_prep+0x380/0x380 [ 73.315063][ T5134] ? mtree_range_walk+0x6a0/0x7e0 [ 73.320170][ T5134] ? lock_vma_under_rcu+0x187/0x6f0 [ 73.325362][ T5134] ? __lock_acquire+0x7f70/0x7f70 [ 73.330376][ T5134] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 73.335577][ T5134] ? lock_vma_under_rcu+0x5df/0x6f0 [ 73.340772][ T5134] ? lock_vma_under_rcu+0x187/0x6f0 [ 73.345972][ T5134] ? exc_page_fault+0x10f/0x860 [ 73.350826][ T5134] exc_page_fault+0x455/0x860 [ 73.355501][ T5134] asm_exc_page_fault+0x26/0x30 [ 73.360431][ T5134] RIP: 0033:0x7f794735bc53 [ 73.364839][ T5134] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 73.384443][ T5134] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 73.390681][ T5134] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 73.398734][ T5134] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 73.406784][ T5134] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 73.414758][ T5134] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 73.422720][ T5134] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 73.430784][ T5134] [ 73.434529][ T5134] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5133] munmap(0x7f793ef10000, 2097152) = 0 [pid 5133] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5133] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5133] close(3) = 0 [pid 5133] mkdir("./file0", 0777) = 0 [pid 5133] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5133] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5133] chdir("./file0" [pid 5134] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5133] <... chdir resumed>) = 0 [pid 5133] ioctl(6, LOOP_CLR_FD) = 0 [pid 5133] close(6) = 0 [pid 5133] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5133] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5134] <... write resumed>) = 2097152 [pid 5134] munmap(0x7f7936b10000, 2097152) = 0 [pid 5134] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5134] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5134] ioctl(6, LOOP_CLR_FD) = 0 [pid 5134] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [ 73.444367][ T5133] loop0: detected capacity change from 0 to 4096 [ 73.461590][ T5133] ntfs: volume version 12.0. [pid 5134] close(6) = 0 [pid 5134] close(5) = 0 [pid 5134] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5132] <... futex resumed>) = 0 [pid 5134] <... futex resumed>) = 1 [pid 5132] exit_group(0) = ? [pid 5133] <... futex resumed>) = ? [pid 5133] +++ exited with 0 +++ [pid 5134] +++ exited with 0 +++ [pid 5132] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5132, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=13 /* 0.13 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./33", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./33/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./33/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./33/binderfs") = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./33/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./33/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./33") = 0 mkdir("./34", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5135 attached , child_tidptr=0x555555f17690) = 5135 [pid 5135] set_robust_list(0x555555f176a0, 24) = 0 [pid 5135] chdir("./34") = 0 [pid 5135] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5135] setpgid(0, 0) = 0 [pid 5135] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5135] write(3, "1000", 4) = 4 [pid 5135] close(3) = 0 [pid 5135] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5135] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5135] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5135] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5135] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5135] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5135] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5135] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5136 attached => {parent_tid=[5136]}, 88) = 5136 [pid 5136] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5135] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5135] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5135] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5136] <... rseq resumed>) = 0 [pid 5135] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5136] set_robust_list(0x7f79473519a0, 24 [pid 5135] <... mmap resumed>) = 0x7f7947310000 [pid 5136] <... set_robust_list resumed>) = 0 [pid 5136] rt_sigprocmask(SIG_SETMASK, [], [pid 5135] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5136] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5135] <... mprotect resumed>) = 0 [pid 5135] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5135] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5137 attached [pid 5137] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5135] <... clone3 resumed> => {parent_tid=[5137]}, 88) = 5137 [pid 5137] <... rseq resumed>) = 0 [pid 5136] memfd_create("syzkaller", 0 [pid 5137] set_robust_list(0x7f79473309a0, 24 [pid 5135] rt_sigprocmask(SIG_SETMASK, [], [pid 5137] <... set_robust_list resumed>) = 0 [pid 5136] <... memfd_create resumed>) = 3 [pid 5137] rt_sigprocmask(SIG_SETMASK, [], [pid 5135] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5137] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5135] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5137] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5136] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5135] <... futex resumed>) = 0 [pid 5135] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5136] <... mmap resumed>) = 0x7f793ef10000 [pid 5136] munmap(0x7f793ef10000, 138412032) = 0 [pid 5137] <... openat resumed>) = 4 [pid 5137] write(4, "85", 2) = 2 [pid 5136] close(3 [pid 5137] memfd_create("syzkaller", 0) = 5 [pid 5137] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5136] <... close resumed>) = 0 [pid 5136] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 73.601430][ T5137] FAULT_INJECTION: forcing a failure. [ 73.601430][ T5137] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 73.615573][ T5137] CPU: 0 PID: 5137 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 73.626183][ T5137] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 73.636335][ T5137] Call Trace: [ 73.639708][ T5137] [ 73.642630][ T5137] dump_stack_lvl+0x1e7/0x2d0 [ 73.647490][ T5137] ? nf_tcp_handle_invalid+0x650/0x650 [ 73.652998][ T5137] ? panic+0x770/0x770 [ 73.657081][ T5137] should_fail_ex+0x3aa/0x4e0 [ 73.661775][ T5137] prepare_alloc_pages+0x1d9/0x5b0 [ 73.666896][ T5137] __alloc_pages+0x165/0x670 [ 73.671488][ T5137] ? zone_statistics+0x170/0x170 [ 73.676433][ T5137] ? verify_lock_unused+0x140/0x140 [ 73.681620][ T5137] ? handle_mm_fault+0x11d/0x62b0 [ 73.686647][ T5137] ? __lock_acquire+0x7f70/0x7f70 [ 73.691709][ T5137] ? pte_offset_map_nolock+0x137/0x1e0 [ 73.697270][ T5137] __folio_alloc+0x13/0x30 [ 73.701736][ T5137] vma_alloc_folio+0x48a/0x9a0 [ 73.706517][ T5137] handle_mm_fault+0x2376/0x62b0 [ 73.711455][ T5137] ? handle_mm_fault+0x11d/0x62b0 [ 73.716494][ T5137] ? numa_migrate_prep+0x380/0x380 [ 73.721692][ T5137] ? mtree_range_walk+0x6a0/0x7e0 [ 73.726719][ T5137] ? lock_vma_under_rcu+0x187/0x6f0 [ 73.731911][ T5137] ? __lock_acquire+0x7f70/0x7f70 [ 73.736930][ T5137] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 73.742146][ T5137] ? lock_vma_under_rcu+0x5df/0x6f0 [ 73.747374][ T5137] ? lock_vma_under_rcu+0x187/0x6f0 [ 73.752660][ T5137] ? exc_page_fault+0x10f/0x860 [ 73.757530][ T5137] exc_page_fault+0x455/0x860 [ 73.762247][ T5137] asm_exc_page_fault+0x26/0x30 [ 73.767233][ T5137] RIP: 0033:0x7f794735bd00 [ 73.771741][ T5137] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 73.791428][ T5137] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5136] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5137] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5137] munmap(0x7f793ef10000, 2097152) = 0 [pid 5137] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 73.797495][ T5137] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 73.805542][ T5137] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 73.813609][ T5137] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 73.821661][ T5137] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 73.829895][ T5137] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 73.837903][ T5137] [pid 5137] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5137] close(5) = 0 [pid 5137] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5137] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 73.875126][ T5137] loop0: detected capacity change from 0 to 4096 [ 73.894099][ T5137] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 73.901293][ T5137] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5137] ioctl(3, LOOP_CLR_FD) = 0 [pid 5137] close(3) = 0 [pid 5137] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5137] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5135] <... futex resumed>) = 0 [pid 5135] exit_group(0 [pid 5137] <... futex resumed>) = ? [pid 5136] <... futex resumed>) = ? [pid 5137] +++ exited with 0 +++ [pid 5136] +++ exited with 0 +++ [pid 5135] <... exit_group resumed>) = ? [pid 5135] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5135, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=8 /* 0.08 s */} --- umount2("./34", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./34", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./34/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./34/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./34/binderfs") = 0 umount2("\x2e\x2f\x33\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x33\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x33\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x33\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x33\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./34") = 0 mkdir("./35", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5138 attached , child_tidptr=0x555555f17690) = 5138 [pid 5138] set_robust_list(0x555555f176a0, 24) = 0 [pid 5138] chdir("./35") = 0 [pid 5138] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5138] setpgid(0, 0) = 0 [pid 5138] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5138] write(3, "1000", 4) = 4 [pid 5138] close(3) = 0 [pid 5138] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5138] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5138] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5138] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5138] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5138] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5138] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5139 attached => {parent_tid=[5139]}, 88) = 5139 [pid 5139] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5138] rt_sigprocmask(SIG_SETMASK, [], [pid 5139] <... rseq resumed>) = 0 [pid 5138] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5138] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5139] set_robust_list(0x7f79473519a0, 24 [pid 5138] <... futex resumed>) = 0 [pid 5138] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5138] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5138] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5138] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5140 attached [pid 5140] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5140] set_robust_list(0x7f79473309a0, 24 [pid 5138] <... clone3 resumed> => {parent_tid=[5140]}, 88) = 5140 [pid 5140] <... set_robust_list resumed>) = 0 [pid 5139] <... set_robust_list resumed>) = 0 [pid 5138] rt_sigprocmask(SIG_SETMASK, [], [pid 5140] rt_sigprocmask(SIG_SETMASK, [], [pid 5139] rt_sigprocmask(SIG_SETMASK, [], [pid 5138] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5140] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5138] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5140] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5139] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5138] <... futex resumed>) = 0 [pid 5138] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5140] <... openat resumed>) = 3 [pid 5140] write(3, "85", 2) = 2 [pid 5140] memfd_create("syzkaller", 0) = 4 [pid 5140] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5139] memfd_create("syzkaller", 0) = 5 [ 74.015917][ T5140] FAULT_INJECTION: forcing a failure. [ 74.015917][ T5140] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 74.029713][ T5140] CPU: 0 PID: 5140 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 74.040166][ T5140] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 74.050244][ T5140] Call Trace: [ 74.053546][ T5140] [ 74.056514][ T5140] dump_stack_lvl+0x1e7/0x2d0 [ 74.061206][ T5140] ? nf_tcp_handle_invalid+0x650/0x650 [ 74.066706][ T5140] ? panic+0x770/0x770 [ 74.070903][ T5140] should_fail_ex+0x3aa/0x4e0 [ 74.075817][ T5140] prepare_alloc_pages+0x1d9/0x5b0 [ 74.080966][ T5140] __alloc_pages+0x165/0x670 [ 74.085572][ T5140] ? zone_statistics+0x170/0x170 [ 74.090535][ T5140] ? verify_lock_unused+0x140/0x140 [ 74.095755][ T5140] ? handle_mm_fault+0x11d/0x62b0 [ 74.100790][ T5140] ? __lock_acquire+0x7f70/0x7f70 [ 74.105824][ T5140] ? pte_offset_map_nolock+0x137/0x1e0 [ 74.111819][ T5140] __folio_alloc+0x13/0x30 [ 74.116231][ T5140] vma_alloc_folio+0x48a/0x9a0 [ 74.120994][ T5140] handle_mm_fault+0x2376/0x62b0 [ 74.125943][ T5140] ? handle_mm_fault+0x11d/0x62b0 [ 74.130983][ T5140] ? numa_migrate_prep+0x380/0x380 [ 74.136107][ T5140] ? mtree_range_walk+0x6a0/0x7e0 [ 74.141214][ T5140] ? lock_vma_under_rcu+0x187/0x6f0 [ 74.146420][ T5140] ? __lock_acquire+0x7f70/0x7f70 [ 74.151538][ T5140] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 74.156735][ T5140] ? lock_vma_under_rcu+0x5df/0x6f0 [ 74.161927][ T5140] ? lock_vma_under_rcu+0x187/0x6f0 [ 74.167269][ T5140] ? exc_page_fault+0x10f/0x860 [ 74.172135][ T5140] exc_page_fault+0x455/0x860 [ 74.176994][ T5140] asm_exc_page_fault+0x26/0x30 [ 74.181850][ T5140] RIP: 0033:0x7f794735bc53 [ 74.186275][ T5140] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 74.205883][ T5140] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5139] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5140] munmap(0x7f793ef10000, 138412032) = 0 [pid 5140] close(4) = 0 [pid 5140] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5140] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5138] <... futex resumed>) = 0 [ 74.211960][ T5140] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 74.220189][ T5140] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 74.228165][ T5140] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 74.236169][ T5140] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 74.244392][ T5140] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 74.252389][ T5140] [pid 5139] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5139] munmap(0x7f7936b10000, 2097152) = 0 [pid 5139] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5139] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5139] close(5) = 0 [pid 5139] mkdir("./file0", 0777) = 0 [pid 5139] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5139] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5139] chdir("./file0") = 0 [pid 5139] ioctl(4, LOOP_CLR_FD) = 0 [pid 5139] close(4) = 0 [pid 5139] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5139] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5138] exit_group(0 [pid 5140] <... futex resumed>) = ? [pid 5139] <... futex resumed>) = ? [pid 5138] <... exit_group resumed>) = ? [pid 5139] +++ exited with 0 +++ [pid 5140] +++ exited with 0 +++ [pid 5138] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5138, si_uid=0, si_status=0, si_utime=0, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./35", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./35/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./35/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./35/binderfs") = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./35/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./35/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./35") = 0 [ 74.306017][ T5139] loop0: detected capacity change from 0 to 4096 [ 74.318315][ T5139] ntfs: volume version 12.0. mkdir("./36", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5141 ./strace-static-x86_64: Process 5141 attached [pid 5141] set_robust_list(0x555555f176a0, 24) = 0 [pid 5141] chdir("./36") = 0 [pid 5141] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5141] setpgid(0, 0) = 0 [pid 5141] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5141] write(3, "1000", 4) = 4 [pid 5141] close(3) = 0 [pid 5141] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5141] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5141] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5141] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5141] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5141] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5141] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5141] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5142]}, 88) = 5142 [pid 5141] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5141] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5142 attached [pid 5141] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5141] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5142] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5141] <... mmap resumed>) = 0x7f7947310000 [pid 5142] <... rseq resumed>) = 0 [pid 5142] set_robust_list(0x7f79473519a0, 24 [pid 5141] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5142] <... set_robust_list resumed>) = 0 [pid 5141] <... mprotect resumed>) = 0 [pid 5142] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5141] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5141] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5143 attached [pid 5143] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5141] <... clone3 resumed> => {parent_tid=[5143]}, 88) = 5143 [pid 5143] <... rseq resumed>) = 0 [pid 5142] memfd_create("syzkaller", 0 [pid 5143] set_robust_list(0x7f79473309a0, 24 [pid 5141] rt_sigprocmask(SIG_SETMASK, [], [pid 5143] <... set_robust_list resumed>) = 0 [pid 5141] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5143] rt_sigprocmask(SIG_SETMASK, [], [pid 5141] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5143] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5143] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5142] <... memfd_create resumed>) = 3 [pid 5141] <... futex resumed>) = 0 [pid 5142] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5141] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5143] <... openat resumed>) = 4 [pid 5143] write(4, "85", 2) = 2 [pid 5143] memfd_create("syzkaller", 0) = 5 [pid 5143] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5142] munmap(0x7f793ef10000, 138412032) = 0 [pid 5142] close(3) = 0 [pid 5142] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 74.418975][ T5143] FAULT_INJECTION: forcing a failure. [ 74.418975][ T5143] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 74.432910][ T5143] CPU: 1 PID: 5143 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 74.443329][ T5143] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 74.453386][ T5143] Call Trace: [ 74.456652][ T5143] [ 74.459656][ T5143] dump_stack_lvl+0x1e7/0x2d0 [ 74.464320][ T5143] ? nf_tcp_handle_invalid+0x650/0x650 [ 74.469772][ T5143] ? panic+0x770/0x770 [ 74.473836][ T5143] should_fail_ex+0x3aa/0x4e0 [ 74.478697][ T5143] prepare_alloc_pages+0x1d9/0x5b0 [ 74.483804][ T5143] __alloc_pages+0x165/0x670 [ 74.488405][ T5143] ? zone_statistics+0x170/0x170 [ 74.493447][ T5143] ? verify_lock_unused+0x140/0x140 [ 74.498629][ T5143] ? handle_mm_fault+0x11d/0x62b0 [ 74.503741][ T5143] ? __lock_acquire+0x7f70/0x7f70 [ 74.508751][ T5143] ? pte_offset_map_nolock+0x137/0x1e0 [ 74.514221][ T5143] __folio_alloc+0x13/0x30 [ 74.518644][ T5143] vma_alloc_folio+0x48a/0x9a0 [ 74.523410][ T5143] handle_mm_fault+0x2376/0x62b0 [ 74.528340][ T5143] ? handle_mm_fault+0x11d/0x62b0 [ 74.533356][ T5143] ? numa_migrate_prep+0x380/0x380 [ 74.538485][ T5143] ? mtree_range_walk+0x6a0/0x7e0 [ 74.543515][ T5143] ? lock_vma_under_rcu+0x187/0x6f0 [ 74.548722][ T5143] ? __lock_acquire+0x7f70/0x7f70 [ 74.553729][ T5143] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 74.559191][ T5143] ? lock_vma_under_rcu+0x5df/0x6f0 [ 74.564482][ T5143] ? lock_vma_under_rcu+0x187/0x6f0 [ 74.569761][ T5143] ? exc_page_fault+0x10f/0x860 [ 74.574601][ T5143] exc_page_fault+0x455/0x860 [ 74.579267][ T5143] asm_exc_page_fault+0x26/0x30 [ 74.584115][ T5143] RIP: 0033:0x7f794735bc53 [ 74.588532][ T5143] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 74.608271][ T5143] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 74.614928][ T5143] RAX: 0000000000047000 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 74.623072][ T5143] RDX: 00007f794732f8f0 RSI: 000000000000002e RDI: 00007f794732f7f0 [ 74.631029][ T5143] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 74.638984][ T5143] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 74.646939][ T5143] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f794732f7f0 [ 74.654901][ T5143] [ 74.658585][ T5143] pagefault_out_of_memory: 2 callbacks suppressed [pid 5142] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5143] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5143] munmap(0x7f7936b10000, 2097152) = 0 [pid 5143] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 74.658595][ T5143] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5143] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5143] close(5) = 0 [pid 5143] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5143] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 74.702777][ T5143] loop0: detected capacity change from 0 to 4096 [ 74.720658][ T5143] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 74.728001][ T5143] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5143] ioctl(3, LOOP_CLR_FD) = 0 [pid 5143] close(3) = 0 [pid 5143] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5141] <... futex resumed>) = 0 [pid 5141] exit_group(0) = ? [pid 5142] <... futex resumed>) = ? [pid 5142] +++ exited with 0 +++ [pid 5143] +++ exited with 0 +++ [pid 5141] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5141, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=8 /* 0.08 s */} --- umount2("./36", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./36", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./36/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./36/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./36/binderfs") = 0 umount2("\x2e\x2f\x33\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x33\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x33\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x33\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x33\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./36") = 0 mkdir("./37", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5144 attached , child_tidptr=0x555555f17690) = 5144 [pid 5144] set_robust_list(0x555555f176a0, 24) = 0 [pid 5144] chdir("./37") = 0 [pid 5144] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5144] setpgid(0, 0) = 0 [pid 5144] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5144] write(3, "1000", 4) = 4 [pid 5144] close(3) = 0 [pid 5144] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5144] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5144] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5144] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5144] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5144] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5144] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5144] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5145]}, 88) = 5145 ./strace-static-x86_64: Process 5145 attached [pid 5144] rt_sigprocmask(SIG_SETMASK, [], [pid 5145] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5145] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5144] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5144] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5144] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5145] rt_sigprocmask(SIG_SETMASK, [], [pid 5144] <... futex resumed>) = 0 [pid 5145] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5144] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5144] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5144] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5144] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5146 attached => {parent_tid=[5146]}, 88) = 5146 [pid 5146] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5146] set_robust_list(0x7f79473309a0, 24 [pid 5144] rt_sigprocmask(SIG_SETMASK, [], [pid 5146] <... set_robust_list resumed>) = 0 [pid 5144] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5146] rt_sigprocmask(SIG_SETMASK, [], [pid 5144] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5146] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5144] <... futex resumed>) = 0 [pid 5145] memfd_create("syzkaller", 0 [pid 5146] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5144] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5146] <... openat resumed>) = 3 [pid 5145] <... memfd_create resumed>) = 4 [pid 5145] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5146] write(3, "85", 2 [pid 5145] <... mmap resumed>) = 0x7f793ef10000 [pid 5145] munmap(0x7f793ef10000, 138412032 [pid 5146] <... write resumed>) = 2 [pid 5146] memfd_create("syzkaller", 0) = 5 [pid 5145] <... munmap resumed>) = 0 [pid 5145] close(4 [pid 5146] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5145] <... close resumed>) = 0 [pid 5146] <... mmap resumed>) = 0x7f793ef10000 [pid 5145] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 74.860874][ T5146] FAULT_INJECTION: forcing a failure. [ 74.860874][ T5146] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 74.874238][ T5146] CPU: 1 PID: 5146 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 74.884757][ T5146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 74.894806][ T5146] Call Trace: [ 74.898083][ T5146] [ 74.901014][ T5146] dump_stack_lvl+0x1e7/0x2d0 [ 74.905707][ T5146] ? nf_tcp_handle_invalid+0x650/0x650 [ 74.911252][ T5146] ? panic+0x770/0x770 [ 74.915327][ T5146] should_fail_ex+0x3aa/0x4e0 [ 74.920134][ T5146] prepare_alloc_pages+0x1d9/0x5b0 [ 74.925419][ T5146] __alloc_pages+0x165/0x670 [ 74.930005][ T5146] ? zone_statistics+0x170/0x170 [ 74.934973][ T5146] ? verify_lock_unused+0x140/0x140 [ 74.940172][ T5146] ? handle_mm_fault+0x11d/0x62b0 [ 74.945200][ T5146] ? __lock_acquire+0x7f70/0x7f70 [ 74.950232][ T5146] ? pte_offset_map_nolock+0x137/0x1e0 [ 74.955684][ T5146] __folio_alloc+0x13/0x30 [ 74.960113][ T5146] vma_alloc_folio+0x48a/0x9a0 [ 74.964885][ T5146] handle_mm_fault+0x2376/0x62b0 [ 74.969926][ T5146] ? handle_mm_fault+0x11d/0x62b0 [ 74.974949][ T5146] ? numa_migrate_prep+0x380/0x380 [ 74.980059][ T5146] ? mtree_range_walk+0x6a0/0x7e0 [ 74.985106][ T5146] ? lock_vma_under_rcu+0x187/0x6f0 [ 74.990297][ T5146] ? __lock_acquire+0x7f70/0x7f70 [ 74.995832][ T5146] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 75.001056][ T5146] ? lock_vma_under_rcu+0x5df/0x6f0 [ 75.006290][ T5146] ? lock_vma_under_rcu+0x187/0x6f0 [ 75.011504][ T5146] ? exc_page_fault+0x10f/0x860 [ 75.016454][ T5146] exc_page_fault+0x455/0x860 [ 75.021144][ T5146] asm_exc_page_fault+0x26/0x30 [ 75.026685][ T5146] RIP: 0033:0x7f794735bd00 [ 75.031089][ T5146] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 75.050694][ T5146] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5145] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5146] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5146] munmap(0x7f793ef10000, 2097152) = 0 [pid 5146] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 75.056767][ T5146] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 75.064746][ T5146] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 75.072711][ T5146] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 75.080714][ T5146] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 75.088706][ T5146] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 75.096688][ T5146] [ 75.100140][ T5146] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5146] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5146] close(5) = 0 [pid 5146] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5146] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5146] ioctl(4, LOOP_CLR_FD) = 0 [ 75.142889][ T5146] loop0: detected capacity change from 0 to 4096 [ 75.161341][ T5146] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 75.168628][ T5146] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5146] close(4) = 0 [pid 5146] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5144] <... futex resumed>) = 0 [pid 5146] <... futex resumed>) = 1 [pid 5144] exit_group(0) = ? [pid 5145] <... futex resumed>) = ? [pid 5146] +++ exited with 0 +++ [pid 5145] +++ exited with 0 +++ [pid 5144] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5144, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} --- umount2("./37", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./37", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./37/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./37/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./37/binderfs") = 0 umount2("\x2e\x2f\x33\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x33\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x33\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x33\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x33\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./37") = 0 mkdir("./38", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5147 attached , child_tidptr=0x555555f17690) = 5147 [pid 5147] set_robust_list(0x555555f176a0, 24) = 0 [pid 5147] chdir("./38") = 0 [pid 5147] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5147] setpgid(0, 0) = 0 [pid 5147] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5147] write(3, "1000", 4) = 4 [pid 5147] close(3) = 0 [pid 5147] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5147] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5147] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5147] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5147] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5147] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5147] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5147] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5148 attached [pid 5148] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5147] <... clone3 resumed> => {parent_tid=[5148]}, 88) = 5148 [pid 5148] <... rseq resumed>) = 0 [pid 5148] set_robust_list(0x7f79473519a0, 24 [pid 5147] rt_sigprocmask(SIG_SETMASK, [], [pid 5148] <... set_robust_list resumed>) = 0 [pid 5147] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5148] rt_sigprocmask(SIG_SETMASK, [], [pid 5147] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5148] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5147] <... futex resumed>) = 0 [pid 5147] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5148] memfd_create("syzkaller", 0 [pid 5147] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5148] <... memfd_create resumed>) = 3 [pid 5148] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5147] <... mmap resumed>) = 0x7f7947310000 [pid 5148] <... mmap resumed>) = 0x7f793ef10000 [pid 5147] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5147] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5147] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5149]}, 88) = 5149 [pid 5147] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5147] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5147] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5149 attached [pid 5149] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5149] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5149] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5149] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5149] write(4, "85", 2) = 2 [pid 5149] memfd_create("syzkaller", 0) = 5 [pid 5149] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5148] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 75.320066][ T5149] FAULT_INJECTION: forcing a failure. [ 75.320066][ T5149] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 75.333774][ T5149] CPU: 0 PID: 5149 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 75.344316][ T5149] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 75.354381][ T5149] Call Trace: [ 75.357668][ T5149] [ 75.360597][ T5149] dump_stack_lvl+0x1e7/0x2d0 [ 75.365291][ T5149] ? nf_tcp_handle_invalid+0x650/0x650 [ 75.370768][ T5149] ? panic+0x770/0x770 [ 75.374844][ T5149] should_fail_ex+0x3aa/0x4e0 [ 75.379700][ T5149] prepare_alloc_pages+0x1d9/0x5b0 [ 75.384819][ T5149] __alloc_pages+0x165/0x670 [ 75.389410][ T5149] ? zone_statistics+0x170/0x170 [ 75.394352][ T5149] ? verify_lock_unused+0x140/0x140 [ 75.399737][ T5149] ? handle_mm_fault+0x11d/0x62b0 [ 75.404760][ T5149] ? __lock_acquire+0x7f70/0x7f70 [ 75.409783][ T5149] ? pte_offset_map_nolock+0x137/0x1e0 [ 75.415343][ T5149] __folio_alloc+0x13/0x30 [ 75.419757][ T5149] vma_alloc_folio+0x48a/0x9a0 [ 75.424521][ T5149] handle_mm_fault+0x2376/0x62b0 [ 75.429464][ T5149] ? handle_mm_fault+0x11d/0x62b0 [ 75.434494][ T5149] ? numa_migrate_prep+0x380/0x380 [ 75.439695][ T5149] ? mtree_range_walk+0x6a0/0x7e0 [ 75.444726][ T5149] ? lock_vma_under_rcu+0x187/0x6f0 [ 75.449920][ T5149] ? __lock_acquire+0x7f70/0x7f70 [ 75.454936][ T5149] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 75.460144][ T5149] ? lock_vma_under_rcu+0x5df/0x6f0 [ 75.465335][ T5149] ? lock_vma_under_rcu+0x187/0x6f0 [ 75.470536][ T5149] ? exc_page_fault+0x10f/0x860 [ 75.475379][ T5149] exc_page_fault+0x455/0x860 [ 75.480055][ T5149] asm_exc_page_fault+0x26/0x30 [ 75.484900][ T5149] RIP: 0033:0x7f794735bc53 [ 75.489394][ T5149] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 75.508990][ T5149] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5148] munmap(0x7f793ef10000, 2097152) = 0 [pid 5148] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 75.515047][ T5149] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 75.523043][ T5149] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 75.531007][ T5149] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 75.538971][ T5149] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 75.547042][ T5149] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 75.555192][ T5149] [ 75.561695][ T5149] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5148] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5148] close(3) = 0 [pid 5148] mkdir("./file0", 0777) = 0 [pid 5148] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5149] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5149] munmap(0x7f7936b10000, 2097152) = 0 [pid 5149] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5149] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5149] ioctl(3, LOOP_CLR_FD) = 0 [ 75.573379][ T5148] loop0: detected capacity change from 0 to 4096 [ 75.588417][ T5148] __ntfs_error: 158 callbacks suppressed [ 75.588431][ T5148] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 75.605263][ T5148] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5149] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5149] close(3) = 0 [pid 5149] close(5) = 0 [pid 5149] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5147] <... futex resumed>) = 0 [ 75.618736][ T5148] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 75.642761][ T5148] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 75.653922][ T5148] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 75.663326][ T5148] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 75.677204][ T5148] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 75.689764][ T5148] ntfs: volume version 12.0. [ 75.696364][ T5148] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 75.704824][ T5148] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [pid 5149] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5148] <... mount resumed>) = 0 [pid 5148] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5148] chdir("./file0") = 0 [pid 5148] ioctl(6, LOOP_CLR_FD) = 0 [pid 5148] close(6) = 0 [pid 5148] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5148] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5147] exit_group(0 [pid 5149] <... futex resumed>) = ? [pid 5148] <... futex resumed>) = ? [pid 5149] +++ exited with 0 +++ [pid 5148] +++ exited with 0 +++ [pid 5147] <... exit_group resumed>) = ? [pid 5147] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5147, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=24 /* 0.24 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./38/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./38/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./38/binderfs") = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./38/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./38/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./38") = 0 [ 75.718427][ T5148] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. mkdir("./39", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5150 attached , child_tidptr=0x555555f17690) = 5150 [pid 5150] set_robust_list(0x555555f176a0, 24) = 0 [pid 5150] chdir("./39") = 0 [pid 5150] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5150] setpgid(0, 0) = 0 [pid 5150] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5150] write(3, "1000", 4) = 4 [pid 5150] close(3) = 0 [pid 5150] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5150] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5150] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5150] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5150] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5150] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5150] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5151]}, 88) = 5151 [pid 5150] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5150] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5150] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5150] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5150] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5152 attached [pid 5152] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5150] <... clone3 resumed> => {parent_tid=[5152]}, 88) = 5152 [pid 5152] <... rseq resumed>) = 0 [pid 5152] set_robust_list(0x7f79473309a0, 24 [pid 5150] rt_sigprocmask(SIG_SETMASK, [], [pid 5152] <... set_robust_list resumed>) = 0 [pid 5150] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5151 attached [pid 5152] rt_sigprocmask(SIG_SETMASK, [], [pid 5150] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5152] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5150] <... futex resumed>) = 0 [pid 5152] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5151] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5150] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5151] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5151] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5152] <... openat resumed>) = 3 [pid 5152] write(3, "85", 2 [pid 5151] memfd_create("syzkaller", 0 [pid 5152] <... write resumed>) = 2 [pid 5152] memfd_create("syzkaller", 0 [pid 5151] <... memfd_create resumed>) = 4 [pid 5151] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5152] <... memfd_create resumed>) = 5 [pid 5151] <... mmap resumed>) = 0x7f793ef10000 [pid 5152] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 75.832604][ T5152] FAULT_INJECTION: forcing a failure. [ 75.832604][ T5152] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 75.847922][ T5152] CPU: 1 PID: 5152 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 75.858476][ T5152] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 75.868546][ T5152] Call Trace: [ 75.871820][ T5152] [ 75.874870][ T5152] dump_stack_lvl+0x1e7/0x2d0 [ 75.879549][ T5152] ? nf_tcp_handle_invalid+0x650/0x650 [ 75.885001][ T5152] ? panic+0x770/0x770 [ 75.889082][ T5152] should_fail_ex+0x3aa/0x4e0 [ 75.893768][ T5152] prepare_alloc_pages+0x1d9/0x5b0 [ 75.898896][ T5152] __alloc_pages+0x165/0x670 [ 75.903482][ T5152] ? zone_statistics+0x170/0x170 [ 75.908422][ T5152] ? verify_lock_unused+0x140/0x140 [ 75.913615][ T5152] ? handle_mm_fault+0x11d/0x62b0 [ 75.918639][ T5152] ? __lock_acquire+0x7f70/0x7f70 [ 75.923666][ T5152] ? pte_offset_map_nolock+0x137/0x1e0 [ 75.929131][ T5152] __folio_alloc+0x13/0x30 [ 75.933718][ T5152] vma_alloc_folio+0x48a/0x9a0 [ 75.938484][ T5152] handle_mm_fault+0x2376/0x62b0 [ 75.943622][ T5152] ? handle_mm_fault+0x11d/0x62b0 [ 75.948675][ T5152] ? numa_migrate_prep+0x380/0x380 [ 75.953811][ T5152] ? mtree_range_walk+0x6a0/0x7e0 [ 75.958839][ T5152] ? lock_vma_under_rcu+0x187/0x6f0 [ 75.964040][ T5152] ? __lock_acquire+0x7f70/0x7f70 [ 75.969152][ T5152] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 75.974376][ T5152] ? lock_vma_under_rcu+0x5df/0x6f0 [ 75.980661][ T5152] ? lock_vma_under_rcu+0x187/0x6f0 [ 75.985879][ T5152] ? exc_page_fault+0x10f/0x860 [ 75.990743][ T5152] exc_page_fault+0x455/0x860 [ 75.995619][ T5152] asm_exc_page_fault+0x26/0x30 [ 76.000483][ T5152] RIP: 0033:0x7f794735bc53 [ 76.004908][ T5152] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 76.024628][ T5152] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5151] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5152] munmap(0x7f7936b10000, 138412032) = 0 [pid 5152] close(5) = 0 [pid 5152] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5150] <... futex resumed>) = 0 [pid 5152] <... futex resumed>) = 1 [pid 5152] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5151] <... write resumed>) = 2097152 [pid 5151] munmap(0x7f793ef10000, 2097152) = 0 [ 76.031413][ T5152] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 76.039378][ T5152] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 76.047515][ T5152] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 76.055477][ T5152] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 76.063556][ T5152] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 76.071538][ T5152] [ 76.074919][ T5152] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5151] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [pid 5151] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5151] close(4) = 0 [pid 5151] mkdir("./file0", 0777) = 0 [pid 5151] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5151] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5151] chdir("./file0") = 0 [pid 5151] ioctl(5, LOOP_CLR_FD) = 0 [pid 5151] close(5) = 0 [pid 5151] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5151] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5150] exit_group(0 [pid 5152] <... futex resumed>) = ? [pid 5151] <... futex resumed>) = ? [pid 5150] <... exit_group resumed>) = ? [pid 5152] +++ exited with 0 +++ [pid 5151] +++ exited with 0 +++ [pid 5150] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5150, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./39", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./39/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./39/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./39/binderfs") = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./39/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [ 76.119379][ T5151] loop0: detected capacity change from 0 to 4096 [ 76.131834][ T5151] ntfs: volume version 12.0. newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./39/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./39") = 0 mkdir("./40", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5153 attached , child_tidptr=0x555555f17690) = 5153 [pid 5153] set_robust_list(0x555555f176a0, 24) = 0 [pid 5153] chdir("./40") = 0 [pid 5153] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5153] setpgid(0, 0) = 0 [pid 5153] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5153] write(3, "1000", 4) = 4 [pid 5153] close(3) = 0 [pid 5153] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5153] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5153] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5153] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5153] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5153] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5153] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5153] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5154 attached => {parent_tid=[5154]}, 88) = 5154 [pid 5154] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5153] rt_sigprocmask(SIG_SETMASK, [], [pid 5154] <... rseq resumed>) = 0 [pid 5153] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5154] set_robust_list(0x7f79473519a0, 24 [pid 5153] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5154] <... set_robust_list resumed>) = 0 [pid 5153] <... futex resumed>) = 0 [pid 5154] rt_sigprocmask(SIG_SETMASK, [], [pid 5153] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5154] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5153] <... futex resumed>) = 0 [pid 5154] memfd_create("syzkaller", 0 [pid 5153] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5154] <... memfd_create resumed>) = 3 [pid 5154] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5153] <... mmap resumed>) = 0x7f7947310000 [pid 5153] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5153] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5153] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5155 attached [pid 5155] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5153] <... clone3 resumed> => {parent_tid=[5155]}, 88) = 5155 [pid 5155] <... rseq resumed>) = 0 [pid 5153] rt_sigprocmask(SIG_SETMASK, [], [pid 5155] set_robust_list(0x7f79473309a0, 24 [pid 5153] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5155] <... set_robust_list resumed>) = 0 [pid 5155] rt_sigprocmask(SIG_SETMASK, [], [pid 5153] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5155] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5153] <... futex resumed>) = 0 [pid 5155] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5153] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5155] <... openat resumed>) = 4 [pid 5155] write(4, "85", 2) = 2 [pid 5155] memfd_create("syzkaller", 0) = 5 [pid 5155] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5154] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 76.235091][ T5155] FAULT_INJECTION: forcing a failure. [ 76.235091][ T5155] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 76.248491][ T5155] CPU: 1 PID: 5155 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 76.258950][ T5155] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 76.269202][ T5155] Call Trace: [ 76.272501][ T5155] [ 76.275459][ T5155] dump_stack_lvl+0x1e7/0x2d0 [ 76.280151][ T5155] ? nf_tcp_handle_invalid+0x650/0x650 [ 76.285602][ T5155] ? panic+0x770/0x770 [ 76.289676][ T5155] should_fail_ex+0x3aa/0x4e0 [ 76.295162][ T5155] prepare_alloc_pages+0x1d9/0x5b0 [ 76.300294][ T5155] __alloc_pages+0x165/0x670 [ 76.304891][ T5155] ? zone_statistics+0x170/0x170 [ 76.309829][ T5155] ? verify_lock_unused+0x140/0x140 [ 76.315197][ T5155] ? handle_mm_fault+0x11d/0x62b0 [ 76.320219][ T5155] ? __lock_acquire+0x7f70/0x7f70 [ 76.325270][ T5155] ? pte_offset_map_nolock+0x137/0x1e0 [ 76.330817][ T5155] __folio_alloc+0x13/0x30 [ 76.335316][ T5155] vma_alloc_folio+0x48a/0x9a0 [ 76.340189][ T5155] handle_mm_fault+0x2376/0x62b0 [ 76.345257][ T5155] ? handle_mm_fault+0x11d/0x62b0 [ 76.350306][ T5155] ? numa_migrate_prep+0x380/0x380 [ 76.355436][ T5155] ? mtree_range_walk+0x6a0/0x7e0 [ 76.360471][ T5155] ? lock_vma_under_rcu+0x187/0x6f0 [ 76.365669][ T5155] ? __lock_acquire+0x7f70/0x7f70 [ 76.371558][ T5155] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 76.376850][ T5155] ? lock_vma_under_rcu+0x5df/0x6f0 [ 76.382055][ T5155] ? lock_vma_under_rcu+0x187/0x6f0 [ 76.387442][ T5155] ? exc_page_fault+0x10f/0x860 [ 76.392290][ T5155] exc_page_fault+0x455/0x860 [ 76.397057][ T5155] asm_exc_page_fault+0x26/0x30 [ 76.402357][ T5155] RIP: 0033:0x7f794735bc53 [ 76.406773][ T5155] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 76.426374][ T5155] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5154] munmap(0x7f793ef10000, 2097152) = 0 [pid 5154] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 76.432447][ T5155] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 76.440499][ T5155] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 76.448725][ T5155] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 76.456697][ T5155] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 76.464665][ T5155] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 76.472645][ T5155] [ 76.476429][ T5155] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5154] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5154] close(3) = 0 [pid 5154] mkdir("./file0", 0777) = 0 [pid 5154] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5154] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5154] chdir("./file0") = 0 [pid 5154] ioctl(6, LOOP_CLR_FD) = 0 [pid 5154] close(6 [pid 5155] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5154] <... close resumed>) = 0 [pid 5154] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5154] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5155] <... write resumed>) = 2097152 [ 76.488578][ T5154] loop0: detected capacity change from 0 to 4096 [ 76.503759][ T5154] ntfs: volume version 12.0. [pid 5155] munmap(0x7f7936b10000, 2097152) = 0 [pid 5155] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5155] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5155] ioctl(6, LOOP_CLR_FD) = 0 [pid 5155] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5155] close(6) = 0 [pid 5155] close(5) = 0 [pid 5155] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5155] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5153] <... futex resumed>) = 0 [pid 5153] exit_group(0 [pid 5155] <... futex resumed>) = ? [pid 5154] <... futex resumed>) = ? [pid 5155] +++ exited with 0 +++ [pid 5154] +++ exited with 0 +++ [pid 5153] <... exit_group resumed>) = ? [pid 5153] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5153, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./40", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./40/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./40/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./40/binderfs") = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./40/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./40/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./40") = 0 mkdir("./41", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5156 attached , child_tidptr=0x555555f17690) = 5156 [pid 5156] set_robust_list(0x555555f176a0, 24) = 0 [pid 5156] chdir("./41") = 0 [pid 5156] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5156] setpgid(0, 0) = 0 [pid 5156] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5156] write(3, "1000", 4) = 4 [pid 5156] close(3) = 0 [pid 5156] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5156] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5156] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5156] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5156] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5156] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5156] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5156] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5157 attached => {parent_tid=[5157]}, 88) = 5157 [pid 5157] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5156] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5156] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5157] <... rseq resumed>) = 0 [pid 5156] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5157] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5156] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5156] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5157] rt_sigprocmask(SIG_SETMASK, [], [pid 5156] <... mprotect resumed>) = 0 [pid 5156] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5157] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5156] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5158 attached => {parent_tid=[5158]}, 88) = 5158 [pid 5158] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5156] rt_sigprocmask(SIG_SETMASK, [], [pid 5158] set_robust_list(0x7f79473309a0, 24 [pid 5156] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5157] memfd_create("syzkaller", 0 [pid 5158] <... set_robust_list resumed>) = 0 [pid 5156] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5158] rt_sigprocmask(SIG_SETMASK, [], [pid 5156] <... futex resumed>) = 0 [pid 5158] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5157] <... memfd_create resumed>) = 3 [pid 5156] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5157] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5158] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5157] <... mmap resumed>) = 0x7f793ef10000 [pid 5157] munmap(0x7f793ef10000, 138412032 [pid 5158] <... openat resumed>) = 4 [pid 5157] <... munmap resumed>) = 0 [pid 5157] close(3 [pid 5158] write(4, "85", 2) = 2 [pid 5157] <... close resumed>) = 0 [pid 5158] memfd_create("syzkaller", 0 [pid 5157] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5158] <... memfd_create resumed>) = 3 [pid 5158] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5157] <... futex resumed>) = 0 [pid 5157] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5158] <... mmap resumed>) = 0x7f793ef10000 [ 76.648996][ T5158] FAULT_INJECTION: forcing a failure. [ 76.648996][ T5158] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 76.662684][ T5158] CPU: 0 PID: 5158 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 76.673087][ T5158] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 76.683134][ T5158] Call Trace: [ 76.686427][ T5158] [ 76.689389][ T5158] dump_stack_lvl+0x1e7/0x2d0 [ 76.694141][ T5158] ? nf_tcp_handle_invalid+0x650/0x650 [ 76.699604][ T5158] ? panic+0x770/0x770 [ 76.703866][ T5158] should_fail_ex+0x3aa/0x4e0 [ 76.708548][ T5158] prepare_alloc_pages+0x1d9/0x5b0 [ 76.713665][ T5158] __alloc_pages+0x165/0x670 [ 76.718253][ T5158] ? zone_statistics+0x170/0x170 [ 76.723192][ T5158] ? verify_lock_unused+0x140/0x140 [ 76.728882][ T5158] ? handle_mm_fault+0x11d/0x62b0 [ 76.733916][ T5158] ? __lock_acquire+0x7f70/0x7f70 [ 76.738934][ T5158] ? pte_offset_map_nolock+0x137/0x1e0 [ 76.745435][ T5158] __folio_alloc+0x13/0x30 [ 76.749940][ T5158] vma_alloc_folio+0x48a/0x9a0 [ 76.754726][ T5158] handle_mm_fault+0x2376/0x62b0 [ 76.759672][ T5158] ? handle_mm_fault+0x11d/0x62b0 [ 76.764710][ T5158] ? numa_migrate_prep+0x380/0x380 [ 76.769842][ T5158] ? mtree_range_walk+0x6a0/0x7e0 [ 76.774867][ T5158] ? lock_vma_under_rcu+0x187/0x6f0 [ 76.780586][ T5158] ? __lock_acquire+0x7f70/0x7f70 [ 76.785606][ T5158] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 76.790832][ T5158] ? lock_vma_under_rcu+0x5df/0x6f0 [ 76.796030][ T5158] ? lock_vma_under_rcu+0x187/0x6f0 [ 76.801237][ T5158] ? exc_page_fault+0x10f/0x860 [ 76.806259][ T5158] exc_page_fault+0x455/0x860 [ 76.810937][ T5158] asm_exc_page_fault+0x26/0x30 [ 76.815787][ T5158] RIP: 0033:0x7f794735bd00 [ 76.820204][ T5158] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 76.840029][ T5158] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 76.848301][ T5158] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 76.856323][ T5158] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 76.864402][ T5158] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 76.872371][ T5158] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 76.880944][ T5158] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 76.888925][ T5158] [ 76.895810][ T5158] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5158] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5158] munmap(0x7f793ef10000, 2097152) = 0 [pid 5158] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [pid 5158] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5158] close(3) = 0 [pid 5158] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [ 76.961391][ T5158] loop0: detected capacity change from 0 to 4096 [pid 5158] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 77.009280][ T5158] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 77.016564][ T5158] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5158] ioctl(5, LOOP_CLR_FD) = 0 [pid 5158] close(5) = 0 [pid 5158] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5156] <... futex resumed>) = 0 [pid 5158] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5156] exit_group(0 [pid 5158] <... futex resumed>) = ? [pid 5156] <... exit_group resumed>) = ? [pid 5158] +++ exited with 0 +++ [pid 5157] <... futex resumed>) = ? [pid 5157] +++ exited with 0 +++ [pid 5156] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5156, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=9 /* 0.09 s */} --- umount2("./41", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./41", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./41/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./41/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./41/binderfs") = 0 umount2("\x2e\x2f\x34\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x34\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x34\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x34\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x34\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./41") = 0 mkdir("./42", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5159 attached , child_tidptr=0x555555f17690) = 5159 [pid 5159] set_robust_list(0x555555f176a0, 24) = 0 [pid 5159] chdir("./42") = 0 [pid 5159] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5159] setpgid(0, 0) = 0 [pid 5159] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5159] write(3, "1000", 4) = 4 [pid 5159] close(3) = 0 [pid 5159] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5159] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5159] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5159] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5159] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5159] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5159] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5159] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5160]}, 88) = 5160 [pid 5159] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5159] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5159] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5160 attached ) = 0 [pid 5159] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5160] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5159] <... mmap resumed>) = 0x7f7947310000 [pid 5160] <... rseq resumed>) = 0 [pid 5159] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5160] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5160] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5160] memfd_create("syzkaller", 0 [pid 5159] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5159] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5161 attached => {parent_tid=[5161]}, 88) = 5161 [pid 5161] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5159] rt_sigprocmask(SIG_SETMASK, [], [pid 5161] set_robust_list(0x7f79473309a0, 24 [pid 5159] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5161] <... set_robust_list resumed>) = 0 [pid 5159] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5161] rt_sigprocmask(SIG_SETMASK, [], [pid 5159] <... futex resumed>) = 0 [pid 5161] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5159] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5161] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5160] <... memfd_create resumed>) = 3 [pid 5160] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5160] munmap(0x7f793ef10000, 138412032 [pid 5161] <... openat resumed>) = 4 [pid 5160] <... munmap resumed>) = 0 [pid 5160] close(3) = 0 [pid 5160] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5161] write(4, "85", 2 [pid 5160] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5161] <... write resumed>) = 2 [pid 5161] memfd_create("syzkaller", 0) = 3 [pid 5161] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 77.201851][ T5161] FAULT_INJECTION: forcing a failure. [ 77.201851][ T5161] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 77.216186][ T5161] CPU: 1 PID: 5161 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 77.226634][ T5161] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 77.236702][ T5161] Call Trace: [ 77.239998][ T5161] [ 77.242937][ T5161] dump_stack_lvl+0x1e7/0x2d0 [ 77.248242][ T5161] ? nf_tcp_handle_invalid+0x650/0x650 [ 77.253709][ T5161] ? panic+0x770/0x770 [ 77.257803][ T5161] should_fail_ex+0x3aa/0x4e0 [ 77.262509][ T5161] prepare_alloc_pages+0x1d9/0x5b0 [ 77.267646][ T5161] __alloc_pages+0x165/0x670 [ 77.272277][ T5161] ? zone_statistics+0x170/0x170 [ 77.277235][ T5161] ? verify_lock_unused+0x140/0x140 [ 77.282449][ T5161] ? handle_mm_fault+0x11d/0x62b0 [ 77.287494][ T5161] ? __lock_acquire+0x7f70/0x7f70 [ 77.292526][ T5161] ? pte_offset_map_nolock+0x137/0x1e0 [ 77.298099][ T5161] __folio_alloc+0x13/0x30 [ 77.302569][ T5161] vma_alloc_folio+0x48a/0x9a0 [ 77.307450][ T5161] handle_mm_fault+0x2376/0x62b0 [ 77.312507][ T5161] ? handle_mm_fault+0x11d/0x62b0 [ 77.317569][ T5161] ? numa_migrate_prep+0x380/0x380 [ 77.322756][ T5161] ? mtree_range_walk+0x6a0/0x7e0 [ 77.327817][ T5161] ? lock_vma_under_rcu+0x187/0x6f0 [ 77.333140][ T5161] ? __lock_acquire+0x7f70/0x7f70 [ 77.338174][ T5161] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 77.343403][ T5161] ? lock_vma_under_rcu+0x5df/0x6f0 [ 77.348621][ T5161] ? lock_vma_under_rcu+0x187/0x6f0 [ 77.353849][ T5161] ? exc_page_fault+0x10f/0x860 [ 77.358718][ T5161] exc_page_fault+0x455/0x860 [ 77.363418][ T5161] asm_exc_page_fault+0x26/0x30 [ 77.368292][ T5161] RIP: 0033:0x7f794735bd00 [ 77.373155][ T5161] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 77.393292][ T5161] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5161] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5161] munmap(0x7f793ef10000, 2097152) = 0 [pid 5161] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 77.399388][ T5161] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 77.407359][ T5161] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 77.415973][ T5161] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 77.423940][ T5161] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 77.432012][ T5161] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 77.439985][ T5161] [ 77.443386][ T5161] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5161] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5161] close(3) = 0 [pid 5161] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5161] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5161] ioctl(5, LOOP_CLR_FD) = 0 [pid 5161] close(5) = 0 [pid 5161] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5159] <... futex resumed>) = 0 [pid 5159] exit_group(0) = ? [pid 5160] <... futex resumed>) = ? [pid 5160] +++ exited with 0 +++ [pid 5161] +++ exited with 0 +++ [pid 5159] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5159, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=6 /* 0.06 s */} --- [ 77.482400][ T5161] loop0: detected capacity change from 0 to 4096 [ 77.500642][ T5161] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 77.507717][ T5161] ntfs3: loop0: Failed to load $AttrDef (-22) umount2("./42", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./42", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./42/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./42/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./42/binderfs") = 0 umount2("\x2e\x2f\x34\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x34\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x34\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x34\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x34\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./42") = 0 mkdir("./43", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5162 ./strace-static-x86_64: Process 5162 attached [pid 5162] set_robust_list(0x555555f176a0, 24) = 0 [pid 5162] chdir("./43") = 0 [pid 5162] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5162] setpgid(0, 0) = 0 [pid 5162] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5162] write(3, "1000", 4) = 4 [pid 5162] close(3) = 0 [pid 5162] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5162] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5162] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5162] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5162] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5162] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5162] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5162] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5163 attached => {parent_tid=[5163]}, 88) = 5163 [pid 5163] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5162] rt_sigprocmask(SIG_SETMASK, [], [pid 5163] set_robust_list(0x7f79473519a0, 24 [pid 5162] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5163] <... set_robust_list resumed>) = 0 [pid 5162] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5163] rt_sigprocmask(SIG_SETMASK, [], [pid 5162] <... futex resumed>) = 0 [pid 5163] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5162] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5163] memfd_create("syzkaller", 0 [pid 5162] <... futex resumed>) = 0 [pid 5162] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5162] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5162] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5162] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5164]}, 88) = 5164 [pid 5162] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5162] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5162] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5164 attached [pid 5164] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5164] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5163] <... memfd_create resumed>) = 3 [pid 5164] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5163] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5164] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5163] munmap(0x7f793ef10000, 138412032 [pid 5164] write(4, "85", 2) = 2 [pid 5164] memfd_create("syzkaller", 0) = 5 [pid 5164] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5163] <... munmap resumed>) = 0 [pid 5164] <... mmap resumed>) = 0x7f793ef10000 [pid 5163] close(3) = 0 [pid 5163] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 77.628312][ T5164] FAULT_INJECTION: forcing a failure. [ 77.628312][ T5164] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 77.642270][ T5164] CPU: 0 PID: 5164 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 77.652680][ T5164] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 77.662824][ T5164] Call Trace: [ 77.666106][ T5164] [ 77.669028][ T5164] dump_stack_lvl+0x1e7/0x2d0 [ 77.674309][ T5164] ? nf_tcp_handle_invalid+0x650/0x650 [ 77.679764][ T5164] ? panic+0x770/0x770 [ 77.685662][ T5164] should_fail_ex+0x3aa/0x4e0 [ 77.690341][ T5164] prepare_alloc_pages+0x1d9/0x5b0 [ 77.695456][ T5164] __alloc_pages+0x165/0x670 [ 77.700043][ T5164] ? zone_statistics+0x170/0x170 [ 77.704981][ T5164] ? verify_lock_unused+0x140/0x140 [ 77.710170][ T5164] ? handle_mm_fault+0x11d/0x62b0 [ 77.715188][ T5164] ? __lock_acquire+0x7f70/0x7f70 [ 77.720205][ T5164] ? pte_offset_map_nolock+0x137/0x1e0 [ 77.725751][ T5164] __folio_alloc+0x13/0x30 [ 77.730167][ T5164] vma_alloc_folio+0x48a/0x9a0 [ 77.735107][ T5164] handle_mm_fault+0x2376/0x62b0 [ 77.740048][ T5164] ? handle_mm_fault+0x11d/0x62b0 [ 77.745077][ T5164] ? numa_migrate_prep+0x380/0x380 [ 77.750206][ T5164] ? mtree_range_walk+0x6a0/0x7e0 [ 77.755228][ T5164] ? lock_vma_under_rcu+0x187/0x6f0 [ 77.760511][ T5164] ? __lock_acquire+0x7f70/0x7f70 [ 77.765699][ T5164] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 77.770906][ T5164] ? lock_vma_under_rcu+0x5df/0x6f0 [ 77.776099][ T5164] ? lock_vma_under_rcu+0x187/0x6f0 [ 77.781385][ T5164] ? exc_page_fault+0x10f/0x860 [ 77.786238][ T5164] exc_page_fault+0x455/0x860 [ 77.790912][ T5164] asm_exc_page_fault+0x26/0x30 [ 77.795759][ T5164] RIP: 0033:0x7f794735bd00 [ 77.800171][ T5164] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 77.819766][ T5164] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5163] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5164] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5164] munmap(0x7f793ef10000, 2097152) = 0 [pid 5164] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 77.825827][ T5164] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 77.833797][ T5164] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 77.841763][ T5164] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 77.849729][ T5164] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 77.857694][ T5164] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 77.865697][ T5164] [ 77.869118][ T5164] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5164] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5164] close(5) = 0 [pid 5164] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5164] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 77.919864][ T5164] loop0: detected capacity change from 0 to 4096 [ 77.936733][ T5164] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 77.944156][ T5164] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5164] ioctl(3, LOOP_CLR_FD) = 0 [pid 5164] close(3) = 0 [pid 5164] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5162] <... futex resumed>) = 0 [pid 5162] exit_group(0 [pid 5164] <... futex resumed>) = ? [pid 5163] <... futex resumed>) = ? [pid 5164] +++ exited with 0 +++ [pid 5163] +++ exited with 0 +++ [pid 5162] <... exit_group resumed>) = ? [pid 5162] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5162, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./43", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./43", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./43/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./43/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./43/binderfs") = 0 umount2("\x2e\x2f\x34\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x34\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x34\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x34\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x34\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./43") = 0 mkdir("./44", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5165 attached , child_tidptr=0x555555f17690) = 5165 [pid 5165] set_robust_list(0x555555f176a0, 24) = 0 [pid 5165] chdir("./44") = 0 [pid 5165] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5165] setpgid(0, 0) = 0 [pid 5165] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5165] write(3, "1000", 4) = 4 [pid 5165] close(3) = 0 [pid 5165] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5165] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5165] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5165] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5165] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5165] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5165] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5165] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5166 attached [pid 5166] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5166] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5166] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5166] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5165] <... clone3 resumed> => {parent_tid=[5166]}, 88) = 5166 [pid 5165] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5165] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5166] <... futex resumed>) = 0 [pid 5165] <... futex resumed>) = 1 [pid 5165] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5166] memfd_create("syzkaller", 0 [pid 5165] <... futex resumed>) = 0 [pid 5166] <... memfd_create resumed>) = 3 [pid 5165] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5166] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5165] <... mmap resumed>) = 0x7f7947310000 [pid 5166] <... mmap resumed>) = 0x7f793ef10000 [pid 5165] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5165] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5165] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5167 attached [pid 5167] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5165] <... clone3 resumed> => {parent_tid=[5167]}, 88) = 5167 [pid 5167] <... rseq resumed>) = 0 [pid 5165] rt_sigprocmask(SIG_SETMASK, [], [pid 5167] set_robust_list(0x7f79473309a0, 24 [pid 5165] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5167] <... set_robust_list resumed>) = 0 [pid 5167] rt_sigprocmask(SIG_SETMASK, [], [pid 5165] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5167] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5165] <... futex resumed>) = 0 [pid 5167] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5165] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5167] <... openat resumed>) = 4 [pid 5167] write(4, "85", 2) = 2 [pid 5167] memfd_create("syzkaller", 0) = 5 [pid 5167] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5166] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 78.096074][ T5167] FAULT_INJECTION: forcing a failure. [ 78.096074][ T5167] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 78.109807][ T5167] CPU: 0 PID: 5167 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 78.120257][ T5167] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 78.130339][ T5167] Call Trace: [ 78.133630][ T5167] [ 78.136557][ T5167] dump_stack_lvl+0x1e7/0x2d0 [ 78.141230][ T5167] ? nf_tcp_handle_invalid+0x650/0x650 [ 78.146679][ T5167] ? panic+0x770/0x770 [ 78.150746][ T5167] should_fail_ex+0x3aa/0x4e0 [ 78.155531][ T5167] prepare_alloc_pages+0x1d9/0x5b0 [ 78.160666][ T5167] __alloc_pages+0x165/0x670 [ 78.165255][ T5167] ? zone_statistics+0x170/0x170 [ 78.170207][ T5167] ? verify_lock_unused+0x140/0x140 [ 78.175407][ T5167] ? handle_mm_fault+0x11d/0x62b0 [ 78.180431][ T5167] ? __lock_acquire+0x7f70/0x7f70 [ 78.185453][ T5167] ? pte_offset_map_nolock+0x137/0x1e0 [ 78.190917][ T5167] __folio_alloc+0x13/0x30 [ 78.195329][ T5167] vma_alloc_folio+0x48a/0x9a0 [ 78.200097][ T5167] handle_mm_fault+0x2376/0x62b0 [ 78.205038][ T5167] ? handle_mm_fault+0x11d/0x62b0 [ 78.210152][ T5167] ? numa_migrate_prep+0x380/0x380 [ 78.215357][ T5167] ? mtree_range_walk+0x6a0/0x7e0 [ 78.220383][ T5167] ? lock_vma_under_rcu+0x187/0x6f0 [ 78.225578][ T5167] ? __lock_acquire+0x7f70/0x7f70 [ 78.230594][ T5167] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 78.235799][ T5167] ? lock_vma_under_rcu+0x5df/0x6f0 [ 78.241006][ T5167] ? lock_vma_under_rcu+0x187/0x6f0 [ 78.246209][ T5167] ? exc_page_fault+0x10f/0x860 [ 78.251055][ T5167] exc_page_fault+0x455/0x860 [ 78.255731][ T5167] asm_exc_page_fault+0x26/0x30 [ 78.260585][ T5167] RIP: 0033:0x7f794735bc53 [ 78.264990][ T5167] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 78.284587][ T5167] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5166] munmap(0x7f793ef10000, 2097152) = 0 [pid 5166] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 78.290650][ T5167] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 78.298612][ T5167] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 78.306574][ T5167] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 78.314537][ T5167] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 78.322530][ T5167] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 78.330506][ T5167] [ 78.336774][ T5167] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5166] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5166] close(3) = 0 [pid 5166] mkdir("./file0", 0777) = 0 [pid 5166] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5167] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5166] <... mount resumed>) = 0 [pid 5166] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5166] chdir("./file0") = 0 [pid 5166] ioctl(6, LOOP_CLR_FD) = 0 [pid 5166] close(6 [pid 5167] <... write resumed>) = 2097152 [pid 5166] <... close resumed>) = 0 [pid 5167] munmap(0x7f7936b10000, 2097152 [pid 5166] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5166] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5167] <... munmap resumed>) = 0 [pid 5167] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5167] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5167] ioctl(6, LOOP_CLR_FD) = 0 [pid 5167] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5167] close(6) = 0 [pid 5167] close(5) = 0 [pid 5167] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5165] <... futex resumed>) = 0 [pid 5165] exit_group(0 [pid 5166] <... futex resumed>) = ? [pid 5165] <... exit_group resumed>) = ? [pid 5166] +++ exited with 0 +++ [pid 5167] <... futex resumed>) = ? [pid 5167] +++ exited with 0 +++ [pid 5165] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5165, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./44", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 [ 78.350030][ T5166] loop0: detected capacity change from 0 to 4096 [ 78.376815][ T5166] ntfs: volume version 12.0. umount2("./44/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./44/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./44/binderfs") = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./44/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./44/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./44") = 0 mkdir("./45", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5168 attached , child_tidptr=0x555555f17690) = 5168 [pid 5168] set_robust_list(0x555555f176a0, 24) = 0 [pid 5168] chdir("./45") = 0 [pid 5168] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5168] setpgid(0, 0) = 0 [pid 5168] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5168] write(3, "1000", 4) = 4 [pid 5168] close(3) = 0 [pid 5168] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5168] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5168] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5168] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5168] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5168] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5168] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5169]}, 88) = 5169 ./strace-static-x86_64: Process 5169 attached [pid 5169] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5168] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5168] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5168] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5168] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5169] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5169] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5168] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5168] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5170 attached [pid 5170] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5168] <... clone3 resumed> => {parent_tid=[5170]}, 88) = 5170 [pid 5170] <... rseq resumed>) = 0 [pid 5168] rt_sigprocmask(SIG_SETMASK, [], [pid 5170] set_robust_list(0x7f79473309a0, 24 [pid 5168] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5170] <... set_robust_list resumed>) = 0 [pid 5168] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5170] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5168] <... futex resumed>) = 0 [pid 5170] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5169] memfd_create("syzkaller", 0 [pid 5168] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5169] <... memfd_create resumed>) = 4 [pid 5169] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5170] <... openat resumed>) = 3 [pid 5169] <... mmap resumed>) = 0x7f793ef10000 [pid 5170] write(3, "85", 2 [pid 5169] munmap(0x7f793ef10000, 138412032 [pid 5170] <... write resumed>) = 2 [pid 5170] memfd_create("syzkaller", 0 [pid 5169] <... munmap resumed>) = 0 [pid 5170] <... memfd_create resumed>) = 5 [pid 5169] close(4 [pid 5170] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5169] <... close resumed>) = 0 [pid 5170] <... mmap resumed>) = 0x7f793ef10000 [pid 5169] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 78.491391][ T5170] FAULT_INJECTION: forcing a failure. [ 78.491391][ T5170] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 78.504983][ T5170] CPU: 0 PID: 5170 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 78.515431][ T5170] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 78.525493][ T5170] Call Trace: [ 78.528789][ T5170] [ 78.531728][ T5170] dump_stack_lvl+0x1e7/0x2d0 [ 78.536420][ T5170] ? nf_tcp_handle_invalid+0x650/0x650 [ 78.541879][ T5170] ? panic+0x770/0x770 [ 78.545981][ T5170] should_fail_ex+0x3aa/0x4e0 [ 78.550675][ T5170] prepare_alloc_pages+0x1d9/0x5b0 [ 78.555795][ T5170] __alloc_pages+0x165/0x670 [ 78.560520][ T5170] ? zone_statistics+0x170/0x170 [ 78.565558][ T5170] ? verify_lock_unused+0x140/0x140 [ 78.570761][ T5170] ? handle_mm_fault+0x11d/0x62b0 [ 78.575796][ T5170] ? __lock_acquire+0x7f70/0x7f70 [ 78.580829][ T5170] ? pte_offset_map_nolock+0x137/0x1e0 [ 78.586286][ T5170] __folio_alloc+0x13/0x30 [ 78.590795][ T5170] vma_alloc_folio+0x48a/0x9a0 [ 78.595577][ T5170] handle_mm_fault+0x2376/0x62b0 [ 78.600535][ T5170] ? handle_mm_fault+0x11d/0x62b0 [ 78.605573][ T5170] ? numa_migrate_prep+0x380/0x380 [ 78.610710][ T5170] ? mtree_range_walk+0x6a0/0x7e0 [ 78.615736][ T5170] ? lock_vma_under_rcu+0x187/0x6f0 [ 78.620964][ T5170] ? __lock_acquire+0x7f70/0x7f70 [ 78.626011][ T5170] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 78.631216][ T5170] ? lock_vma_under_rcu+0x5df/0x6f0 [ 78.636421][ T5170] ? lock_vma_under_rcu+0x187/0x6f0 [ 78.641639][ T5170] ? exc_page_fault+0x10f/0x860 [ 78.646526][ T5170] exc_page_fault+0x455/0x860 [ 78.651302][ T5170] asm_exc_page_fault+0x26/0x30 [ 78.656155][ T5170] RIP: 0033:0x7f794735bd00 [ 78.660568][ T5170] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 78.680285][ T5170] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5169] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5170] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5170] munmap(0x7f793ef10000, 2097152) = 0 [pid 5170] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 78.686358][ T5170] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 78.694415][ T5170] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 78.702484][ T5170] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 78.710469][ T5170] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 78.718475][ T5170] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 78.726456][ T5170] [ 78.732547][ T5170] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5170] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5170] close(5) = 0 [pid 5170] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5170] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 78.770122][ T5170] loop0: detected capacity change from 0 to 4096 [ 78.788149][ T5170] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 78.795125][ T5170] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5170] ioctl(4, LOOP_CLR_FD) = 0 [pid 5170] close(4) = 0 [pid 5170] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5168] <... futex resumed>) = 0 [pid 5170] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5168] exit_group(0 [pid 5170] <... futex resumed>) = ? [pid 5169] <... futex resumed>) = ? [pid 5168] <... exit_group resumed>) = ? [pid 5170] +++ exited with 0 +++ [pid 5169] +++ exited with 0 +++ [pid 5168] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5168, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./45", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./45", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./45/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./45/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./45/binderfs") = 0 umount2("\x2e\x2f\x34\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x34\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x34\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x34\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x34\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./45") = 0 mkdir("./46", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5171 attached , child_tidptr=0x555555f17690) = 5171 [pid 5171] set_robust_list(0x555555f176a0, 24) = 0 [pid 5171] chdir("./46") = 0 [pid 5171] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5171] setpgid(0, 0) = 0 [pid 5171] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5171] write(3, "1000", 4) = 4 [pid 5171] close(3) = 0 [pid 5171] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5171] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5171] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5171] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5171] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5171] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5171] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5171] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5172 attached [pid 5172] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5171] <... clone3 resumed> => {parent_tid=[5172]}, 88) = 5172 [pid 5172] set_robust_list(0x7f79473519a0, 24 [pid 5171] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5171] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5172] <... set_robust_list resumed>) = 0 [pid 5172] rt_sigprocmask(SIG_SETMASK, [], [pid 5171] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5172] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5171] <... futex resumed>) = 0 [pid 5172] memfd_create("syzkaller", 0 [pid 5171] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5171] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5172] <... memfd_create resumed>) = 3 [pid 5171] <... mprotect resumed>) = 0 [pid 5171] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5171] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5173]}, 88) = 5173 [pid 5171] rt_sigprocmask(SIG_SETMASK, [], ./strace-static-x86_64: Process 5173 attached NULL, 8) = 0 [pid 5173] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5171] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5173] <... rseq resumed>) = 0 [pid 5172] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5171] <... futex resumed>) = 0 [pid 5173] set_robust_list(0x7f79473309a0, 24 [pid 5171] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5173] <... set_robust_list resumed>) = 0 [pid 5173] rt_sigprocmask(SIG_SETMASK, [], [pid 5172] <... mmap resumed>) = 0x7f793ef10000 [pid 5173] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5173] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5173] write(4, "85", 2) = 2 [pid 5173] memfd_create("syzkaller", 0) = 5 [pid 5173] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5172] munmap(0x7f793ef10000, 138412032) = 0 [pid 5172] close(3) = 0 [pid 5172] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 78.932492][ T5173] FAULT_INJECTION: forcing a failure. [ 78.932492][ T5173] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 78.946842][ T5173] CPU: 0 PID: 5173 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 78.957307][ T5173] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 78.967396][ T5173] Call Trace: [ 78.970671][ T5173] [ 78.973601][ T5173] dump_stack_lvl+0x1e7/0x2d0 [ 78.978278][ T5173] ? nf_tcp_handle_invalid+0x650/0x650 [ 78.983735][ T5173] ? panic+0x770/0x770 [ 78.987809][ T5173] should_fail_ex+0x3aa/0x4e0 [ 78.992493][ T5173] prepare_alloc_pages+0x1d9/0x5b0 [ 78.997605][ T5173] __alloc_pages+0x165/0x670 [ 79.002190][ T5173] ? zone_statistics+0x170/0x170 [ 79.007127][ T5173] ? verify_lock_unused+0x140/0x140 [ 79.012317][ T5173] ? handle_mm_fault+0x11d/0x62b0 [ 79.017356][ T5173] ? __lock_acquire+0x7f70/0x7f70 [ 79.022426][ T5173] ? pte_offset_map_nolock+0x137/0x1e0 [ 79.027896][ T5173] __folio_alloc+0x13/0x30 [ 79.032317][ T5173] vma_alloc_folio+0x48a/0x9a0 [ 79.037081][ T5173] handle_mm_fault+0x2376/0x62b0 [ 79.042025][ T5173] ? handle_mm_fault+0x11d/0x62b0 [ 79.047141][ T5173] ? numa_migrate_prep+0x380/0x380 [ 79.052254][ T5173] ? mtree_range_walk+0x6a0/0x7e0 [ 79.057275][ T5173] ? lock_vma_under_rcu+0x187/0x6f0 [ 79.062472][ T5173] ? __lock_acquire+0x7f70/0x7f70 [ 79.067489][ T5173] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 79.072692][ T5173] ? lock_vma_under_rcu+0x5df/0x6f0 [ 79.077935][ T5173] ? lock_vma_under_rcu+0x187/0x6f0 [ 79.083281][ T5173] ? exc_page_fault+0x10f/0x860 [ 79.088149][ T5173] exc_page_fault+0x455/0x860 [ 79.092837][ T5173] asm_exc_page_fault+0x26/0x30 [ 79.097686][ T5173] RIP: 0033:0x7f794735bc53 [ 79.102096][ T5173] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 79.122126][ T5173] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5172] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5173] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5173] munmap(0x7f7936b10000, 2097152) = 0 [pid 5173] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 79.128273][ T5173] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 79.136238][ T5173] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 79.144202][ T5173] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 79.152166][ T5173] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 79.160129][ T5173] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 79.168107][ T5173] [pid 5173] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5173] close(5) = 0 [pid 5173] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5173] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 79.211534][ T5173] loop0: detected capacity change from 0 to 4096 [ 79.240468][ T5173] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 79.247587][ T5173] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5173] ioctl(3, LOOP_CLR_FD) = 0 [pid 5173] close(3) = 0 [pid 5173] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5171] <... futex resumed>) = 0 [pid 5171] exit_group(0 [pid 5173] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5171] <... exit_group resumed>) = ? [pid 5173] <... futex resumed>) = ? [pid 5173] +++ exited with 0 +++ [pid 5172] <... futex resumed>) = ? [pid 5172] +++ exited with 0 +++ [pid 5171] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5171, si_uid=0, si_status=0, si_utime=0, si_stime=5 /* 0.05 s */} --- umount2("./46", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./46", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./46/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./46/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./46/binderfs") = 0 umount2("\x2e\x2f\x34\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x34\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x34\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x34\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x34\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./46") = 0 mkdir("./47", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5174 ./strace-static-x86_64: Process 5174 attached [pid 5174] set_robust_list(0x555555f176a0, 24) = 0 [pid 5174] chdir("./47") = 0 [pid 5174] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5174] setpgid(0, 0) = 0 [pid 5174] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5174] write(3, "1000", 4) = 4 [pid 5174] close(3) = 0 [pid 5174] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5174] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5174] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5174] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5174] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5174] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5174] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5174] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5175]}, 88) = 5175 ./strace-static-x86_64: Process 5175 attached [pid 5175] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5174] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5174] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5174] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5174] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5175] <... rseq resumed>) = 0 [pid 5175] set_robust_list(0x7f79473519a0, 24 [pid 5174] <... mmap resumed>) = 0x7f7947310000 [pid 5175] <... set_robust_list resumed>) = 0 [pid 5175] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5174] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5174] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5174] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5176 attached => {parent_tid=[5176]}, 88) = 5176 [pid 5176] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5174] rt_sigprocmask(SIG_SETMASK, [], [pid 5176] set_robust_list(0x7f79473309a0, 24 [pid 5174] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5175] memfd_create("syzkaller", 0 [pid 5176] <... set_robust_list resumed>) = 0 [pid 5174] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5176] rt_sigprocmask(SIG_SETMASK, [], [pid 5174] <... futex resumed>) = 0 [pid 5176] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5175] <... memfd_create resumed>) = 3 [pid 5174] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5176] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5175] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5176] <... openat resumed>) = 4 [pid 5175] munmap(0x7f793ef10000, 138412032 [pid 5176] write(4, "85", 2) = 2 [pid 5175] <... munmap resumed>) = 0 [pid 5176] memfd_create("syzkaller", 0 [pid 5175] close(3 [pid 5176] <... memfd_create resumed>) = 5 [pid 5175] <... close resumed>) = 0 [pid 5176] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5175] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5175] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5176] <... mmap resumed>) = 0x7f793ef10000 [ 79.404752][ T5176] FAULT_INJECTION: forcing a failure. [ 79.404752][ T5176] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 79.419338][ T5176] CPU: 0 PID: 5176 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 79.429843][ T5176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 79.439898][ T5176] Call Trace: [ 79.443259][ T5176] [ 79.446179][ T5176] dump_stack_lvl+0x1e7/0x2d0 [ 79.450851][ T5176] ? nf_tcp_handle_invalid+0x650/0x650 [ 79.456302][ T5176] ? panic+0x770/0x770 [ 79.460406][ T5176] should_fail_ex+0x3aa/0x4e0 [ 79.465103][ T5176] prepare_alloc_pages+0x1d9/0x5b0 [ 79.470233][ T5176] __alloc_pages+0x165/0x670 [ 79.474828][ T5176] ? zone_statistics+0x170/0x170 [ 79.479779][ T5176] ? verify_lock_unused+0x140/0x140 [ 79.484973][ T5176] ? handle_mm_fault+0x11d/0x62b0 [ 79.489997][ T5176] ? __lock_acquire+0x7f70/0x7f70 [ 79.495026][ T5176] ? pte_offset_map_nolock+0x137/0x1e0 [ 79.500481][ T5176] __folio_alloc+0x13/0x30 [ 79.504891][ T5176] vma_alloc_folio+0x48a/0x9a0 [ 79.509688][ T5176] handle_mm_fault+0x2376/0x62b0 [ 79.514639][ T5176] ? handle_mm_fault+0x11d/0x62b0 [ 79.519660][ T5176] ? numa_migrate_prep+0x380/0x380 [ 79.524778][ T5176] ? mtree_range_walk+0x6a0/0x7e0 [ 79.529821][ T5176] ? lock_vma_under_rcu+0x187/0x6f0 [ 79.535008][ T5176] ? __lock_acquire+0x7f70/0x7f70 [ 79.540027][ T5176] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 79.545242][ T5176] ? lock_vma_under_rcu+0x5df/0x6f0 [ 79.550434][ T5176] ? lock_vma_under_rcu+0x187/0x6f0 [ 79.555652][ T5176] ? exc_page_fault+0x10f/0x860 [ 79.560766][ T5176] exc_page_fault+0x455/0x860 [ 79.565440][ T5176] asm_exc_page_fault+0x26/0x30 [ 79.570279][ T5176] RIP: 0033:0x7f794735bd00 [ 79.574681][ T5176] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 79.594287][ T5176] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5176] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5176] munmap(0x7f793ef10000, 2097152) = 0 [pid 5176] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 79.600366][ T5176] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 79.608350][ T5176] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 79.616326][ T5176] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 79.624289][ T5176] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 79.632249][ T5176] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 79.640239][ T5176] [pid 5176] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5176] close(5) = 0 [pid 5176] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5176] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5176] ioctl(3, LOOP_CLR_FD) = 0 [ 79.676930][ T5176] loop0: detected capacity change from 0 to 4096 [ 79.695329][ T5176] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 79.702626][ T5176] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5176] close(3) = 0 [pid 5176] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5174] <... futex resumed>) = 0 [pid 5176] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5174] exit_group(0 [pid 5176] <... futex resumed>) = ? [pid 5175] <... futex resumed>) = ? [pid 5175] +++ exited with 0 +++ [pid 5176] +++ exited with 0 +++ [pid 5174] <... exit_group resumed>) = ? [pid 5174] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5174, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./47", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./47", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./47/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./47/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./47/binderfs") = 0 umount2("\x2e\x2f\x34\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x34\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x34\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x34\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x34\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./47") = 0 mkdir("./48", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5177 attached , child_tidptr=0x555555f17690) = 5177 [pid 5177] set_robust_list(0x555555f176a0, 24) = 0 [pid 5177] chdir("./48") = 0 [pid 5177] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5177] setpgid(0, 0) = 0 [pid 5177] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5177] write(3, "1000", 4) = 4 [pid 5177] close(3) = 0 [pid 5177] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5177] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5177] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5177] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5177] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5177] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5177] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5177] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5178 attached => {parent_tid=[5178]}, 88) = 5178 [pid 5177] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5177] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5178] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5177] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5178] set_robust_list(0x7f79473519a0, 24 [pid 5177] <... futex resumed>) = 0 [pid 5178] <... set_robust_list resumed>) = 0 [pid 5177] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5178] rt_sigprocmask(SIG_SETMASK, [], [pid 5177] <... mmap resumed>) = 0x7f7947310000 [pid 5178] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5177] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5177] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5178] memfd_create("syzkaller", 0 [pid 5177] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5178] <... memfd_create resumed>) = 3 [pid 5177] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5178] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 ./strace-static-x86_64: Process 5179 attached [pid 5179] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5177] <... clone3 resumed> => {parent_tid=[5179]}, 88) = 5179 [pid 5177] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5177] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5177] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5179] <... rseq resumed>) = 0 [pid 5179] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5179] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5179] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5179] write(4, "85", 2) = 2 [pid 5179] memfd_create("syzkaller", 0) = 5 [pid 5179] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 79.846788][ T5179] FAULT_INJECTION: forcing a failure. [ 79.846788][ T5179] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 79.860952][ T5179] CPU: 0 PID: 5179 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 79.871401][ T5179] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 79.881470][ T5179] Call Trace: [ 79.884785][ T5179] [ 79.887713][ T5179] dump_stack_lvl+0x1e7/0x2d0 [ 79.892411][ T5179] ? nf_tcp_handle_invalid+0x650/0x650 [ 79.897869][ T5179] ? panic+0x770/0x770 [ 79.901947][ T5179] should_fail_ex+0x3aa/0x4e0 [ 79.906629][ T5179] prepare_alloc_pages+0x1d9/0x5b0 [ 79.911763][ T5179] __alloc_pages+0x165/0x670 [ 79.916478][ T5179] ? zone_statistics+0x170/0x170 [ 79.921437][ T5179] ? verify_lock_unused+0x140/0x140 [ 79.926642][ T5179] ? handle_mm_fault+0x11d/0x62b0 [ 79.931674][ T5179] ? __lock_acquire+0x7f70/0x7f70 [ 79.936727][ T5179] ? pte_offset_map_nolock+0x137/0x1e0 [ 79.942189][ T5179] __folio_alloc+0x13/0x30 [ 79.946604][ T5179] vma_alloc_folio+0x48a/0x9a0 [ 79.951367][ T5179] handle_mm_fault+0x2376/0x62b0 [ 79.956307][ T5179] ? handle_mm_fault+0x11d/0x62b0 [ 79.961336][ T5179] ? numa_migrate_prep+0x380/0x380 [ 79.966468][ T5179] ? mtree_range_walk+0x6a0/0x7e0 [ 79.971574][ T5179] ? lock_vma_under_rcu+0x187/0x6f0 [ 79.976859][ T5179] ? __lock_acquire+0x7f70/0x7f70 [ 79.981873][ T5179] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 79.988037][ T5179] ? lock_vma_under_rcu+0x5df/0x6f0 [ 79.993231][ T5179] ? lock_vma_under_rcu+0x187/0x6f0 [ 79.998451][ T5179] ? exc_page_fault+0x10f/0x860 [ 80.003294][ T5179] exc_page_fault+0x455/0x860 [ 80.007972][ T5179] asm_exc_page_fault+0x26/0x30 [ 80.012817][ T5179] RIP: 0033:0x7f794735bc53 [ 80.017225][ T5179] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 80.036820][ T5179] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5178] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2262319) = 2262319 [ 80.042882][ T5179] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 80.050846][ T5179] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 80.058893][ T5179] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 80.066857][ T5179] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 80.074836][ T5179] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 80.082814][ T5179] [ 80.086412][ T5179] pagefault_out_of_memory: 2 callbacks suppressed [pid 5178] munmap(0x7f793ef10000, 2262319) = 0 [pid 5178] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5178] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5178] close(3) = 0 [pid 5178] mkdir("./file0", 0777) = 0 [pid 5178] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5178] ioctl(6, LOOP_CLR_FD [pid 5179] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5179] munmap(0x7f7936b10000, 2097152) = 0 [pid 5179] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5179] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5179] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5179] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5179] close(3) = 0 [ 80.086424][ T5179] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 80.108903][ T5178] loop0: detected capacity change from 0 to 4418 [pid 5179] close(5) = 0 [pid 5179] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5179] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5178] <... ioctl resumed>) = 0 [pid 5177] <... futex resumed>) = 0 [pid 5178] close(6) = 0 [pid 5178] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5177] exit_group(0) = ? [pid 5178] +++ exited with 0 +++ [pid 5179] <... futex resumed>) = ? [pid 5179] +++ exited with 0 +++ [pid 5177] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5177, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./48", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./48/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./48/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./48/binderfs") = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./48/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./48/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./48") = 0 mkdir("./49", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5180 attached , child_tidptr=0x555555f17690) = 5180 [pid 5180] set_robust_list(0x555555f176a0, 24) = 0 [pid 5180] chdir("./49") = 0 [pid 5180] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5180] setpgid(0, 0) = 0 [pid 5180] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5180] write(3, "1000", 4) = 4 [pid 5180] close(3) = 0 [pid 5180] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5180] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5180] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5180] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5180] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5180] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5180] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5181 attached [pid 5181] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5180] <... clone3 resumed> => {parent_tid=[5181]}, 88) = 5181 [pid 5181] <... rseq resumed>) = 0 [pid 5180] rt_sigprocmask(SIG_SETMASK, [], [pid 5181] set_robust_list(0x7f79473519a0, 24 [pid 5180] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5181] <... set_robust_list resumed>) = 0 [pid 5180] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5181] rt_sigprocmask(SIG_SETMASK, [], [pid 5180] <... futex resumed>) = 0 [pid 5181] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5180] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5181] memfd_create("syzkaller", 0 [pid 5180] <... futex resumed>) = 0 [pid 5180] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5180] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5180] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5181] <... memfd_create resumed>) = 3 [pid 5180] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5181] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5180] <... clone3 resumed> => {parent_tid=[5182]}, 88) = 5182 [pid 5180] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5180] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5182 attached [pid 5182] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5182] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5182] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5182] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5182] write(4, "85", 2) = 2 [pid 5182] memfd_create("syzkaller", 0) = 5 [pid 5182] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 80.258866][ T5182] FAULT_INJECTION: forcing a failure. [ 80.258866][ T5182] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 80.272622][ T5182] CPU: 0 PID: 5182 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 80.283053][ T5182] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 80.293108][ T5182] Call Trace: [ 80.296388][ T5182] [ 80.299313][ T5182] dump_stack_lvl+0x1e7/0x2d0 [ 80.304002][ T5182] ? nf_tcp_handle_invalid+0x650/0x650 [ 80.309454][ T5182] ? panic+0x770/0x770 [ 80.313530][ T5182] should_fail_ex+0x3aa/0x4e0 [ 80.318210][ T5182] prepare_alloc_pages+0x1d9/0x5b0 [ 80.323326][ T5182] __alloc_pages+0x165/0x670 [ 80.327926][ T5182] ? zone_statistics+0x170/0x170 [ 80.332881][ T5182] ? verify_lock_unused+0x140/0x140 [ 80.338089][ T5182] ? handle_mm_fault+0x11d/0x62b0 [ 80.343133][ T5182] ? __lock_acquire+0x7f70/0x7f70 [ 80.348169][ T5182] ? pte_offset_map_nolock+0x137/0x1e0 [ 80.353646][ T5182] __folio_alloc+0x13/0x30 [ 80.358069][ T5182] vma_alloc_folio+0x48a/0x9a0 [ 80.362844][ T5182] handle_mm_fault+0x2376/0x62b0 [ 80.367819][ T5182] ? handle_mm_fault+0x11d/0x62b0 [ 80.372862][ T5182] ? numa_migrate_prep+0x380/0x380 [ 80.377991][ T5182] ? mtree_range_walk+0x6a0/0x7e0 [ 80.383043][ T5182] ? lock_vma_under_rcu+0x187/0x6f0 [ 80.388331][ T5182] ? __lock_acquire+0x7f70/0x7f70 [ 80.393355][ T5182] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 80.398569][ T5182] ? lock_vma_under_rcu+0x5df/0x6f0 [ 80.403769][ T5182] ? lock_vma_under_rcu+0x187/0x6f0 [ 80.408976][ T5182] ? exc_page_fault+0x10f/0x860 [ 80.413828][ T5182] exc_page_fault+0x455/0x860 [ 80.418507][ T5182] asm_exc_page_fault+0x26/0x30 [ 80.423347][ T5182] RIP: 0033:0x7f794735bc53 [ 80.427938][ T5182] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 80.447637][ T5182] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5181] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5181] munmap(0x7f793ef10000, 2097152) = 0 [pid 5182] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5181] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 80.453711][ T5182] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 80.461698][ T5182] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 80.469671][ T5182] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 80.477664][ T5182] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 80.485630][ T5182] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 80.493610][ T5182] [ 80.501560][ T5182] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5181] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5181] close(3) = 0 [pid 5181] mkdir("./file0", 0777) = 0 [pid 5181] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5182] <... write resumed>) = 2097152 [pid 5182] munmap(0x7f7936b10000, 2097152 [pid 5181] <... mount resumed>) = 0 [pid 5181] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5181] chdir("./file0") = 0 [pid 5181] ioctl(6, LOOP_CLR_FD) = 0 [pid 5181] close(6) = 0 [pid 5181] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5181] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5182] <... munmap resumed>) = 0 [pid 5182] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5182] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5182] ioctl(6, LOOP_CLR_FD) = 0 [pid 5182] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5182] close(6) = 0 [pid 5182] close(5) = 0 [pid 5182] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5180] <... futex resumed>) = 0 [pid 5182] <... futex resumed>) = 1 [pid 5180] exit_group(0 [pid 5182] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5180] <... exit_group resumed>) = ? [pid 5182] <... futex resumed>) = ? [pid 5181] <... futex resumed>) = ? [pid 5181] +++ exited with 0 +++ [pid 5182] +++ exited with 0 +++ [pid 5180] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5180, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=36 /* 0.36 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./49", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./49/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 80.530109][ T5181] loop0: detected capacity change from 0 to 4096 [ 80.544184][ T5181] ntfs: volume version 12.0. newfstatat(AT_FDCWD, "./49/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./49/binderfs") = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./49/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./49/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./49") = 0 mkdir("./50", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5183 attached [pid 5183] set_robust_list(0x555555f176a0, 24) = 0 [pid 5183] chdir("./50") = 0 [pid 5183] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5183] setpgid(0, 0) = 0 [pid 5183] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5183 [pid 5183] write(3, "1000", 4) = 4 [pid 5183] close(3) = 0 [pid 5183] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5183] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5183] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5183] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5183] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5183] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5183] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5183] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5184 attached => {parent_tid=[5184]}, 88) = 5184 [pid 5184] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5183] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5183] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5183] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5183] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5183] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5183] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5183] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5185 attached => {parent_tid=[5185]}, 88) = 5185 [pid 5183] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5184] <... rseq resumed>) = 0 [pid 5183] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5184] set_robust_list(0x7f79473519a0, 24 [pid 5185] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5183] <... futex resumed>) = 0 [pid 5185] <... rseq resumed>) = 0 [pid 5184] <... set_robust_list resumed>) = 0 [pid 5185] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5183] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5185] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5184] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5185] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 3 [pid 5184] memfd_create("syzkaller", 0) = 4 [pid 5184] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5185] write(3, "85", 2) = 2 [pid 5185] memfd_create("syzkaller", 0 [pid 5184] <... mmap resumed>) = 0x7f793ef10000 [pid 5184] munmap(0x7f793ef10000, 138412032) = 0 [pid 5184] close(4 [pid 5185] <... memfd_create resumed>) = 5 [pid 5184] <... close resumed>) = 0 [pid 5184] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5185] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 80.659414][ T5185] FAULT_INJECTION: forcing a failure. [ 80.659414][ T5185] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 80.673319][ T5185] CPU: 1 PID: 5185 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 80.683763][ T5185] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 80.693853][ T5185] Call Trace: [ 80.697132][ T5185] [ 80.700078][ T5185] dump_stack_lvl+0x1e7/0x2d0 [ 80.704764][ T5185] ? nf_tcp_handle_invalid+0x650/0x650 [ 80.710217][ T5185] ? panic+0x770/0x770 [ 80.714292][ T5185] should_fail_ex+0x3aa/0x4e0 [ 80.718964][ T5185] prepare_alloc_pages+0x1d9/0x5b0 [ 80.724091][ T5185] __alloc_pages+0x165/0x670 [ 80.728674][ T5185] ? zone_statistics+0x170/0x170 [ 80.733696][ T5185] ? verify_lock_unused+0x140/0x140 [ 80.738901][ T5185] ? handle_mm_fault+0x11d/0x62b0 [ 80.743933][ T5185] ? __lock_acquire+0x7f70/0x7f70 [ 80.748945][ T5185] ? pte_offset_map_nolock+0x137/0x1e0 [ 80.754421][ T5185] __folio_alloc+0x13/0x30 [ 80.758862][ T5185] vma_alloc_folio+0x48a/0x9a0 [ 80.763626][ T5185] handle_mm_fault+0x2376/0x62b0 [ 80.768577][ T5185] ? handle_mm_fault+0x11d/0x62b0 [ 80.776572][ T5185] ? numa_migrate_prep+0x380/0x380 [ 80.781693][ T5185] ? mtree_range_walk+0x6a0/0x7e0 [ 80.786718][ T5185] ? lock_vma_under_rcu+0x187/0x6f0 [ 80.791917][ T5185] ? __lock_acquire+0x7f70/0x7f70 [ 80.796957][ T5185] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 80.802177][ T5185] ? lock_vma_under_rcu+0x5df/0x6f0 [ 80.807386][ T5185] ? lock_vma_under_rcu+0x187/0x6f0 [ 80.812654][ T5185] ? exc_page_fault+0x10f/0x860 [ 80.817508][ T5185] exc_page_fault+0x455/0x860 [ 80.822185][ T5185] asm_exc_page_fault+0x26/0x30 [ 80.827026][ T5185] RIP: 0033:0x7f794735bd00 [ 80.831457][ T5185] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 80.851157][ T5185] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5185] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2106600) = 2106600 [pid 5185] munmap(0x7f793ef10000, 2106600) = 0 [pid 5185] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 80.857224][ T5185] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 80.865191][ T5185] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 80.873162][ T5185] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 80.881135][ T5185] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 80.889094][ T5185] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 80.897072][ T5185] [ 80.900398][ T5185] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5185] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5185] close(5) = 0 [pid 5185] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5185] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 80.939442][ T5185] loop0: detected capacity change from 0 to 4114 [ 80.954240][ T5185] ntfs3: loop0: failed to replay log file. Can't mount rw! [pid 5185] ioctl(4, LOOP_CLR_FD) = 0 [pid 5185] close(4) = 0 [pid 5185] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5185] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5183] <... futex resumed>) = 0 [pid 5183] exit_group(0) = ? [pid 5185] <... futex resumed>) = ? [pid 5184] <... futex resumed>) = ? [pid 5185] +++ exited with 0 +++ [pid 5184] +++ exited with 0 +++ [pid 5183] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5183, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./50", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./50", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./50/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./50/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./50/binderfs") = 0 umount2("\x2e\x2f\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./50") = 0 mkdir("./51", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5186 ./strace-static-x86_64: Process 5186 attached [pid 5186] set_robust_list(0x555555f176a0, 24) = 0 [pid 5186] chdir("./51") = 0 [pid 5186] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5186] setpgid(0, 0) = 0 [pid 5186] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5186] write(3, "1000", 4) = 4 [pid 5186] close(3) = 0 [pid 5186] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5186] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5186] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5186] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5186] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5186] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5186] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5186] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5187]}, 88) = 5187 ./strace-static-x86_64: Process 5187 attached [pid 5186] rt_sigprocmask(SIG_SETMASK, [], [pid 5187] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5186] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5187] <... rseq resumed>) = 0 [pid 5186] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5187] set_robust_list(0x7f79473519a0, 24 [pid 5186] <... futex resumed>) = 0 [pid 5187] <... set_robust_list resumed>) = 0 [pid 5186] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5187] rt_sigprocmask(SIG_SETMASK, [], [pid 5186] <... futex resumed>) = 0 [pid 5187] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5187] memfd_create("syzkaller", 0 [pid 5186] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5186] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5187] <... memfd_create resumed>) = 3 [pid 5186] <... mprotect resumed>) = 0 [pid 5186] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5187] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5186] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5187] <... mmap resumed>) = 0x7f793ef10000 [pid 5186] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5188]}, 88) = 5188 [pid 5186] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5186] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5186] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5188 attached [pid 5188] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5188] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5188] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5188] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5188] write(4, "85", 2) = 2 [pid 5188] memfd_create("syzkaller", 0) = 5 [pid 5188] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 81.090477][ T5188] FAULT_INJECTION: forcing a failure. [ 81.090477][ T5188] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 81.104206][ T5188] CPU: 1 PID: 5188 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 81.114636][ T5188] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 81.124685][ T5188] Call Trace: [ 81.127976][ T5188] [ 81.130914][ T5188] dump_stack_lvl+0x1e7/0x2d0 [ 81.135604][ T5188] ? nf_tcp_handle_invalid+0x650/0x650 [ 81.141064][ T5188] ? panic+0x770/0x770 [ 81.145135][ T5188] should_fail_ex+0x3aa/0x4e0 [ 81.149811][ T5188] prepare_alloc_pages+0x1d9/0x5b0 [ 81.154924][ T5188] __alloc_pages+0x165/0x670 [ 81.159529][ T5188] ? zone_statistics+0x170/0x170 [ 81.164473][ T5188] ? verify_lock_unused+0x140/0x140 [ 81.169672][ T5188] ? handle_mm_fault+0x11d/0x62b0 [ 81.174699][ T5188] ? __lock_acquire+0x7f70/0x7f70 [ 81.179721][ T5188] ? pte_offset_map_nolock+0x137/0x1e0 [ 81.185190][ T5188] __folio_alloc+0x13/0x30 [ 81.189605][ T5188] vma_alloc_folio+0x48a/0x9a0 [ 81.194405][ T5188] handle_mm_fault+0x2376/0x62b0 [ 81.199368][ T5188] ? handle_mm_fault+0x11d/0x62b0 [ 81.204403][ T5188] ? numa_migrate_prep+0x380/0x380 [ 81.209524][ T5188] ? mtree_range_walk+0x6a0/0x7e0 [ 81.214572][ T5188] ? lock_vma_under_rcu+0x187/0x6f0 [ 81.219778][ T5188] ? __lock_acquire+0x7f70/0x7f70 [ 81.224800][ T5188] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 81.230027][ T5188] ? lock_vma_under_rcu+0x5df/0x6f0 [ 81.235278][ T5188] ? lock_vma_under_rcu+0x187/0x6f0 [ 81.240498][ T5188] ? exc_page_fault+0x10f/0x860 [ 81.245366][ T5188] exc_page_fault+0x455/0x860 [ 81.250054][ T5188] asm_exc_page_fault+0x26/0x30 [ 81.254899][ T5188] RIP: 0033:0x7f794735bc53 [ 81.259311][ T5188] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 81.278932][ T5188] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5187] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5187] munmap(0x7f793ef10000, 2097152) = 0 [ 81.284990][ T5188] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 81.292971][ T5188] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 81.300947][ T5188] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 81.308924][ T5188] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 81.316892][ T5188] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 81.324905][ T5188] [ 81.332009][ T5188] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5187] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5187] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5188] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5187] close(3) = 0 [pid 5187] mkdir("./file0", 0777) = 0 [pid 5187] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5188] <... write resumed>) = 2097152 [ 81.356199][ T5187] loop0: detected capacity change from 0 to 4096 [ 81.380511][ T5187] __ntfs_error: 97 callbacks suppressed [ 81.380522][ T5187] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [pid 5188] munmap(0x7f7936b10000, 2097152) = 0 [pid 5188] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5188] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5188] ioctl(3, LOOP_CLR_FD) = 0 [pid 5188] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5188] close(3) = 0 [pid 5188] close(5) = 0 [pid 5188] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5186] <... futex resumed>) = 0 [pid 5188] <... futex resumed>) = 1 [ 81.397593][ T5187] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [ 81.411478][ T5187] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 81.436736][ T5187] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 81.446871][ T5187] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 81.454960][ T5187] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 81.471690][ T5187] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 81.486315][ T5187] ntfs: volume version 12.0. [ 81.491199][ T5187] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [pid 5188] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5187] <... mount resumed>) = 0 [pid 5187] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5187] chdir("./file0") = 0 [pid 5187] ioctl(6, LOOP_CLR_FD) = 0 [pid 5187] close(6) = 0 [pid 5187] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5187] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5186] exit_group(0 [pid 5188] <... futex resumed>) = ? [pid 5186] <... exit_group resumed>) = ? [pid 5187] <... futex resumed>) = ? [pid 5187] +++ exited with 0 +++ [pid 5188] +++ exited with 0 +++ [pid 5186] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5186, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=43 /* 0.43 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./51", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./51/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./51/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./51/binderfs") = 0 [ 81.500620][ T5187] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 81.514435][ T5187] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./51/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./51/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./51") = 0 mkdir("./52", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5189 ./strace-static-x86_64: Process 5189 attached [pid 5189] set_robust_list(0x555555f176a0, 24) = 0 [pid 5189] chdir("./52") = 0 [pid 5189] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5189] setpgid(0, 0) = 0 [pid 5189] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5189] write(3, "1000", 4) = 4 [pid 5189] close(3) = 0 [pid 5189] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5189] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5189] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5189] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5189] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5189] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5189] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5189] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5190 attached => {parent_tid=[5190]}, 88) = 5190 [pid 5189] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5189] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5189] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5189] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5189] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5189] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5190] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5189] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5190] <... rseq resumed>) = 0 [pid 5189] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5190] set_robust_list(0x7f79473519a0, 24./strace-static-x86_64: Process 5191 attached ) = 0 [pid 5191] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5190] rt_sigprocmask(SIG_SETMASK, [], [pid 5189] <... clone3 resumed> => {parent_tid=[5191]}, 88) = 5191 [pid 5190] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5189] rt_sigprocmask(SIG_SETMASK, [], [pid 5191] <... rseq resumed>) = 0 [pid 5191] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5191] rt_sigprocmask(SIG_SETMASK, [], [pid 5190] memfd_create("syzkaller", 0 [pid 5191] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5189] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5191] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5190] <... memfd_create resumed>) = 3 [pid 5189] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5191] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5190] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5189] <... futex resumed>) = 0 [pid 5190] <... mmap resumed>) = 0x7f793ef10000 [pid 5191] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5190] munmap(0x7f793ef10000, 138412032 [pid 5189] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5191] <... openat resumed>) = 4 [pid 5191] write(4, "85", 2) = 2 [pid 5191] memfd_create("syzkaller", 0 [pid 5190] <... munmap resumed>) = 0 [pid 5190] close(3) = 0 [pid 5190] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5190] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5191] <... memfd_create resumed>) = 3 [pid 5191] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 81.645506][ T5191] FAULT_INJECTION: forcing a failure. [ 81.645506][ T5191] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 81.659535][ T5191] CPU: 0 PID: 5191 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 81.669952][ T5191] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 81.680059][ T5191] Call Trace: [ 81.683350][ T5191] [ 81.686378][ T5191] dump_stack_lvl+0x1e7/0x2d0 [ 81.691050][ T5191] ? nf_tcp_handle_invalid+0x650/0x650 [ 81.696498][ T5191] ? panic+0x770/0x770 [ 81.700571][ T5191] should_fail_ex+0x3aa/0x4e0 [ 81.705245][ T5191] prepare_alloc_pages+0x1d9/0x5b0 [ 81.710358][ T5191] __alloc_pages+0x165/0x670 [ 81.714941][ T5191] ? zone_statistics+0x170/0x170 [ 81.719879][ T5191] ? verify_lock_unused+0x140/0x140 [ 81.725074][ T5191] ? handle_mm_fault+0x11d/0x62b0 [ 81.730120][ T5191] ? __lock_acquire+0x7f70/0x7f70 [ 81.735175][ T5191] ? pte_offset_map_nolock+0x137/0x1e0 [ 81.740638][ T5191] __folio_alloc+0x13/0x30 [ 81.745078][ T5191] vma_alloc_folio+0x48a/0x9a0 [ 81.749856][ T5191] handle_mm_fault+0x2376/0x62b0 [ 81.754791][ T5191] ? handle_mm_fault+0x11d/0x62b0 [ 81.759914][ T5191] ? numa_migrate_prep+0x380/0x380 [ 81.765039][ T5191] ? mtree_range_walk+0x6a0/0x7e0 [ 81.770089][ T5191] ? lock_vma_under_rcu+0x187/0x6f0 [ 81.775372][ T5191] ? __lock_acquire+0x7f70/0x7f70 [ 81.781956][ T5191] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 81.787164][ T5191] ? lock_vma_under_rcu+0x5df/0x6f0 [ 81.792360][ T5191] ? lock_vma_under_rcu+0x187/0x6f0 [ 81.797560][ T5191] ? exc_page_fault+0x10f/0x860 [ 81.802405][ T5191] exc_page_fault+0x455/0x860 [ 81.807079][ T5191] asm_exc_page_fault+0x26/0x30 [ 81.811920][ T5191] RIP: 0033:0x7f794735bd00 [ 81.816332][ T5191] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 81.835929][ T5191] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5191] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5191] munmap(0x7f793ef10000, 2097152) = 0 [ 81.841990][ T5191] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 81.849960][ T5191] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 81.857923][ T5191] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 81.865884][ T5191] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 81.873858][ T5191] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 81.881832][ T5191] [ 81.885278][ T5191] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5191] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [pid 5191] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5191] close(3) = 0 [pid 5191] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5191] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5191] ioctl(5, LOOP_CLR_FD) = 0 [ 81.924971][ T5191] loop0: detected capacity change from 0 to 4096 [ 81.927823][ T23] cfg80211: failed to load regulatory.db [ 81.949504][ T5191] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 81.956575][ T5191] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5191] close(5) = 0 [pid 5191] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5189] <... futex resumed>) = 0 [pid 5191] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5189] exit_group(0 [pid 5191] <... futex resumed>) = ? [pid 5189] <... exit_group resumed>) = ? [pid 5191] +++ exited with 0 +++ [pid 5190] <... futex resumed>) = ? [pid 5190] +++ exited with 0 +++ [pid 5189] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5189, si_uid=0, si_status=0, si_utime=0, si_stime=8 /* 0.08 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./52", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./52", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./52/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./52/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./52/binderfs") = 0 umount2("\x2e\x2f\x35\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x35\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x35\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x35\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x35\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./52") = 0 mkdir("./53", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5192 attached , child_tidptr=0x555555f17690) = 5192 [pid 5192] set_robust_list(0x555555f176a0, 24) = 0 [pid 5192] chdir("./53") = 0 [pid 5192] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5192] setpgid(0, 0) = 0 [pid 5192] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5192] write(3, "1000", 4) = 4 [pid 5192] close(3) = 0 [pid 5192] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5192] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5192] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5192] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5192] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5192] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5192] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5193]}, 88) = 5193 [pid 5192] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5192] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5192] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5192] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5192] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5194]}, 88) = 5194 ./strace-static-x86_64: Process 5193 attached [pid 5192] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5192] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5194 attached [pid 5194] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5194] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5194] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5193] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5193] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5193] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5194] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 3 [pid 5194] write(3, "85", 2 [pid 5193] memfd_create("syzkaller", 0 [pid 5194] <... write resumed>) = 2 [pid 5194] memfd_create("syzkaller", 0) = 4 [pid 5194] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5193] <... memfd_create resumed>) = 5 [pid 5193] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 82.053330][ T5194] FAULT_INJECTION: forcing a failure. [ 82.053330][ T5194] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 82.067576][ T5194] CPU: 1 PID: 5194 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 82.078021][ T5194] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 82.088114][ T5194] Call Trace: [ 82.091427][ T5194] [ 82.094884][ T5194] dump_stack_lvl+0x1e7/0x2d0 [ 82.099575][ T5194] ? nf_tcp_handle_invalid+0x650/0x650 [ 82.105035][ T5194] ? panic+0x770/0x770 [ 82.109195][ T5194] should_fail_ex+0x3aa/0x4e0 [ 82.113875][ T5194] prepare_alloc_pages+0x1d9/0x5b0 [ 82.118993][ T5194] __alloc_pages+0x165/0x670 [ 82.123596][ T5194] ? zone_statistics+0x170/0x170 [ 82.128537][ T5194] ? verify_lock_unused+0x140/0x140 [ 82.133725][ T5194] ? handle_mm_fault+0x11d/0x62b0 [ 82.138767][ T5194] ? __lock_acquire+0x7f70/0x7f70 [ 82.149717][ T5194] ? pte_offset_map_nolock+0x137/0x1e0 [ 82.155538][ T5194] __folio_alloc+0x13/0x30 [ 82.159964][ T5194] vma_alloc_folio+0x48a/0x9a0 [ 82.164727][ T5194] handle_mm_fault+0x2376/0x62b0 [ 82.169845][ T5194] ? handle_mm_fault+0x11d/0x62b0 [ 82.174875][ T5194] ? numa_migrate_prep+0x380/0x380 [ 82.180015][ T5194] ? mtree_range_walk+0x6a0/0x7e0 [ 82.185041][ T5194] ? lock_vma_under_rcu+0x187/0x6f0 [ 82.190263][ T5194] ? __lock_acquire+0x7f70/0x7f70 [ 82.195453][ T5194] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 82.200691][ T5194] ? lock_vma_under_rcu+0x5df/0x6f0 [ 82.205912][ T5194] ? lock_vma_under_rcu+0x187/0x6f0 [ 82.211119][ T5194] ? exc_page_fault+0x10f/0x860 [ 82.215974][ T5194] exc_page_fault+0x455/0x860 [ 82.220744][ T5194] asm_exc_page_fault+0x26/0x30 [ 82.225589][ T5194] RIP: 0033:0x7f794735bc53 [ 82.230000][ T5194] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 82.249799][ T5194] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [ 82.255862][ T5194] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 82.263826][ T5194] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 82.271793][ T5194] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 82.279755][ T5194] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 82.287719][ T5194] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 82.295787][ T5194] [pid 5193] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5194] munmap(0x7f793ef10000, 138412032) = 0 [pid 5194] close(4) = 0 [pid 5194] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5192] <... futex resumed>) = 0 [pid 5194] <... futex resumed>) = 1 [pid 5194] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5193] <... write resumed>) = 2097152 [pid 5193] munmap(0x7f7936b10000, 2097152) = 0 [pid 5193] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5193] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5193] close(5) = 0 [pid 5193] mkdir("./file0", 0777) = 0 [ 82.305483][ T5194] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 82.343425][ T5193] loop0: detected capacity change from 0 to 4096 [pid 5193] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5193] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5193] chdir("./file0") = 0 [pid 5193] ioctl(4, LOOP_CLR_FD) = 0 [pid 5193] close(4) = 0 [pid 5193] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 82.357270][ T5193] ntfs: volume version 12.0. [pid 5193] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5192] exit_group(0 [pid 5194] <... futex resumed>) = ? [pid 5193] <... futex resumed>) = ? [pid 5192] <... exit_group resumed>) = ? [pid 5194] +++ exited with 0 +++ [pid 5193] +++ exited with 0 +++ [pid 5192] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5192, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- umount2("./53", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./53/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./53/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./53/binderfs") = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./53/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./53/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./53") = 0 mkdir("./54", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5195 attached , child_tidptr=0x555555f17690) = 5195 [pid 5195] set_robust_list(0x555555f176a0, 24) = 0 [pid 5195] chdir("./54") = 0 [pid 5195] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5195] setpgid(0, 0) = 0 [pid 5195] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5195] write(3, "1000", 4) = 4 [pid 5195] close(3) = 0 [pid 5195] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5195] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5195] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5195] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5195] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5195] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5195] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5195] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5196 attached [pid 5196] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5195] <... clone3 resumed> => {parent_tid=[5196]}, 88) = 5196 [pid 5196] <... rseq resumed>) = 0 [pid 5195] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5196] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5195] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5196] rt_sigprocmask(SIG_SETMASK, [], [pid 5195] <... futex resumed>) = 0 [pid 5196] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5195] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5196] memfd_create("syzkaller", 0 [pid 5195] <... futex resumed>) = 0 [pid 5195] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5196] <... memfd_create resumed>) = 3 [pid 5195] <... mmap resumed>) = 0x7f7947310000 [pid 5196] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5195] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5196] <... mmap resumed>) = 0x7f793ef10000 [pid 5195] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5195] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5197 attached [pid 5197] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5197] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5197] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5195] <... clone3 resumed> => {parent_tid=[5197]}, 88) = 5197 [pid 5197] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5195] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5195] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5197] <... futex resumed>) = 0 [pid 5195] <... futex resumed>) = 1 [pid 5197] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5195] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5197] <... openat resumed>) = 4 [pid 5197] write(4, "85", 2) = 2 [pid 5197] memfd_create("syzkaller", 0) = 5 [pid 5197] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 82.469638][ T5197] FAULT_INJECTION: forcing a failure. [ 82.469638][ T5197] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 82.483629][ T5197] CPU: 0 PID: 5197 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 82.494079][ T5197] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 82.504142][ T5197] Call Trace: [ 82.509851][ T5197] [ 82.512774][ T5197] dump_stack_lvl+0x1e7/0x2d0 [ 82.517455][ T5197] ? nf_tcp_handle_invalid+0x650/0x650 [ 82.522907][ T5197] ? panic+0x770/0x770 [ 82.527001][ T5197] should_fail_ex+0x3aa/0x4e0 [ 82.531712][ T5197] prepare_alloc_pages+0x1d9/0x5b0 [ 82.536850][ T5197] __alloc_pages+0x165/0x670 [ 82.541441][ T5197] ? zone_statistics+0x170/0x170 [ 82.546403][ T5197] ? verify_lock_unused+0x140/0x140 [ 82.551709][ T5197] ? handle_mm_fault+0x11d/0x62b0 [ 82.556776][ T5197] ? __lock_acquire+0x7f70/0x7f70 [ 82.561807][ T5197] ? pte_offset_map_nolock+0x137/0x1e0 [ 82.567271][ T5197] __folio_alloc+0x13/0x30 [ 82.571685][ T5197] vma_alloc_folio+0x48a/0x9a0 [ 82.576449][ T5197] handle_mm_fault+0x2376/0x62b0 [ 82.581390][ T5197] ? handle_mm_fault+0x11d/0x62b0 [ 82.586420][ T5197] ? numa_migrate_prep+0x380/0x380 [ 82.591532][ T5197] ? mtree_range_walk+0x6a0/0x7e0 [ 82.596578][ T5197] ? lock_vma_under_rcu+0x187/0x6f0 [ 82.601772][ T5197] ? __lock_acquire+0x7f70/0x7f70 [ 82.606784][ T5197] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 82.611999][ T5197] ? lock_vma_under_rcu+0x5df/0x6f0 [ 82.617205][ T5197] ? lock_vma_under_rcu+0x187/0x6f0 [ 82.622416][ T5197] ? exc_page_fault+0x10f/0x860 [ 82.627631][ T5197] exc_page_fault+0x455/0x860 [ 82.632312][ T5197] asm_exc_page_fault+0x26/0x30 [ 82.637592][ T5197] RIP: 0033:0x7f794735bc53 [ 82.642003][ T5197] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 82.662126][ T5197] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5196] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2085833 [pid 5197] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5196] <... write resumed>) = 2085833 [pid 5196] munmap(0x7f793ef10000, 2085833) = 0 [ 82.668191][ T5197] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 82.676163][ T5197] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 82.684125][ T5197] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 82.692175][ T5197] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 82.700143][ T5197] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 82.708578][ T5197] [ 82.712506][ T5197] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5196] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5196] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5196] close(3) = 0 [pid 5196] mkdir("./file0", 0777 [pid 5197] <... write resumed>) = 2097152 [pid 5197] munmap(0x7f7936b10000, 2097152 [pid 5196] <... mkdir resumed>) = 0 [pid 5196] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5196] ioctl(6, LOOP_CLR_FD [pid 5197] <... munmap resumed>) = 0 [pid 5197] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5197] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5197] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5197] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5197] close(3) = 0 [pid 5197] close(5) = 0 [pid 5197] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5195] <... futex resumed>) = 0 [ 82.752417][ T5196] loop0: detected capacity change from 0 to 4073 [pid 5197] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5196] <... ioctl resumed>) = 0 [pid 5196] close(6) = 0 [pid 5196] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5196] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5195] exit_group(0 [pid 5197] <... futex resumed>) = ? [pid 5196] <... futex resumed>) = ? [pid 5195] <... exit_group resumed>) = ? [pid 5196] +++ exited with 0 +++ [pid 5197] +++ exited with 0 +++ [pid 5195] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5195, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./54", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./54/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./54/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./54/binderfs") = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./54/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./54/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./54") = 0 mkdir("./55", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5198 attached , child_tidptr=0x555555f17690) = 5198 [pid 5198] set_robust_list(0x555555f176a0, 24) = 0 [pid 5198] chdir("./55") = 0 [pid 5198] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5198] setpgid(0, 0) = 0 [pid 5198] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5198] write(3, "1000", 4) = 4 [pid 5198] close(3) = 0 [pid 5198] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5198] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5198] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5198] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5198] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5198] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5198] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5198] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5199 attached => {parent_tid=[5199]}, 88) = 5199 [pid 5199] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5198] rt_sigprocmask(SIG_SETMASK, [], [pid 5199] set_robust_list(0x7f79473519a0, 24 [pid 5198] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5199] <... set_robust_list resumed>) = 0 [pid 5198] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5199] rt_sigprocmask(SIG_SETMASK, [], [pid 5198] <... futex resumed>) = 0 [pid 5199] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5199] memfd_create("syzkaller", 0 [pid 5198] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5198] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5199] <... memfd_create resumed>) = 3 [pid 5199] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5198] <... mmap resumed>) = 0x7f7947310000 [pid 5199] <... mmap resumed>) = 0x7f793ef10000 [pid 5198] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5198] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5198] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5200 attached [pid 5200] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [ 82.812839][ T5034] I/O error, dev loop0, sector 3840 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 5198] <... clone3 resumed> => {parent_tid=[5200]}, 88) = 5200 [pid 5200] <... rseq resumed>) = 0 [pid 5198] rt_sigprocmask(SIG_SETMASK, [], [pid 5200] set_robust_list(0x7f79473309a0, 24 [pid 5198] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5200] <... set_robust_list resumed>) = 0 [pid 5198] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5200] rt_sigprocmask(SIG_SETMASK, [], [pid 5198] <... futex resumed>) = 0 [pid 5200] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5198] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5200] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5199] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5200] <... openat resumed>) = 4 [pid 5200] write(4, "85", 2) = 2 [pid 5200] memfd_create("syzkaller", 0) = 5 [pid 5200] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5199] <... write resumed>) = 2097152 [ 82.898763][ T5200] FAULT_INJECTION: forcing a failure. [ 82.898763][ T5200] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 82.912245][ T5200] CPU: 1 PID: 5200 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 82.922681][ T5200] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 82.932737][ T5200] Call Trace: [ 82.936010][ T5200] [ 82.938950][ T5200] dump_stack_lvl+0x1e7/0x2d0 [ 82.943987][ T5200] ? nf_tcp_handle_invalid+0x650/0x650 [ 82.949436][ T5200] ? panic+0x770/0x770 [ 82.953511][ T5200] should_fail_ex+0x3aa/0x4e0 [ 82.958207][ T5200] prepare_alloc_pages+0x1d9/0x5b0 [ 82.963317][ T5200] __alloc_pages+0x165/0x670 [ 82.967903][ T5200] ? zone_statistics+0x170/0x170 [ 82.972945][ T5200] ? verify_lock_unused+0x140/0x140 [ 82.978220][ T5200] ? handle_mm_fault+0x11d/0x62b0 [ 82.983241][ T5200] ? __lock_acquire+0x7f70/0x7f70 [ 82.988251][ T5200] ? pte_offset_map_nolock+0x137/0x1e0 [ 82.993702][ T5200] __folio_alloc+0x13/0x30 [ 82.998111][ T5200] vma_alloc_folio+0x48a/0x9a0 [ 83.002887][ T5200] handle_mm_fault+0x2376/0x62b0 [ 83.007843][ T5200] ? handle_mm_fault+0x11d/0x62b0 [ 83.012886][ T5200] ? numa_migrate_prep+0x380/0x380 [ 83.018016][ T5200] ? mtree_range_walk+0x6a0/0x7e0 [ 83.023032][ T5200] ? lock_vma_under_rcu+0x187/0x6f0 [ 83.028235][ T5200] ? __lock_acquire+0x7f70/0x7f70 [ 83.033248][ T5200] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 83.038472][ T5200] ? lock_vma_under_rcu+0x5df/0x6f0 [ 83.043697][ T5200] ? lock_vma_under_rcu+0x187/0x6f0 [ 83.048922][ T5200] ? exc_page_fault+0x10f/0x860 [ 83.053796][ T5200] exc_page_fault+0x455/0x860 [ 83.058482][ T5200] asm_exc_page_fault+0x26/0x30 [ 83.063349][ T5200] RIP: 0033:0x7f794735bc53 [ 83.067769][ T5200] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 83.087386][ T5200] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5199] munmap(0x7f793ef10000, 2097152) = 0 [ 83.093457][ T5200] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 83.101423][ T5200] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 83.109409][ T5200] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 83.117396][ T5200] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 83.125378][ T5200] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 83.133373][ T5200] [ 83.140966][ T5200] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5199] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5199] ioctl(6, LOOP_SET_FD, 3 [pid 5200] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5199] <... ioctl resumed>) = 0 [pid 5199] close(3) = 0 [pid 5199] mkdir("./file0", 0777) = 0 [pid 5199] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5200] <... write resumed>) = 2097152 [pid 5200] munmap(0x7f7936b10000, 2097152) = 0 [pid 5200] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5199] <... mount resumed>) = 0 [pid 5200] ioctl(3, LOOP_SET_FD, 5 [pid 5199] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 5200] <... ioctl resumed>) = -1 EBUSY (Device or resource busy) [pid 5200] ioctl(3, LOOP_CLR_FD [pid 5199] <... openat resumed>) = 7 [pid 5200] <... ioctl resumed>) = 0 [pid 5199] chdir("./file0") = 0 [pid 5199] ioctl(6, LOOP_CLR_FD) = 0 [pid 5199] close(6) = 0 [pid 5200] ioctl(3, LOOP_SET_FD, 5 [pid 5199] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5200] <... ioctl resumed>) = -1 EBUSY (Device or resource busy) [pid 5199] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5200] close(3) = 0 [pid 5200] close(5) = 0 [pid 5200] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5200] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5198] <... futex resumed>) = 0 [pid 5198] exit_group(0) = ? [pid 5200] <... futex resumed>) = ? [pid 5199] <... futex resumed>) = ? [pid 5200] +++ exited with 0 +++ [pid 5199] +++ exited with 0 +++ [pid 5198] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5198, si_uid=0, si_status=0, si_utime=0, si_stime=12 /* 0.12 s */} --- umount2("./55", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./55/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./55/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 83.160832][ T5199] loop0: detected capacity change from 0 to 4096 [ 83.186481][ T5199] ntfs: volume version 12.0. unlink("./55/binderfs") = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./55/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./55/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./55") = 0 mkdir("./56", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5201 attached , child_tidptr=0x555555f17690) = 5201 [pid 5201] set_robust_list(0x555555f176a0, 24) = 0 [pid 5201] chdir("./56") = 0 [pid 5201] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5201] setpgid(0, 0) = 0 [pid 5201] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5201] write(3, "1000", 4) = 4 [pid 5201] close(3) = 0 [pid 5201] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5201] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5201] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5201] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5201] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5201] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5201] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5201] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5202 attached [pid 5202] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5201] <... clone3 resumed> => {parent_tid=[5202]}, 88) = 5202 [pid 5202] <... rseq resumed>) = 0 [pid 5201] rt_sigprocmask(SIG_SETMASK, [], [pid 5202] set_robust_list(0x7f79473519a0, 24 [pid 5201] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5202] <... set_robust_list resumed>) = 0 [pid 5201] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5202] rt_sigprocmask(SIG_SETMASK, [], [pid 5201] <... futex resumed>) = 0 [pid 5202] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5201] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5202] memfd_create("syzkaller", 0 [pid 5201] <... futex resumed>) = 0 [pid 5201] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5201] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5201] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5201] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5202] <... memfd_create resumed>) = 3 [pid 5201] <... clone3 resumed> => {parent_tid=[5203]}, 88) = 5203 [pid 5202] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5201] rt_sigprocmask(SIG_SETMASK, [], [pid 5202] <... mmap resumed>) = 0x7f793ef10000 [pid 5201] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5201] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5201] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5203 attached [pid 5203] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5203] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5203] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5203] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5203] write(4, "85", 2) = 2 [pid 5203] memfd_create("syzkaller", 0) = 5 [pid 5203] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 83.331372][ T5203] FAULT_INJECTION: forcing a failure. [ 83.331372][ T5203] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 83.345087][ T5203] CPU: 0 PID: 5203 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 83.355532][ T5203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 83.365600][ T5203] Call Trace: [ 83.368877][ T5203] [ 83.371803][ T5203] dump_stack_lvl+0x1e7/0x2d0 [ 83.376481][ T5203] ? nf_tcp_handle_invalid+0x650/0x650 [ 83.381931][ T5203] ? panic+0x770/0x770 [ 83.386017][ T5203] should_fail_ex+0x3aa/0x4e0 [ 83.390696][ T5203] prepare_alloc_pages+0x1d9/0x5b0 [ 83.395815][ T5203] __alloc_pages+0x165/0x670 [ 83.400487][ T5203] ? zone_statistics+0x170/0x170 [ 83.405422][ T5203] ? verify_lock_unused+0x140/0x140 [ 83.410611][ T5203] ? handle_mm_fault+0x11d/0x62b0 [ 83.415629][ T5203] ? __lock_acquire+0x7f70/0x7f70 [ 83.420645][ T5203] ? pte_offset_map_nolock+0x137/0x1e0 [ 83.426116][ T5203] __folio_alloc+0x13/0x30 [ 83.430529][ T5203] vma_alloc_folio+0x48a/0x9a0 [ 83.435290][ T5203] handle_mm_fault+0x2376/0x62b0 [ 83.440233][ T5203] ? handle_mm_fault+0x11d/0x62b0 [ 83.445524][ T5203] ? numa_migrate_prep+0x380/0x380 [ 83.450640][ T5203] ? mtree_range_walk+0x6a0/0x7e0 [ 83.455667][ T5203] ? lock_vma_under_rcu+0x187/0x6f0 [ 83.460862][ T5203] ? __lock_acquire+0x7f70/0x7f70 [ 83.465879][ T5203] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 83.471086][ T5203] ? lock_vma_under_rcu+0x5df/0x6f0 [ 83.476277][ T5203] ? lock_vma_under_rcu+0x187/0x6f0 [ 83.481479][ T5203] ? exc_page_fault+0x10f/0x860 [ 83.486329][ T5203] exc_page_fault+0x455/0x860 [ 83.491008][ T5203] asm_exc_page_fault+0x26/0x30 [ 83.495890][ T5203] RIP: 0033:0x7f794735bc53 [ 83.500299][ T5203] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 83.520072][ T5203] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5202] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5202] munmap(0x7f793ef10000, 2097152) = 0 [pid 5202] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 83.526136][ T5203] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 83.534132][ T5203] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 83.542092][ T5203] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 83.550062][ T5203] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 83.558035][ T5203] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 83.566026][ T5203] [ 83.573293][ T5203] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5202] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5202] close(3) = 0 [pid 5202] mkdir("./file0", 0777) = 0 [pid 5202] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5203] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5203] munmap(0x7f7936b10000, 2097152 [pid 5202] <... mount resumed>) = 0 [pid 5202] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5202] chdir("./file0") = 0 [pid 5202] ioctl(6, LOOP_CLR_FD) = 0 [pid 5202] close(6) = 0 [pid 5202] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5202] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5203] <... munmap resumed>) = 0 [pid 5203] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5203] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5203] ioctl(6, LOOP_CLR_FD) = 0 [pid 5203] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5203] close(6) = 0 [pid 5203] close(5) = 0 [pid 5203] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5201] <... futex resumed>) = 0 [pid 5203] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5201] exit_group(0 [pid 5203] <... futex resumed>) = ? [pid 5202] <... futex resumed>) = ? [pid 5201] <... exit_group resumed>) = ? [pid 5203] +++ exited with 0 +++ [pid 5202] +++ exited with 0 +++ [pid 5201] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5201, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=14 /* 0.14 s */} --- umount2("./56", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./56/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./56/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./56/binderfs") = 0 [ 83.587275][ T5202] loop0: detected capacity change from 0 to 4096 [ 83.616208][ T5202] ntfs: volume version 12.0. umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./56/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./56/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./56") = 0 mkdir("./57", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5204 ./strace-static-x86_64: Process 5204 attached [pid 5204] set_robust_list(0x555555f176a0, 24) = 0 [pid 5204] chdir("./57") = 0 [pid 5204] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5204] setpgid(0, 0) = 0 [pid 5204] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5204] write(3, "1000", 4) = 4 [pid 5204] close(3) = 0 [pid 5204] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5204] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5204] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5204] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5204] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5204] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5204] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5204] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5205 attached => {parent_tid=[5205]}, 88) = 5205 [pid 5205] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5204] rt_sigprocmask(SIG_SETMASK, [], [pid 5205] set_robust_list(0x7f79473519a0, 24 [pid 5204] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5205] <... set_robust_list resumed>) = 0 [pid 5204] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5205] rt_sigprocmask(SIG_SETMASK, [], [pid 5204] <... futex resumed>) = 0 [pid 5205] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5204] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5205] memfd_create("syzkaller", 0 [pid 5204] <... futex resumed>) = 0 [pid 5204] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5204] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5204] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5205] <... memfd_create resumed>) = 3 [pid 5204] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5204] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5205] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 ./strace-static-x86_64: Process 5206 attached [pid 5206] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5204] <... clone3 resumed> => {parent_tid=[5206]}, 88) = 5206 [pid 5206] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5204] rt_sigprocmask(SIG_SETMASK, [], [pid 5206] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5206] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5204] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5204] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5206] <... futex resumed>) = 0 [pid 5204] <... futex resumed>) = 1 [pid 5206] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5204] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5206] <... openat resumed>) = 4 [pid 5206] write(4, "85", 2) = 2 [pid 5206] memfd_create("syzkaller", 0) = 5 [pid 5206] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5205] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 83.761042][ T5206] FAULT_INJECTION: forcing a failure. [ 83.761042][ T5206] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 83.774499][ T5206] CPU: 0 PID: 5206 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 83.784928][ T5206] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 83.795153][ T5206] Call Trace: [ 83.798438][ T5206] [ 83.801378][ T5206] dump_stack_lvl+0x1e7/0x2d0 [ 83.806074][ T5206] ? nf_tcp_handle_invalid+0x650/0x650 [ 83.811523][ T5206] ? panic+0x770/0x770 [ 83.815587][ T5206] should_fail_ex+0x3aa/0x4e0 [ 83.820267][ T5206] prepare_alloc_pages+0x1d9/0x5b0 [ 83.825394][ T5206] __alloc_pages+0x165/0x670 [ 83.829983][ T5206] ? zone_statistics+0x170/0x170 [ 83.834922][ T5206] ? verify_lock_unused+0x140/0x140 [ 83.840113][ T5206] ? handle_mm_fault+0x11d/0x62b0 [ 83.845130][ T5206] ? __lock_acquire+0x7f70/0x7f70 [ 83.850144][ T5206] ? pte_offset_map_nolock+0x137/0x1e0 [ 83.855597][ T5206] __folio_alloc+0x13/0x30 [ 83.860016][ T5206] vma_alloc_folio+0x48a/0x9a0 [ 83.864778][ T5206] handle_mm_fault+0x2376/0x62b0 [ 83.869717][ T5206] ? handle_mm_fault+0x11d/0x62b0 [ 83.874828][ T5206] ? numa_migrate_prep+0x380/0x380 [ 83.879948][ T5206] ? mtree_range_walk+0x6a0/0x7e0 [ 83.884975][ T5206] ? lock_vma_under_rcu+0x187/0x6f0 [ 83.890263][ T5206] ? __lock_acquire+0x7f70/0x7f70 [ 83.895450][ T5206] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 83.900658][ T5206] ? lock_vma_under_rcu+0x5df/0x6f0 [ 83.905850][ T5206] ? lock_vma_under_rcu+0x187/0x6f0 [ 83.911062][ T5206] ? exc_page_fault+0x10f/0x860 [ 83.915915][ T5206] exc_page_fault+0x455/0x860 [ 83.920589][ T5206] asm_exc_page_fault+0x26/0x30 [ 83.925442][ T5206] RIP: 0033:0x7f794735bc53 [ 83.929849][ T5206] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 83.949637][ T5206] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5205] munmap(0x7f793ef10000, 2097152) = 0 [pid 5205] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 83.955709][ T5206] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 83.963787][ T5206] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 83.972471][ T5206] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 83.980535][ T5206] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 83.988512][ T5206] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 83.996584][ T5206] [ 83.999850][ T5206] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5205] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5205] close(3) = 0 [pid 5205] mkdir("./file0", 0777) = 0 [pid 5205] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5206] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5205] <... mount resumed>) = 0 [pid 5205] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5205] chdir("./file0") = 0 [pid 5205] ioctl(6, LOOP_CLR_FD) = 0 [pid 5205] close(6) = 0 [pid 5205] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5206] <... write resumed>) = 2097152 [pid 5205] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5206] munmap(0x7f7936b10000, 2097152) = 0 [pid 5206] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5206] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5206] ioctl(6, LOOP_CLR_FD) = 0 [pid 5206] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [ 84.014012][ T5205] loop0: detected capacity change from 0 to 4096 [ 84.031487][ T5205] ntfs: volume version 12.0. [pid 5206] close(6) = 0 [pid 5206] close(5) = 0 [pid 5206] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5204] <... futex resumed>) = 0 [pid 5206] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5204] exit_group(0) = ? [pid 5205] <... futex resumed>) = ? [pid 5206] <... futex resumed>) = ? [pid 5205] +++ exited with 0 +++ [pid 5206] +++ exited with 0 +++ [pid 5204] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5204, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./57", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./57/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./57/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./57/binderfs") = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./57/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./57/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./57") = 0 mkdir("./58", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5207 ./strace-static-x86_64: Process 5207 attached [pid 5207] set_robust_list(0x555555f176a0, 24) = 0 [pid 5207] chdir("./58") = 0 [pid 5207] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5207] setpgid(0, 0) = 0 [pid 5207] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5207] write(3, "1000", 4) = 4 [pid 5207] close(3) = 0 [pid 5207] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5207] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5207] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5207] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5207] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5207] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5207] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5207] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5208 attached [pid 5208] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5207] <... clone3 resumed> => {parent_tid=[5208]}, 88) = 5208 [pid 5208] <... rseq resumed>) = 0 [pid 5208] set_robust_list(0x7f79473519a0, 24 [pid 5207] rt_sigprocmask(SIG_SETMASK, [], [pid 5208] <... set_robust_list resumed>) = 0 [pid 5208] rt_sigprocmask(SIG_SETMASK, [], [pid 5207] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5208] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5207] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5207] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5207] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5208] memfd_create("syzkaller", 0 [pid 5207] <... mmap resumed>) = 0x7f7947310000 [pid 5208] <... memfd_create resumed>) = 3 [pid 5208] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5207] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5207] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5207] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5209 attached => {parent_tid=[5209]}, 88) = 5209 [pid 5207] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5207] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5207] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5209] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5209] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5209] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5209] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5209] write(4, "85", 2) = 2 [pid 5209] memfd_create("syzkaller", 0) = 5 [pid 5209] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5208] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 84.172026][ T5209] FAULT_INJECTION: forcing a failure. [ 84.172026][ T5209] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 84.186072][ T5209] CPU: 1 PID: 5209 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 84.196696][ T5209] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 84.206855][ T5209] Call Trace: [ 84.210134][ T5209] [ 84.213058][ T5209] dump_stack_lvl+0x1e7/0x2d0 [ 84.217733][ T5209] ? nf_tcp_handle_invalid+0x650/0x650 [ 84.223272][ T5209] ? panic+0x770/0x770 [ 84.227343][ T5209] should_fail_ex+0x3aa/0x4e0 [ 84.232073][ T5209] prepare_alloc_pages+0x1d9/0x5b0 [ 84.237201][ T5209] __alloc_pages+0x165/0x670 [ 84.241796][ T5209] ? zone_statistics+0x170/0x170 [ 84.246747][ T5209] ? verify_lock_unused+0x140/0x140 [ 84.252050][ T5209] ? handle_mm_fault+0x11d/0x62b0 [ 84.257106][ T5209] ? __lock_acquire+0x7f70/0x7f70 [ 84.262121][ T5209] ? pte_offset_map_nolock+0x137/0x1e0 [ 84.267581][ T5209] __folio_alloc+0x13/0x30 [ 84.272512][ T5209] vma_alloc_folio+0x48a/0x9a0 [ 84.277295][ T5209] handle_mm_fault+0x2376/0x62b0 [ 84.282334][ T5209] ? handle_mm_fault+0x11d/0x62b0 [ 84.287378][ T5209] ? numa_migrate_prep+0x380/0x380 [ 84.292490][ T5209] ? mtree_range_walk+0x6a0/0x7e0 [ 84.297535][ T5209] ? lock_vma_under_rcu+0x187/0x6f0 [ 84.302774][ T5209] ? __lock_acquire+0x7f70/0x7f70 [ 84.308220][ T5209] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 84.313419][ T5209] ? lock_vma_under_rcu+0x5df/0x6f0 [ 84.318629][ T5209] ? lock_vma_under_rcu+0x187/0x6f0 [ 84.323851][ T5209] ? exc_page_fault+0x10f/0x860 [ 84.328699][ T5209] exc_page_fault+0x455/0x860 [ 84.333370][ T5209] asm_exc_page_fault+0x26/0x30 [ 84.338241][ T5209] RIP: 0033:0x7f794735bc53 [ 84.342921][ T5209] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 84.362523][ T5209] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5208] munmap(0x7f793ef10000, 2097152) = 0 [pid 5208] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 84.368601][ T5209] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 84.376631][ T5209] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 84.384600][ T5209] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 84.392566][ T5209] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 84.400538][ T5209] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 84.408634][ T5209] [pid 5208] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5208] close(3) = 0 [pid 5208] mkdir("./file0", 0777) = 0 [pid 5208] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [ 84.421538][ T5208] loop0: detected capacity change from 0 to 4096 [pid 5209] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5208] <... mount resumed>) = 0 [pid 5208] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5208] chdir("./file0") = 0 [pid 5208] ioctl(6, LOOP_CLR_FD) = 0 [pid 5208] close(6) = 0 [pid 5208] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5209] <... write resumed>) = 2097152 [pid 5209] munmap(0x7f7936b10000, 2097152) = 0 [pid 5209] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5209] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5209] ioctl(6, LOOP_CLR_FD) = 0 [pid 5208] <... futex resumed>) = 0 [pid 5208] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5209] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5209] close(6) = 0 [pid 5209] close(5) = 0 [pid 5209] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5209] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5207] <... futex resumed>) = 0 [pid 5207] exit_group(0 [pid 5208] <... futex resumed>) = ? [pid 5209] <... futex resumed>) = ? [pid 5208] +++ exited with 0 +++ [pid 5209] +++ exited with 0 +++ [pid 5207] <... exit_group resumed>) = ? [ 84.447181][ T5208] ntfs: volume version 12.0. [pid 5207] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5207, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=14 /* 0.14 s */} --- umount2("./58", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./58/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./58/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./58/binderfs") = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./58/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./58/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./58") = 0 mkdir("./59", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5210 attached [pid 5210] set_robust_list(0x555555f176a0, 24) = 0 [pid 5210] chdir("./59") = 0 [pid 5210] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5210] setpgid(0, 0) = 0 [pid 5210] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5210] write(3, "1000", 4) = 4 [pid 5210] close(3) = 0 [pid 5210] symlink("/dev/binderfs", "./binderfs" [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5210 [pid 5210] <... symlink resumed>) = 0 [pid 5210] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5210] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5210] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5210] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5210] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5210] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5210] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5211 attached => {parent_tid=[5211]}, 88) = 5211 [pid 5211] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5210] rt_sigprocmask(SIG_SETMASK, [], [pid 5211] set_robust_list(0x7f79473519a0, 24 [pid 5210] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5211] <... set_robust_list resumed>) = 0 [pid 5210] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5211] rt_sigprocmask(SIG_SETMASK, [], [pid 5210] <... futex resumed>) = 0 [pid 5211] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5210] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5211] memfd_create("syzkaller", 0 [pid 5210] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5211] <... memfd_create resumed>) = 3 [pid 5210] <... mmap resumed>) = 0x7f7947310000 [pid 5211] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5210] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5211] <... mmap resumed>) = 0x7f793ef10000 [pid 5210] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5210] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5212]}, 88) = 5212 [pid 5210] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5210] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5210] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5212 attached [pid 5212] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5212] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5212] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5212] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5212] write(4, "85", 2) = 2 [pid 5212] memfd_create("syzkaller", 0) = 5 [pid 5212] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5211] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 84.584153][ T5212] FAULT_INJECTION: forcing a failure. [ 84.584153][ T5212] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 84.598223][ T5212] CPU: 0 PID: 5212 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 84.608786][ T5212] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 84.619056][ T5212] Call Trace: [ 84.622369][ T5212] [ 84.625317][ T5212] dump_stack_lvl+0x1e7/0x2d0 [ 84.630017][ T5212] ? nf_tcp_handle_invalid+0x650/0x650 [ 84.635471][ T5212] ? panic+0x770/0x770 [ 84.639546][ T5212] should_fail_ex+0x3aa/0x4e0 [ 84.644226][ T5212] prepare_alloc_pages+0x1d9/0x5b0 [ 84.649426][ T5212] __alloc_pages+0x165/0x670 [ 84.654015][ T5212] ? zone_statistics+0x170/0x170 [ 84.658969][ T5212] ? verify_lock_unused+0x140/0x140 [ 84.664192][ T5212] ? handle_mm_fault+0x11d/0x62b0 [ 84.669240][ T5212] ? __lock_acquire+0x7f70/0x7f70 [ 84.674264][ T5212] ? pte_offset_map_nolock+0x137/0x1e0 [ 84.679763][ T5212] __folio_alloc+0x13/0x30 [ 84.684188][ T5212] vma_alloc_folio+0x48a/0x9a0 [ 84.688974][ T5212] handle_mm_fault+0x2376/0x62b0 [ 84.694288][ T5212] ? handle_mm_fault+0x11d/0x62b0 [ 84.699315][ T5212] ? numa_migrate_prep+0x380/0x380 [ 84.704426][ T5212] ? mtree_range_walk+0x6a0/0x7e0 [ 84.709455][ T5212] ? lock_vma_under_rcu+0x187/0x6f0 [ 84.714655][ T5212] ? __lock_acquire+0x7f70/0x7f70 [ 84.719684][ T5212] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 84.724884][ T5212] ? lock_vma_under_rcu+0x5df/0x6f0 [ 84.730099][ T5212] ? lock_vma_under_rcu+0x187/0x6f0 [ 84.735317][ T5212] ? exc_page_fault+0x10f/0x860 [ 84.740269][ T5212] exc_page_fault+0x455/0x860 [ 84.744986][ T5212] asm_exc_page_fault+0x26/0x30 [ 84.749834][ T5212] RIP: 0033:0x7f794735bc53 [ 84.754266][ T5212] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 84.773884][ T5212] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5211] munmap(0x7f793ef10000, 2097152) = 0 [pid 5211] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 84.779983][ T5212] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 84.787945][ T5212] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 84.795911][ T5212] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 84.803886][ T5212] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 84.811858][ T5212] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 84.819831][ T5212] [pid 5211] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5211] close(3) = 0 [pid 5211] mkdir("./file0", 0777 [pid 5212] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5211] <... mkdir resumed>) = 0 [pid 5211] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5211] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5211] chdir("./file0") = 0 [pid 5211] ioctl(6, LOOP_CLR_FD) = 0 [pid 5211] close(6) = 0 [pid 5211] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5211] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5212] <... write resumed>) = 2097152 [pid 5212] munmap(0x7f7936b10000, 2097152) = 0 [pid 5212] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5212] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5212] ioctl(6, LOOP_CLR_FD) = 0 [pid 5212] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5212] close(6) = 0 [pid 5212] close(5) = 0 [pid 5212] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5212] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5210] <... futex resumed>) = 0 [pid 5210] exit_group(0 [pid 5212] <... futex resumed>) = ? [pid 5212] +++ exited with 0 +++ [pid 5211] <... futex resumed>) = ? [pid 5210] <... exit_group resumed>) = ? [pid 5211] +++ exited with 0 +++ [ 84.837718][ T5211] loop0: detected capacity change from 0 to 4096 [ 84.852942][ T5211] ntfs: volume version 12.0. [pid 5210] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5210, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./59", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./59/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./59/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./59/binderfs") = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./59/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./59/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./59") = 0 mkdir("./60", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5213 attached , child_tidptr=0x555555f17690) = 5213 [pid 5213] set_robust_list(0x555555f176a0, 24) = 0 [pid 5213] chdir("./60") = 0 [pid 5213] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5213] setpgid(0, 0) = 0 [pid 5213] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5213] write(3, "1000", 4) = 4 [pid 5213] close(3) = 0 [pid 5213] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5213] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5213] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5213] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5213] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5213] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5213] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5213] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5214 attached [pid 5214] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5213] <... clone3 resumed> => {parent_tid=[5214]}, 88) = 5214 [pid 5213] rt_sigprocmask(SIG_SETMASK, [], [pid 5214] <... rseq resumed>) = 0 [pid 5214] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5213] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5213] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5213] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5213] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5214] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5213] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5214] memfd_create("syzkaller", 0) = 3 [pid 5214] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5213] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5214] <... mmap resumed>) = 0x7f793ef10000 [pid 5213] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5213] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5215 attached [pid 5215] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5213] <... clone3 resumed> => {parent_tid=[5215]}, 88) = 5215 [pid 5215] set_robust_list(0x7f79473309a0, 24 [pid 5213] rt_sigprocmask(SIG_SETMASK, [], [pid 5215] <... set_robust_list resumed>) = 0 [pid 5213] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5213] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5215] rt_sigprocmask(SIG_SETMASK, [], [pid 5213] <... futex resumed>) = 0 [pid 5215] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5213] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5215] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5215] write(4, "85", 2) = 2 [pid 5215] memfd_create("syzkaller", 0) = 5 [pid 5215] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5214] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 84.988146][ T5215] FAULT_INJECTION: forcing a failure. [ 84.988146][ T5215] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 85.001719][ T5215] CPU: 0 PID: 5215 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 85.012156][ T5215] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 85.022222][ T5215] Call Trace: [ 85.025486][ T5215] [ 85.028405][ T5215] dump_stack_lvl+0x1e7/0x2d0 [ 85.033087][ T5215] ? nf_tcp_handle_invalid+0x650/0x650 [ 85.038550][ T5215] ? panic+0x770/0x770 [ 85.042629][ T5215] should_fail_ex+0x3aa/0x4e0 [ 85.047313][ T5215] prepare_alloc_pages+0x1d9/0x5b0 [ 85.052458][ T5215] __alloc_pages+0x165/0x670 [ 85.057172][ T5215] ? zone_statistics+0x170/0x170 [ 85.062123][ T5215] ? verify_lock_unused+0x140/0x140 [ 85.067326][ T5215] ? handle_mm_fault+0x11d/0x62b0 [ 85.072372][ T5215] ? __lock_acquire+0x7f70/0x7f70 [ 85.077415][ T5215] ? pte_offset_map_nolock+0x137/0x1e0 [ 85.082883][ T5215] __folio_alloc+0x13/0x30 [ 85.087305][ T5215] vma_alloc_folio+0x48a/0x9a0 [ 85.092078][ T5215] handle_mm_fault+0x2376/0x62b0 [ 85.097035][ T5215] ? handle_mm_fault+0x11d/0x62b0 [ 85.102072][ T5215] ? numa_migrate_prep+0x380/0x380 [ 85.107190][ T5215] ? mtree_range_walk+0x6a0/0x7e0 [ 85.112209][ T5215] ? lock_vma_under_rcu+0x187/0x6f0 [ 85.117430][ T5215] ? __lock_acquire+0x7f70/0x7f70 [ 85.122445][ T5215] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 85.127653][ T5215] ? lock_vma_under_rcu+0x5df/0x6f0 [ 85.132849][ T5215] ? lock_vma_under_rcu+0x187/0x6f0 [ 85.138056][ T5215] ? exc_page_fault+0x10f/0x860 [ 85.142904][ T5215] exc_page_fault+0x455/0x860 [ 85.147582][ T5215] asm_exc_page_fault+0x26/0x30 [ 85.152528][ T5215] RIP: 0033:0x7f794735bc53 [ 85.157026][ T5215] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 85.176639][ T5215] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 85.182701][ T5215] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 85.190663][ T5215] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 85.198627][ T5215] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 85.206587][ T5215] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 85.214636][ T5215] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 85.223570][ T5215] [ 85.231148][ T5215] pagefault_out_of_memory: 2 callbacks suppressed [pid 5214] munmap(0x7f793ef10000, 2097152) = 0 [pid 5214] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5214] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5215] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5214] close(3) = 0 [pid 5214] mkdir("./file0", 0777) = 0 [pid 5214] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5214] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5214] chdir("./file0") = 0 [pid 5214] ioctl(6, LOOP_CLR_FD) = 0 [pid 5214] close(6) = 0 [pid 5214] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5214] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5215] <... write resumed>) = 2097152 [pid 5215] munmap(0x7f7936b10000, 2097152) = 0 [pid 5215] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5215] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5215] ioctl(6, LOOP_CLR_FD) = 0 [pid 5215] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5215] close(6) = 0 [pid 5215] close(5) = 0 [pid 5215] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5213] <... futex resumed>) = 0 [pid 5213] exit_group(0 [pid 5215] <... futex resumed>) = 1 [pid 5215] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5214] <... futex resumed>) = ? [pid 5213] <... exit_group resumed>) = ? [pid 5215] <... futex resumed>) = ? [pid 5215] +++ exited with 0 +++ [pid 5214] +++ exited with 0 +++ [pid 5213] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5213, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=14 /* 0.14 s */} --- umount2("./60", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./60/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./60/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./60/binderfs") = 0 [ 85.231162][ T5215] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 85.249169][ T5214] loop0: detected capacity change from 0 to 4096 [ 85.270546][ T5214] ntfs: volume version 12.0. umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./60/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./60/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./60") = 0 mkdir("./61", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5216 attached , child_tidptr=0x555555f17690) = 5216 [pid 5216] set_robust_list(0x555555f176a0, 24) = 0 [pid 5216] chdir("./61") = 0 [pid 5216] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5216] setpgid(0, 0) = 0 [pid 5216] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5216] write(3, "1000", 4) = 4 [pid 5216] close(3) = 0 [pid 5216] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5216] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5216] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5216] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5216] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5216] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5216] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5216] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5217 attached [pid 5217] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5217] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5217] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5217] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5216] <... clone3 resumed> => {parent_tid=[5217]}, 88) = 5217 [pid 5216] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5216] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5217] <... futex resumed>) = 0 [pid 5216] <... futex resumed>) = 1 [pid 5217] memfd_create("syzkaller", 0 [pid 5216] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5216] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5217] <... memfd_create resumed>) = 3 [pid 5216] <... mmap resumed>) = 0x7f7947310000 [pid 5217] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5216] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5216] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5216] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5217] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152./strace-static-x86_64: Process 5218 attached [pid 5218] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5218] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5218] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5218] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5216] <... clone3 resumed> => {parent_tid=[5218]}, 88) = 5218 [pid 5216] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5216] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5218] <... futex resumed>) = 0 [pid 5216] <... futex resumed>) = 1 [pid 5218] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5216] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5218] <... openat resumed>) = 4 [pid 5218] write(4, "85", 2) = 2 [pid 5218] memfd_create("syzkaller", 0) = 5 [pid 5218] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5217] <... write resumed>) = 2097152 [ 85.418094][ T5218] FAULT_INJECTION: forcing a failure. [ 85.418094][ T5218] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 85.431423][ T5218] CPU: 1 PID: 5218 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 85.441830][ T5218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 85.451904][ T5218] Call Trace: [ 85.455176][ T5218] [ 85.458108][ T5218] dump_stack_lvl+0x1e7/0x2d0 [ 85.462798][ T5218] ? nf_tcp_handle_invalid+0x650/0x650 [ 85.468247][ T5218] ? panic+0x770/0x770 [ 85.472329][ T5218] should_fail_ex+0x3aa/0x4e0 [ 85.477010][ T5218] prepare_alloc_pages+0x1d9/0x5b0 [ 85.482120][ T5218] __alloc_pages+0x165/0x670 [ 85.486705][ T5218] ? zone_statistics+0x170/0x170 [ 85.491678][ T5218] ? verify_lock_unused+0x140/0x140 [ 85.496908][ T5218] ? handle_mm_fault+0x11d/0x62b0 [ 85.501928][ T5218] ? __lock_acquire+0x7f70/0x7f70 [ 85.506976][ T5218] ? pte_offset_map_nolock+0x137/0x1e0 [ 85.512463][ T5218] __folio_alloc+0x13/0x30 [ 85.516907][ T5218] vma_alloc_folio+0x48a/0x9a0 [ 85.521664][ T5218] handle_mm_fault+0x2376/0x62b0 [ 85.526607][ T5218] ? handle_mm_fault+0x11d/0x62b0 [ 85.531734][ T5218] ? numa_migrate_prep+0x380/0x380 [ 85.536869][ T5218] ? mtree_range_walk+0x6a0/0x7e0 [ 85.542002][ T5218] ? lock_vma_under_rcu+0x187/0x6f0 [ 85.547203][ T5218] ? __lock_acquire+0x7f70/0x7f70 [ 85.552233][ T5218] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 85.557460][ T5218] ? lock_vma_under_rcu+0x5df/0x6f0 [ 85.562656][ T5218] ? lock_vma_under_rcu+0x187/0x6f0 [ 85.567884][ T5218] ? exc_page_fault+0x10f/0x860 [ 85.572756][ T5218] exc_page_fault+0x455/0x860 [ 85.577431][ T5218] asm_exc_page_fault+0x26/0x30 [ 85.582278][ T5218] RIP: 0033:0x7f794735bc53 [ 85.586698][ T5218] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 85.606297][ T5218] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 85.612367][ T5218] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 85.620344][ T5218] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 85.628308][ T5218] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 85.636272][ T5218] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 85.644275][ T5218] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 85.652269][ T5218] [ 85.655482][ T5218] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5217] munmap(0x7f793ef10000, 2097152) = 0 [pid 5217] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5217] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5217] close(3) = 0 [pid 5217] mkdir("./file0", 0777) = 0 [pid 5217] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5218] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5217] <... mount resumed>) = 0 [pid 5217] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5217] chdir("./file0") = 0 [pid 5217] ioctl(6, LOOP_CLR_FD [pid 5218] <... write resumed>) = 2097152 [pid 5218] munmap(0x7f7936b10000, 2097152 [pid 5217] <... ioctl resumed>) = 0 [pid 5217] close(6) = 0 [pid 5217] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5217] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5218] <... munmap resumed>) = 0 [pid 5218] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5218] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5218] ioctl(6, LOOP_CLR_FD) = 0 [pid 5218] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5218] close(6) = 0 [pid 5218] close(5) = 0 [pid 5218] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5216] <... futex resumed>) = 0 [pid 5216] exit_group(0) = ? [pid 5217] <... futex resumed>) = ? [pid 5217] +++ exited with 0 +++ [pid 5218] <... futex resumed>) = ? [pid 5218] +++ exited with 0 +++ [pid 5216] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5216, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./61", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./61/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./61/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./61/binderfs") = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./61/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 [ 85.671223][ T5217] loop0: detected capacity change from 0 to 4096 [ 85.692915][ T5217] ntfs: volume version 12.0. getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./61/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./61") = 0 mkdir("./62", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5219 ./strace-static-x86_64: Process 5219 attached [pid 5219] set_robust_list(0x555555f176a0, 24) = 0 [pid 5219] chdir("./62") = 0 [pid 5219] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5219] setpgid(0, 0) = 0 [pid 5219] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5219] write(3, "1000", 4) = 4 [pid 5219] close(3) = 0 [pid 5219] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5219] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5219] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5219] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5219] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5219] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5219] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5219] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5220 attached [pid 5220] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5219] <... clone3 resumed> => {parent_tid=[5220]}, 88) = 5220 [pid 5220] <... rseq resumed>) = 0 [pid 5219] rt_sigprocmask(SIG_SETMASK, [], [pid 5220] set_robust_list(0x7f79473519a0, 24 [pid 5219] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5220] <... set_robust_list resumed>) = 0 [pid 5219] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5220] rt_sigprocmask(SIG_SETMASK, [], [pid 5219] <... futex resumed>) = 0 [pid 5220] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5219] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5220] memfd_create("syzkaller", 0 [pid 5219] <... futex resumed>) = 0 [pid 5219] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5219] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5219] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5219] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5220] <... memfd_create resumed>) = 3 ./strace-static-x86_64: Process 5221 attached [pid 5221] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5219] <... clone3 resumed> => {parent_tid=[5221]}, 88) = 5221 [pid 5221] <... rseq resumed>) = 0 [pid 5220] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5219] rt_sigprocmask(SIG_SETMASK, [], [pid 5221] set_robust_list(0x7f79473309a0, 24 [pid 5220] <... mmap resumed>) = 0x7f793ef10000 [pid 5219] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5221] <... set_robust_list resumed>) = 0 [pid 5221] rt_sigprocmask(SIG_SETMASK, [], [pid 5219] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5221] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5219] <... futex resumed>) = 0 [pid 5221] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5219] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5221] <... openat resumed>) = 4 [pid 5221] write(4, "85", 2) = 2 [pid 5221] memfd_create("syzkaller", 0) = 5 [pid 5221] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5220] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 85.839141][ T5221] FAULT_INJECTION: forcing a failure. [ 85.839141][ T5221] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 85.852843][ T5221] CPU: 1 PID: 5221 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 85.863366][ T5221] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 85.873441][ T5221] Call Trace: [ 85.876738][ T5221] [ 85.879775][ T5221] dump_stack_lvl+0x1e7/0x2d0 [ 85.884465][ T5221] ? nf_tcp_handle_invalid+0x650/0x650 [ 85.889939][ T5221] ? panic+0x770/0x770 [ 85.894032][ T5221] should_fail_ex+0x3aa/0x4e0 [ 85.898705][ T5221] prepare_alloc_pages+0x1d9/0x5b0 [ 85.903816][ T5221] __alloc_pages+0x165/0x670 [ 85.908406][ T5221] ? zone_statistics+0x170/0x170 [ 85.913346][ T5221] ? verify_lock_unused+0x140/0x140 [ 85.918535][ T5221] ? handle_mm_fault+0x11d/0x62b0 [ 85.923585][ T5221] ? __lock_acquire+0x7f70/0x7f70 [ 85.928613][ T5221] ? pte_offset_map_nolock+0x137/0x1e0 [ 85.934087][ T5221] __folio_alloc+0x13/0x30 [ 85.938510][ T5221] vma_alloc_folio+0x48a/0x9a0 [ 85.943282][ T5221] handle_mm_fault+0x2376/0x62b0 [ 85.948229][ T5221] ? handle_mm_fault+0x11d/0x62b0 [ 85.953270][ T5221] ? numa_migrate_prep+0x380/0x380 [ 85.958401][ T5221] ? mtree_range_walk+0x6a0/0x7e0 [ 85.963433][ T5221] ? lock_vma_under_rcu+0x187/0x6f0 [ 85.968814][ T5221] ? __lock_acquire+0x7f70/0x7f70 [ 85.973943][ T5221] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 85.979250][ T5221] ? lock_vma_under_rcu+0x5df/0x6f0 [ 85.984572][ T5221] ? lock_vma_under_rcu+0x187/0x6f0 [ 85.989792][ T5221] ? exc_page_fault+0x10f/0x860 [ 85.994646][ T5221] exc_page_fault+0x455/0x860 [ 85.999331][ T5221] asm_exc_page_fault+0x26/0x30 [ 86.004177][ T5221] RIP: 0033:0x7f794735bc53 [ 86.008590][ T5221] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 86.028365][ T5221] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 86.034427][ T5221] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 86.042389][ T5221] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 86.050351][ T5221] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 86.058327][ T5221] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 86.066289][ T5221] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 86.074271][ T5221] [ 86.077713][ T5221] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5220] munmap(0x7f793ef10000, 2097152) = 0 [pid 5220] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5220] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5220] close(3) = 0 [pid 5220] mkdir("./file0", 0777) = 0 [pid 5220] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5221] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5220] <... mount resumed>) = 0 [pid 5220] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5220] chdir("./file0") = 0 [pid 5220] ioctl(6, LOOP_CLR_FD) = 0 [pid 5220] close(6) = 0 [pid 5220] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5220] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5221] <... write resumed>) = 2097152 [ 86.090997][ T5220] loop0: detected capacity change from 0 to 4096 [ 86.108090][ T5220] ntfs: volume version 12.0. [pid 5221] munmap(0x7f7936b10000, 2097152) = 0 [pid 5221] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5221] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5221] ioctl(6, LOOP_CLR_FD) = 0 [pid 5221] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5221] close(6) = 0 [pid 5221] close(5) = 0 [pid 5221] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5219] <... futex resumed>) = 0 [pid 5219] exit_group(0) = ? [pid 5220] <... futex resumed>) = ? [pid 5220] +++ exited with 0 +++ [pid 5221] <... futex resumed>) = ? [pid 5221] +++ exited with 0 +++ [pid 5219] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5219, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./62", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./62/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./62/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./62/binderfs") = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./62/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./62/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./62") = 0 mkdir("./63", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5222 attached , child_tidptr=0x555555f17690) = 5222 [pid 5222] set_robust_list(0x555555f176a0, 24) = 0 [pid 5222] chdir("./63") = 0 [pid 5222] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5222] setpgid(0, 0) = 0 [pid 5222] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5222] write(3, "1000", 4) = 4 [pid 5222] close(3) = 0 [pid 5222] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5222] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5222] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5222] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5222] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5222] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5222] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5223 attached [pid 5223] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5222] <... clone3 resumed> => {parent_tid=[5223]}, 88) = 5223 [pid 5223] <... rseq resumed>) = 0 [pid 5222] rt_sigprocmask(SIG_SETMASK, [], [pid 5223] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5222] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5223] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5222] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5223] memfd_create("syzkaller", 0 [pid 5222] <... futex resumed>) = 0 [pid 5222] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5222] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5222] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5222] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5224]}, 88) = 5224 [pid 5222] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5222] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5223] <... memfd_create resumed>) = 3 [pid 5222] <... futex resumed>) = 0 [pid 5222] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5223] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 ./strace-static-x86_64: Process 5224 attached [pid 5224] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5224] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5224] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5224] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5224] write(4, "85", 2) = 2 [pid 5224] memfd_create("syzkaller", 0) = 5 [pid 5224] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5223] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 86.270545][ T5224] FAULT_INJECTION: forcing a failure. [ 86.270545][ T5224] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 86.284238][ T5224] CPU: 1 PID: 5224 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 86.294765][ T5224] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 86.304838][ T5224] Call Trace: [ 86.308109][ T5224] [ 86.311034][ T5224] dump_stack_lvl+0x1e7/0x2d0 [ 86.315721][ T5224] ? nf_tcp_handle_invalid+0x650/0x650 [ 86.321374][ T5224] ? panic+0x770/0x770 [ 86.325487][ T5224] should_fail_ex+0x3aa/0x4e0 [ 86.330178][ T5224] prepare_alloc_pages+0x1d9/0x5b0 [ 86.335306][ T5224] __alloc_pages+0x165/0x670 [ 86.340006][ T5224] ? zone_statistics+0x170/0x170 [ 86.345032][ T5224] ? verify_lock_unused+0x140/0x140 [ 86.350234][ T5224] ? handle_mm_fault+0x11d/0x62b0 [ 86.355261][ T5224] ? __lock_acquire+0x7f70/0x7f70 [ 86.360275][ T5224] ? pte_offset_map_nolock+0x137/0x1e0 [ 86.365732][ T5224] __folio_alloc+0x13/0x30 [ 86.370250][ T5224] vma_alloc_folio+0x48a/0x9a0 [ 86.375014][ T5224] handle_mm_fault+0x2376/0x62b0 [ 86.380046][ T5224] ? handle_mm_fault+0x11d/0x62b0 [ 86.385168][ T5224] ? numa_migrate_prep+0x380/0x380 [ 86.390292][ T5224] ? mtree_range_walk+0x6a0/0x7e0 [ 86.395348][ T5224] ? lock_vma_under_rcu+0x187/0x6f0 [ 86.400722][ T5224] ? __lock_acquire+0x7f70/0x7f70 [ 86.405740][ T5224] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 86.410960][ T5224] ? lock_vma_under_rcu+0x5df/0x6f0 [ 86.416159][ T5224] ? lock_vma_under_rcu+0x187/0x6f0 [ 86.421370][ T5224] ? exc_page_fault+0x10f/0x860 [ 86.426223][ T5224] exc_page_fault+0x455/0x860 [ 86.430916][ T5224] asm_exc_page_fault+0x26/0x30 [ 86.435765][ T5224] RIP: 0033:0x7f794735bc53 [ 86.440184][ T5224] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 86.459781][ T5224] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5223] munmap(0x7f793ef10000, 2097152) = 0 [pid 5223] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 86.465842][ T5224] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 86.473806][ T5224] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 86.481776][ T5224] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 86.489840][ T5224] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 86.497910][ T5224] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 86.505886][ T5224] [ 86.509471][ T5224] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5223] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5223] close(3) = 0 [pid 5223] mkdir("./file0", 0777) = 0 [pid 5223] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5224] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5224] munmap(0x7f7936b10000, 2097152) = 0 [pid 5224] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 86.525344][ T5223] loop0: detected capacity change from 0 to 4096 [ 86.541376][ T5223] __ntfs_error: 202 callbacks suppressed [ 86.541401][ T5223] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 86.558240][ T5223] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5224] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5224] ioctl(3, LOOP_CLR_FD) = 0 [pid 5224] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5224] close(3) = 0 [pid 5224] close(5) = 0 [pid 5224] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5224] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5222] <... futex resumed>) = 0 [ 86.571672][ T5223] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 86.587022][ T5223] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 86.596762][ T5223] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 86.606702][ T5223] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [pid 5223] <... mount resumed>) = 0 [pid 5223] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5223] chdir("./file0") = 0 [pid 5223] ioctl(6, LOOP_CLR_FD) = 0 [pid 5223] close(6) = 0 [pid 5223] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5223] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5222] exit_group(0 [pid 5224] <... futex resumed>) = ? [pid 5222] <... exit_group resumed>) = ? [pid 5224] +++ exited with 0 +++ [pid 5223] <... futex resumed>) = ? [pid 5223] +++ exited with 0 +++ [pid 5222] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5222, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=23 /* 0.23 s */} --- umount2("./63", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./63/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./63/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./63/binderfs") = 0 [ 86.620057][ T5223] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 86.632590][ T5223] ntfs: volume version 12.0. [ 86.637354][ T5223] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 86.645908][ T5223] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 86.658939][ T5223] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./63/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./63/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./63") = 0 mkdir("./64", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5225 attached , child_tidptr=0x555555f17690) = 5225 [pid 5225] set_robust_list(0x555555f176a0, 24) = 0 [pid 5225] chdir("./64") = 0 [pid 5225] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5225] setpgid(0, 0) = 0 [pid 5225] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5225] write(3, "1000", 4) = 4 [pid 5225] close(3) = 0 [pid 5225] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5225] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5225] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5225] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5225] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5225] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5225] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5225] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5226 attached [pid 5226] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5225] <... clone3 resumed> => {parent_tid=[5226]}, 88) = 5226 [pid 5226] <... rseq resumed>) = 0 [pid 5226] set_robust_list(0x7f79473519a0, 24 [pid 5225] rt_sigprocmask(SIG_SETMASK, [], [pid 5226] <... set_robust_list resumed>) = 0 [pid 5226] rt_sigprocmask(SIG_SETMASK, [], [pid 5225] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5226] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5225] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5225] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5225] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5225] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5225] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5226] memfd_create("syzkaller", 0 [pid 5225] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5225] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5227 attached [pid 5227] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5227] set_robust_list(0x7f79473309a0, 24 [pid 5225] <... clone3 resumed> => {parent_tid=[5227]}, 88) = 5227 [pid 5227] <... set_robust_list resumed>) = 0 [pid 5227] rt_sigprocmask(SIG_SETMASK, [], [pid 5225] rt_sigprocmask(SIG_SETMASK, [], [pid 5227] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5225] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5227] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5225] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5227] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5225] <... futex resumed>) = 0 [pid 5226] <... memfd_create resumed>) = 3 [pid 5225] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5226] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5227] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5226] <... mmap resumed>) = 0x7f793ef10000 [pid 5226] munmap(0x7f793ef10000, 138412032 [pid 5227] <... openat resumed>) = 4 [pid 5227] write(4, "85", 2) = 2 [pid 5227] memfd_create("syzkaller", 0) = 5 [pid 5227] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5226] <... munmap resumed>) = 0 [pid 5226] close(3) = 0 [pid 5226] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 86.764517][ T5227] FAULT_INJECTION: forcing a failure. [ 86.764517][ T5227] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 86.777973][ T5227] CPU: 0 PID: 5227 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 86.788487][ T5227] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 86.798554][ T5227] Call Trace: [ 86.801824][ T5227] [ 86.804753][ T5227] dump_stack_lvl+0x1e7/0x2d0 [ 86.809443][ T5227] ? nf_tcp_handle_invalid+0x650/0x650 [ 86.814899][ T5227] ? panic+0x770/0x770 [ 86.818982][ T5227] should_fail_ex+0x3aa/0x4e0 [ 86.823658][ T5227] prepare_alloc_pages+0x1d9/0x5b0 [ 86.828786][ T5227] __alloc_pages+0x165/0x670 [ 86.833388][ T5227] ? zone_statistics+0x170/0x170 [ 86.838318][ T5227] ? verify_lock_unused+0x140/0x140 [ 86.843513][ T5227] ? handle_mm_fault+0x11d/0x62b0 [ 86.849316][ T5227] ? __lock_acquire+0x7f70/0x7f70 [ 86.854341][ T5227] ? pte_offset_map_nolock+0x137/0x1e0 [ 86.859819][ T5227] __folio_alloc+0x13/0x30 [ 86.864236][ T5227] vma_alloc_folio+0x48a/0x9a0 [ 86.869026][ T5227] handle_mm_fault+0x2376/0x62b0 [ 86.873963][ T5227] ? handle_mm_fault+0x11d/0x62b0 [ 86.879001][ T5227] ? numa_migrate_prep+0x380/0x380 [ 86.884143][ T5227] ? mtree_range_walk+0x6a0/0x7e0 [ 86.889169][ T5227] ? lock_vma_under_rcu+0x187/0x6f0 [ 86.894368][ T5227] ? __lock_acquire+0x7f70/0x7f70 [ 86.899398][ T5227] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 86.904606][ T5227] ? lock_vma_under_rcu+0x5df/0x6f0 [ 86.909809][ T5227] ? lock_vma_under_rcu+0x187/0x6f0 [ 86.915024][ T5227] ? exc_page_fault+0x10f/0x860 [ 86.919893][ T5227] exc_page_fault+0x455/0x860 [ 86.924588][ T5227] asm_exc_page_fault+0x26/0x30 [ 86.929452][ T5227] RIP: 0033:0x7f794735bc53 [ 86.933869][ T5227] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 86.953466][ T5227] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5226] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5227] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5227] munmap(0x7f7936b10000, 2097152) = 0 [pid 5227] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 86.959528][ T5227] RAX: 0000000000087000 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 86.967496][ T5227] RDX: 00007f794732f8f0 RSI: 0000000000000002 RDI: 00007f794732f7f0 [ 86.975455][ T5227] RBP: 00000000000000ac R08: 0000000000000009 R09: 0000000000000127 [ 86.983433][ T5227] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 86.991409][ T5227] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f794732f7f0 [ 87.000015][ T5227] [ 87.003406][ T5227] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5227] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5227] close(5) = 0 [pid 5227] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5227] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5227] ioctl(3, LOOP_CLR_FD) = 0 [pid 5227] close(3) = 0 [pid 5227] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5225] <... futex resumed>) = 0 [pid 5227] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5225] exit_group(0 [pid 5226] <... futex resumed>) = ? [pid 5225] <... exit_group resumed>) = ? [pid 5227] <... futex resumed>) = ? [pid 5226] +++ exited with 0 +++ [pid 5227] +++ exited with 0 +++ [pid 5225] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5225, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} --- [ 87.037389][ T5227] loop0: detected capacity change from 0 to 4096 [ 87.053903][ T5227] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 87.061081][ T5227] ntfs3: loop0: Failed to load $AttrDef (-22) umount2("./64", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./64", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./64/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./64/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./64/binderfs") = 0 umount2("\x2e\x2f\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./64") = 0 mkdir("./65", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5228 attached [pid 5228] set_robust_list(0x555555f176a0, 24) = 0 [pid 5228] chdir("./65") = 0 [pid 5228] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5228 [pid 5228] <... prctl resumed>) = 0 [pid 5228] setpgid(0, 0) = 0 [pid 5228] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5228] write(3, "1000", 4) = 4 [pid 5228] close(3) = 0 [pid 5228] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5228] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5228] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5228] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5228] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5228] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5228] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5228] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5229 attached => {parent_tid=[5229]}, 88) = 5229 [pid 5229] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5228] rt_sigprocmask(SIG_SETMASK, [], [pid 5229] <... rseq resumed>) = 0 [pid 5228] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5229] set_robust_list(0x7f79473519a0, 24 [pid 5228] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5229] <... set_robust_list resumed>) = 0 [pid 5228] <... futex resumed>) = 0 [pid 5229] rt_sigprocmask(SIG_SETMASK, [], [pid 5228] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5229] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5228] <... futex resumed>) = 0 [pid 5228] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5228] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5229] memfd_create("syzkaller", 0 [pid 5228] <... mprotect resumed>) = 0 [pid 5229] <... memfd_create resumed>) = 3 [pid 5229] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5228] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5229] <... mmap resumed>) = 0x7f793ef10000 [pid 5228] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5228] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5230]}, 88) = 5230 [pid 5228] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5228] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5228] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5230 attached [pid 5230] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5230] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5230] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5230] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5230] write(4, "85", 2) = 2 [pid 5230] memfd_create("syzkaller", 0) = 5 [pid 5230] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5229] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 87.189272][ T5230] FAULT_INJECTION: forcing a failure. [ 87.189272][ T5230] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 87.204313][ T5230] CPU: 0 PID: 5230 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 87.214820][ T5230] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 87.224890][ T5230] Call Trace: [ 87.229379][ T5230] [ 87.232299][ T5230] dump_stack_lvl+0x1e7/0x2d0 [ 87.237059][ T5230] ? nf_tcp_handle_invalid+0x650/0x650 [ 87.243300][ T5230] ? panic+0x770/0x770 [ 87.247379][ T5230] should_fail_ex+0x3aa/0x4e0 [ 87.252068][ T5230] prepare_alloc_pages+0x1d9/0x5b0 [ 87.257193][ T5230] __alloc_pages+0x165/0x670 [ 87.261786][ T5230] ? zone_statistics+0x170/0x170 [ 87.266726][ T5230] ? verify_lock_unused+0x140/0x140 [ 87.271933][ T5230] ? handle_mm_fault+0x11d/0x62b0 [ 87.276966][ T5230] ? __lock_acquire+0x7f70/0x7f70 [ 87.281980][ T5230] ? pte_offset_map_nolock+0x137/0x1e0 [ 87.287545][ T5230] __folio_alloc+0x13/0x30 [ 87.291972][ T5230] vma_alloc_folio+0x48a/0x9a0 [ 87.296745][ T5230] handle_mm_fault+0x2376/0x62b0 [ 87.301686][ T5230] ? handle_mm_fault+0x11d/0x62b0 [ 87.306724][ T5230] ? numa_migrate_prep+0x380/0x380 [ 87.311842][ T5230] ? mtree_range_walk+0x6a0/0x7e0 [ 87.316859][ T5230] ? lock_vma_under_rcu+0x187/0x6f0 [ 87.322044][ T5230] ? __lock_acquire+0x7f70/0x7f70 [ 87.327069][ T5230] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 87.332270][ T5230] ? lock_vma_under_rcu+0x5df/0x6f0 [ 87.337465][ T5230] ? lock_vma_under_rcu+0x187/0x6f0 [ 87.342656][ T5230] ? exc_page_fault+0x10f/0x860 [ 87.347499][ T5230] exc_page_fault+0x455/0x860 [ 87.352169][ T5230] asm_exc_page_fault+0x26/0x30 [ 87.357005][ T5230] RIP: 0033:0x7f794735bc53 [ 87.361404][ T5230] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 87.381172][ T5230] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5229] munmap(0x7f793ef10000, 2097152) = 0 [pid 5229] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 87.387228][ T5230] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 87.395186][ T5230] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 87.403137][ T5230] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 87.411094][ T5230] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 87.419047][ T5230] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 87.427012][ T5230] [ 87.431043][ T5230] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5229] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5229] close(3) = 0 [pid 5229] mkdir("./file0", 0777) = 0 [pid 5229] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5230] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5229] <... mount resumed>) = 0 [pid 5229] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5229] chdir("./file0") = 0 [pid 5229] ioctl(6, LOOP_CLR_FD) = 0 [pid 5229] close(6) = 0 [pid 5229] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5229] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5230] <... write resumed>) = 2097152 [pid 5230] munmap(0x7f7936b10000, 2097152) = 0 [pid 5230] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5230] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5230] ioctl(6, LOOP_CLR_FD) = 0 [pid 5230] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5230] close(6) = 0 [ 87.444850][ T5229] loop0: detected capacity change from 0 to 4096 [ 87.461019][ T5229] ntfs: volume version 12.0. [pid 5230] close(5) = 0 [pid 5230] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5230] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5228] <... futex resumed>) = 0 [pid 5228] exit_group(0 [pid 5230] <... futex resumed>) = ? [pid 5229] <... futex resumed>) = ? [pid 5228] <... exit_group resumed>) = ? [pid 5230] +++ exited with 0 +++ [pid 5229] +++ exited with 0 +++ [pid 5228] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5228, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./65", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./65/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./65/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./65/binderfs") = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./65/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./65/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./65") = 0 mkdir("./66", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5231 attached , child_tidptr=0x555555f17690) = 5231 [pid 5231] set_robust_list(0x555555f176a0, 24) = 0 [pid 5231] chdir("./66") = 0 [pid 5231] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5231] setpgid(0, 0) = 0 [pid 5231] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5231] write(3, "1000", 4) = 4 [pid 5231] close(3) = 0 [pid 5231] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5231] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5231] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5231] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5231] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5231] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5231] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5231] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5232 attached => {parent_tid=[5232]}, 88) = 5232 [pid 5232] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5231] rt_sigprocmask(SIG_SETMASK, [], [pid 5232] <... rseq resumed>) = 0 [pid 5231] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5232] set_robust_list(0x7f79473519a0, 24 [pid 5231] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5232] <... set_robust_list resumed>) = 0 [pid 5231] <... futex resumed>) = 0 [pid 5232] rt_sigprocmask(SIG_SETMASK, [], [pid 5231] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5232] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5231] <... futex resumed>) = 0 [pid 5231] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5232] memfd_create("syzkaller", 0) = 3 [pid 5232] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5231] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5231] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5231] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5233 attached [pid 5233] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5231] <... clone3 resumed> => {parent_tid=[5233]}, 88) = 5233 [pid 5233] set_robust_list(0x7f79473309a0, 24 [pid 5231] rt_sigprocmask(SIG_SETMASK, [], [pid 5233] <... set_robust_list resumed>) = 0 [pid 5231] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5233] rt_sigprocmask(SIG_SETMASK, [], [pid 5231] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5233] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5231] <... futex resumed>) = 0 [pid 5233] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5231] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5233] <... openat resumed>) = 4 [pid 5233] write(4, "85", 2) = 2 [pid 5233] memfd_create("syzkaller", 0) = 5 [pid 5233] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 87.603171][ T5233] FAULT_INJECTION: forcing a failure. [ 87.603171][ T5233] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 87.617156][ T5233] CPU: 0 PID: 5233 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 87.627601][ T5233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 87.637665][ T5233] Call Trace: [ 87.640932][ T5233] [ 87.643845][ T5233] dump_stack_lvl+0x1e7/0x2d0 [pid 5232] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 87.648512][ T5233] ? nf_tcp_handle_invalid+0x650/0x650 [ 87.653965][ T5233] ? panic+0x770/0x770 [ 87.658026][ T5233] should_fail_ex+0x3aa/0x4e0 [ 87.662689][ T5233] prepare_alloc_pages+0x1d9/0x5b0 [ 87.667791][ T5233] __alloc_pages+0x165/0x670 [ 87.672368][ T5233] ? zone_statistics+0x170/0x170 [ 87.677301][ T5233] ? verify_lock_unused+0x140/0x140 [ 87.682503][ T5233] ? handle_mm_fault+0x11d/0x62b0 [ 87.687541][ T5233] ? __lock_acquire+0x7f70/0x7f70 [ 87.692575][ T5233] ? pte_offset_map_nolock+0x137/0x1e0 [ 87.698044][ T5233] __folio_alloc+0x13/0x30 [ 87.702461][ T5233] vma_alloc_folio+0x48a/0x9a0 [ 87.707220][ T5233] handle_mm_fault+0x2376/0x62b0 [ 87.712155][ T5233] ? handle_mm_fault+0x11d/0x62b0 [ 87.717193][ T5233] ? numa_migrate_prep+0x380/0x380 [ 87.722317][ T5233] ? mtree_range_walk+0x6a0/0x7e0 [ 87.727347][ T5233] ? lock_vma_under_rcu+0x187/0x6f0 [ 87.732557][ T5233] ? __lock_acquire+0x7f70/0x7f70 [ 87.737566][ T5233] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 87.742788][ T5233] ? lock_vma_under_rcu+0x5df/0x6f0 [ 87.747999][ T5233] ? lock_vma_under_rcu+0x187/0x6f0 [ 87.753221][ T5233] ? exc_page_fault+0x10f/0x860 [ 87.758072][ T5233] exc_page_fault+0x455/0x860 [ 87.762759][ T5233] asm_exc_page_fault+0x26/0x30 [ 87.767607][ T5233] RIP: 0033:0x7f794735bc53 [ 87.772036][ T5233] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 87.791651][ T5233] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5232] munmap(0x7f793ef10000, 2097152) = 0 [pid 5232] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 87.797708][ T5233] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 87.805687][ T5233] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 87.813669][ T5233] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 87.821653][ T5233] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 87.829619][ T5233] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 87.837599][ T5233] [ 87.841986][ T5233] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5232] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5232] close(3) = 0 [pid 5232] mkdir("./file0", 0777) = 0 [pid 5232] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5233] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5233] munmap(0x7f7936b10000, 2097152) = 0 [pid 5233] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5232] <... mount resumed>) = 0 [pid 5232] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 5233] <... openat resumed>) = 3 [pid 5233] ioctl(3, LOOP_SET_FD, 5 [pid 5232] <... openat resumed>) = 7 [pid 5233] <... ioctl resumed>) = -1 EBUSY (Device or resource busy) [pid 5233] ioctl(3, LOOP_CLR_FD [pid 5232] chdir("./file0") = 0 [pid 5232] ioctl(6, LOOP_CLR_FD) = 0 [pid 5232] close(6 [pid 5233] <... ioctl resumed>) = 0 [pid 5232] <... close resumed>) = 0 [pid 5232] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5233] ioctl(3, LOOP_SET_FD, 5 [pid 5232] <... futex resumed>) = 0 [pid 5233] <... ioctl resumed>) = -1 EBUSY (Device or resource busy) [pid 5232] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5233] close(3) = 0 [pid 5233] close(5) = 0 [pid 5233] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5231] <... futex resumed>) = 0 [pid 5231] exit_group(0 [pid 5232] <... futex resumed>) = ? [pid 5231] <... exit_group resumed>) = ? [pid 5232] +++ exited with 0 +++ [pid 5233] <... futex resumed>) = ? [pid 5233] +++ exited with 0 +++ [pid 5231] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5231, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=12 /* 0.12 s */} --- umount2("./66", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./66/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./66/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./66/binderfs") = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 [ 87.858455][ T5232] loop0: detected capacity change from 0 to 4096 [ 87.887179][ T5232] ntfs: volume version 12.0. umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./66/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./66/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./66") = 0 mkdir("./67", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5234 attached , child_tidptr=0x555555f17690) = 5234 [pid 5234] set_robust_list(0x555555f176a0, 24) = 0 [pid 5234] chdir("./67") = 0 [pid 5234] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5234] setpgid(0, 0) = 0 [pid 5234] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5234] write(3, "1000", 4) = 4 [pid 5234] close(3) = 0 [pid 5234] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5234] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5234] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5234] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5234] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5234] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5234] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5234] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5235 attached [pid 5235] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5234] <... clone3 resumed> => {parent_tid=[5235]}, 88) = 5235 [pid 5235] <... rseq resumed>) = 0 [pid 5235] set_robust_list(0x7f79473519a0, 24 [pid 5234] rt_sigprocmask(SIG_SETMASK, [], [pid 5235] <... set_robust_list resumed>) = 0 [pid 5234] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5235] rt_sigprocmask(SIG_SETMASK, [], [pid 5234] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5235] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5234] <... futex resumed>) = 0 [pid 5235] memfd_create("syzkaller", 0 [pid 5234] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5235] <... memfd_create resumed>) = 3 [pid 5234] <... futex resumed>) = 0 [pid 5235] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5234] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f793ef10000 [pid 5234] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5234] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5234] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5236 attached [pid 5236] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053 [pid 5234] <... clone3 resumed> => {parent_tid=[5236]}, 88) = 5236 [pid 5236] <... rseq resumed>) = 0 [pid 5234] rt_sigprocmask(SIG_SETMASK, [], [pid 5236] set_robust_list(0x7f793ef309a0, 24 [pid 5234] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5234] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5236] <... set_robust_list resumed>) = 0 [pid 5234] <... futex resumed>) = 0 [pid 5236] rt_sigprocmask(SIG_SETMASK, [], [pid 5234] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5236] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5236] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5236] write(4, "85", 2) = 2 [pid 5236] memfd_create("syzkaller", 0) = 5 [pid 5235] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5236] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5235] <... write resumed>) = 2097152 [ 88.030400][ T5236] FAULT_INJECTION: forcing a failure. [ 88.030400][ T5236] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 88.044397][ T5236] CPU: 0 PID: 5236 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 88.054838][ T5236] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 88.064895][ T5236] Call Trace: [ 88.068173][ T5236] [ 88.071101][ T5236] dump_stack_lvl+0x1e7/0x2d0 [ 88.075784][ T5236] ? nf_tcp_handle_invalid+0x650/0x650 [ 88.081237][ T5236] ? panic+0x770/0x770 [ 88.085338][ T5236] should_fail_ex+0x3aa/0x4e0 [ 88.090049][ T5236] prepare_alloc_pages+0x1d9/0x5b0 [ 88.095164][ T5236] __alloc_pages+0x165/0x670 [ 88.099757][ T5236] ? zone_statistics+0x170/0x170 [ 88.104766][ T5236] ? verify_lock_unused+0x140/0x140 [ 88.110060][ T5236] ? handle_mm_fault+0x11d/0x62b0 [ 88.115084][ T5236] ? __lock_acquire+0x7f70/0x7f70 [ 88.120105][ T5236] ? pte_offset_map_nolock+0x137/0x1e0 [ 88.125576][ T5236] __folio_alloc+0x13/0x30 [ 88.130005][ T5236] vma_alloc_folio+0x48a/0x9a0 [ 88.134775][ T5236] handle_mm_fault+0x2376/0x62b0 [ 88.139744][ T5236] ? handle_mm_fault+0x11d/0x62b0 [ 88.144872][ T5236] ? numa_migrate_prep+0x380/0x380 [ 88.150095][ T5236] ? mtree_range_walk+0x6a0/0x7e0 [ 88.155117][ T5236] ? lock_vma_under_rcu+0x187/0x6f0 [ 88.160315][ T5236] ? __lock_acquire+0x7f70/0x7f70 [ 88.165351][ T5236] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 88.170582][ T5236] ? lock_vma_under_rcu+0x5df/0x6f0 [ 88.175797][ T5236] ? lock_vma_under_rcu+0x187/0x6f0 [ 88.181026][ T5236] ? exc_page_fault+0x10f/0x860 [ 88.185963][ T5236] exc_page_fault+0x455/0x860 [ 88.190644][ T5236] asm_exc_page_fault+0x26/0x30 [ 88.195492][ T5236] RIP: 0033:0x7f794735bc53 [ 88.199904][ T5236] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 88.219679][ T5236] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5235] munmap(0x7f793ef31000, 2097152) = 0 [pid 5235] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 88.226004][ T5236] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 88.233967][ T5236] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 88.241962][ T5236] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 88.249926][ T5236] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 88.257910][ T5236] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 88.265886][ T5236] [ 88.273025][ T5235] loop0: detected capacity change from 0 to 4096 [pid 5235] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5235] close(3) = 0 [pid 5235] mkdir("./file0", 0777) = 0 [pid 5235] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5235] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5235] chdir("./file0") = 0 [pid 5235] ioctl(6, LOOP_CLR_FD) = 0 [pid 5235] close(6 [pid 5236] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5235] <... close resumed>) = 0 [pid 5235] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5236] <... write resumed>) = 2097152 [pid 5236] munmap(0x7f7936b10000, 2097152) = 0 [pid 5236] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5236] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5236] ioctl(6, LOOP_CLR_FD) = 0 [ 88.275343][ T5236] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 88.296112][ T5235] ntfs: volume version 12.0. [pid 5236] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5236] close(6) = 0 [pid 5236] close(5) = 0 [pid 5236] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5234] <... futex resumed>) = 0 [pid 5236] <... futex resumed>) = 1 [pid 5236] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5234] exit_group(0 [pid 5236] <... futex resumed>) = ? [pid 5235] <... futex resumed>) = ? [pid 5234] <... exit_group resumed>) = ? [pid 5236] +++ exited with 0 +++ [pid 5235] +++ exited with 0 +++ [pid 5234] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5234, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=37 /* 0.37 s */} --- umount2("./67", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./67/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./67/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./67/binderfs") = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./67/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./67/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./67") = 0 mkdir("./68", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5237 ./strace-static-x86_64: Process 5237 attached [pid 5237] set_robust_list(0x555555f176a0, 24) = 0 [pid 5237] chdir("./68") = 0 [pid 5237] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5237] setpgid(0, 0) = 0 [pid 5237] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5237] write(3, "1000", 4) = 4 [pid 5237] close(3) = 0 [pid 5237] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5237] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5237] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5237] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5237] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5237] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5237] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5237] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5239 attached => {parent_tid=[5239]}, 88) = 5239 [pid 5237] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5239] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5239] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5237] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5239] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5237] <... futex resumed>) = 0 [pid 5237] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5237] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5237] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5237] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5239] memfd_create("syzkaller", 0 [pid 5237] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5237] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5239] <... memfd_create resumed>) = 3 [pid 5239] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0./strace-static-x86_64: Process 5240 attached [pid 5240] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5239] <... mmap resumed>) = 0x7f793ef10000 [pid 5237] <... clone3 resumed> => {parent_tid=[5240]}, 88) = 5240 [pid 5240] <... rseq resumed>) = 0 [pid 5237] rt_sigprocmask(SIG_SETMASK, [], [pid 5240] set_robust_list(0x7f79473309a0, 24 [pid 5237] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5240] <... set_robust_list resumed>) = 0 [pid 5240] rt_sigprocmask(SIG_SETMASK, [], [pid 5237] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5240] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5237] <... futex resumed>) = 0 [pid 5237] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5240] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5239] munmap(0x7f793ef10000, 138412032 [pid 5240] <... openat resumed>) = 4 [pid 5240] write(4, "85", 2) = 2 [pid 5240] memfd_create("syzkaller", 0) = 5 [pid 5240] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5239] <... munmap resumed>) = 0 [pid 5239] close(3) = 0 [pid 5239] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 88.442464][ T5240] FAULT_INJECTION: forcing a failure. [ 88.442464][ T5240] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 88.456114][ T5240] CPU: 1 PID: 5240 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 88.466557][ T5240] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 88.476641][ T5240] Call Trace: [ 88.479917][ T5240] [ 88.482871][ T5240] dump_stack_lvl+0x1e7/0x2d0 [ 88.487576][ T5240] ? nf_tcp_handle_invalid+0x650/0x650 [ 88.493051][ T5240] ? panic+0x770/0x770 [ 88.497404][ T5240] should_fail_ex+0x3aa/0x4e0 [ 88.502090][ T5240] prepare_alloc_pages+0x1d9/0x5b0 [ 88.507302][ T5240] __alloc_pages+0x165/0x670 [ 88.511893][ T5240] ? zone_statistics+0x170/0x170 [ 88.516833][ T5240] ? verify_lock_unused+0x140/0x140 [ 88.522027][ T5240] ? handle_mm_fault+0x11d/0x62b0 [ 88.527048][ T5240] ? __lock_acquire+0x7f70/0x7f70 [ 88.532084][ T5240] ? pte_offset_map_nolock+0x137/0x1e0 [ 88.537556][ T5240] __folio_alloc+0x13/0x30 [ 88.541966][ T5240] vma_alloc_folio+0x48a/0x9a0 [ 88.546745][ T5240] handle_mm_fault+0x2376/0x62b0 [ 88.551692][ T5240] ? handle_mm_fault+0x11d/0x62b0 [ 88.556736][ T5240] ? numa_migrate_prep+0x380/0x380 [ 88.561848][ T5240] ? mtree_range_walk+0x6a0/0x7e0 [ 88.566963][ T5240] ? lock_vma_under_rcu+0x187/0x6f0 [ 88.572158][ T5240] ? __lock_acquire+0x7f70/0x7f70 [ 88.577233][ T5240] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 88.582448][ T5240] ? lock_vma_under_rcu+0x5df/0x6f0 [ 88.587642][ T5240] ? lock_vma_under_rcu+0x187/0x6f0 [ 88.592845][ T5240] ? exc_page_fault+0x10f/0x860 [ 88.597704][ T5240] exc_page_fault+0x455/0x860 [ 88.602385][ T5240] asm_exc_page_fault+0x26/0x30 [ 88.607230][ T5240] RIP: 0033:0x7f794735bd00 [ 88.611660][ T5240] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 88.631261][ T5240] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5239] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5240] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5240] munmap(0x7f793ef10000, 2097152) = 0 [pid 5240] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 88.637337][ T5240] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 88.645298][ T5240] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 88.653259][ T5240] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 88.661221][ T5240] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 88.669186][ T5240] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 88.677162][ T5240] [ 88.680748][ T5240] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5240] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5240] close(5) = 0 [pid 5240] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5240] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5240] ioctl(3, LOOP_CLR_FD) = 0 [pid 5240] close(3) = 0 [pid 5240] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5237] <... futex resumed>) = 0 [pid 5237] exit_group(0 [pid 5240] <... futex resumed>) = ? [pid 5239] <... futex resumed>) = ? [pid 5237] <... exit_group resumed>) = ? [pid 5240] +++ exited with 0 +++ [pid 5239] +++ exited with 0 +++ [pid 5237] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5237, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- umount2("./68", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./68", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./68/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./68/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./68/binderfs") = 0 umount2("\x2e\x2f\x36\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 88.717770][ T5240] loop0: detected capacity change from 0 to 4096 [ 88.733470][ T5240] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 88.740651][ T5240] ntfs3: loop0: Failed to load $AttrDef (-22) newfstatat(AT_FDCWD, "\x2e\x2f\x36\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x36\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x36\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x36\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./68") = 0 mkdir("./69", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5241 attached , child_tidptr=0x555555f17690) = 5241 [pid 5241] set_robust_list(0x555555f176a0, 24) = 0 [pid 5241] chdir("./69") = 0 [pid 5241] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5241] setpgid(0, 0) = 0 [pid 5241] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5241] write(3, "1000", 4) = 4 [pid 5241] close(3) = 0 [pid 5241] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5241] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5241] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5241] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5241] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5241] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5241] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5241] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5242]}, 88) = 5242 [pid 5241] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5241] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5241] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5241] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0./strace-static-x86_64: Process 5242 attached ) = 0x7f7947310000 [pid 5241] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5242] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5241] <... mprotect resumed>) = 0 [pid 5242] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5241] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5242] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5241] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5241] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5243 attached [pid 5243] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5243] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5242] memfd_create("syzkaller", 0 [pid 5241] <... clone3 resumed> => {parent_tid=[5243]}, 88) = 5243 [pid 5243] rt_sigprocmask(SIG_SETMASK, [], [pid 5242] <... memfd_create resumed>) = 3 [pid 5243] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5242] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5241] rt_sigprocmask(SIG_SETMASK, [], [pid 5243] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5242] <... mmap resumed>) = 0x7f793ef10000 [pid 5241] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5241] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5241] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5243] <... futex resumed>) = 0 [pid 5243] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5243] write(4, "85", 2) = 2 [pid 5243] memfd_create("syzkaller", 0) = 5 [pid 5243] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5242] munmap(0x7f793ef10000, 138412032) = 0 [pid 5242] close(3) = 0 [pid 5242] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 88.842081][ T5243] FAULT_INJECTION: forcing a failure. [ 88.842081][ T5243] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 88.855907][ T5243] CPU: 1 PID: 5243 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 88.866355][ T5243] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 88.876425][ T5243] Call Trace: [ 88.879699][ T5243] [ 88.882628][ T5243] dump_stack_lvl+0x1e7/0x2d0 [ 88.887313][ T5243] ? nf_tcp_handle_invalid+0x650/0x650 [ 88.892794][ T5243] ? panic+0x770/0x770 [ 88.897224][ T5243] should_fail_ex+0x3aa/0x4e0 [ 88.901895][ T5243] prepare_alloc_pages+0x1d9/0x5b0 [ 88.907051][ T5243] __alloc_pages+0x165/0x670 [ 88.911664][ T5243] ? zone_statistics+0x170/0x170 [ 88.916601][ T5243] ? verify_lock_unused+0x140/0x140 [ 88.921877][ T5243] ? handle_mm_fault+0x11d/0x62b0 [ 88.926897][ T5243] ? __lock_acquire+0x7f70/0x7f70 [ 88.931912][ T5243] ? pte_offset_map_nolock+0x137/0x1e0 [ 88.937472][ T5243] __folio_alloc+0x13/0x30 [ 88.941898][ T5243] vma_alloc_folio+0x48a/0x9a0 [ 88.946688][ T5243] handle_mm_fault+0x2376/0x62b0 [ 88.951677][ T5243] ? handle_mm_fault+0x11d/0x62b0 [ 88.956711][ T5243] ? numa_migrate_prep+0x380/0x380 [ 88.961833][ T5243] ? mtree_range_walk+0x6a0/0x7e0 [ 88.966881][ T5243] ? lock_vma_under_rcu+0x187/0x6f0 [ 88.972098][ T5243] ? __lock_acquire+0x7f70/0x7f70 [ 88.977126][ T5243] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 88.982337][ T5243] ? lock_vma_under_rcu+0x5df/0x6f0 [ 88.987541][ T5243] ? lock_vma_under_rcu+0x187/0x6f0 [ 88.992779][ T5243] ? exc_page_fault+0x10f/0x860 [ 88.997648][ T5243] exc_page_fault+0x455/0x860 [ 89.002347][ T5243] asm_exc_page_fault+0x26/0x30 [ 89.007201][ T5243] RIP: 0033:0x7f794735bc53 [ 89.011635][ T5243] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 89.031250][ T5243] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5242] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5243] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5243] munmap(0x7f7936b10000, 2097152) = 0 [pid 5243] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 89.037340][ T5243] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 89.045316][ T5243] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 89.053284][ T5243] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 89.061246][ T5243] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 89.069337][ T5243] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 89.077339][ T5243] [ 89.081303][ T5243] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5243] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5243] close(5) = 0 [pid 5243] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5243] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5243] ioctl(3, LOOP_CLR_FD) = 0 [pid 5243] close(3) = 0 [pid 5243] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5241] <... futex resumed>) = 0 [pid 5243] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5241] exit_group(0 [pid 5243] <... futex resumed>) = ? [pid 5242] <... futex resumed>) = ? [pid 5241] <... exit_group resumed>) = ? [pid 5243] +++ exited with 0 +++ [pid 5242] +++ exited with 0 +++ [ 89.117073][ T5243] loop0: detected capacity change from 0 to 4096 [ 89.135661][ T5243] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 89.142866][ T5243] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5241] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5241, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./69", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./69", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./69/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./69/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./69/binderfs") = 0 umount2("\x2e\x2f\x36\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x36\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x36\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x36\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x36\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./69") = 0 mkdir("./70", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5244 ./strace-static-x86_64: Process 5244 attached [pid 5244] set_robust_list(0x555555f176a0, 24) = 0 [pid 5244] chdir("./70") = 0 [pid 5244] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5244] setpgid(0, 0) = 0 [pid 5244] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5244] write(3, "1000", 4) = 4 [pid 5244] close(3) = 0 [pid 5244] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5244] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5244] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5244] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5244] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5244] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5244] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5245 attached [pid 5245] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5244] <... clone3 resumed> => {parent_tid=[5245]}, 88) = 5245 [pid 5245] <... rseq resumed>) = 0 [pid 5244] rt_sigprocmask(SIG_SETMASK, [], [pid 5245] set_robust_list(0x7f79473519a0, 24 [pid 5244] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5245] <... set_robust_list resumed>) = 0 [pid 5244] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5245] rt_sigprocmask(SIG_SETMASK, [], [pid 5244] <... futex resumed>) = 0 [pid 5245] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5244] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5245] memfd_create("syzkaller", 0 [pid 5244] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5245] <... memfd_create resumed>) = 3 [pid 5244] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5245] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5244] <... mprotect resumed>) = 0 [pid 5245] <... mmap resumed>) = 0x7f793ef10000 [pid 5244] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5244] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5246]}, 88) = 5246 [pid 5244] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5244] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5246 attached [pid 5246] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5246] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5246] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5246] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5245] munmap(0x7f793ef10000, 138412032) = 0 [pid 5245] close(3) = 0 [pid 5246] <... openat resumed>) = 4 [pid 5245] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5245] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5246] write(4, "85", 2) = 2 [pid 5246] memfd_create("syzkaller", 0) = 3 [pid 5246] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 89.262018][ T5246] FAULT_INJECTION: forcing a failure. [ 89.262018][ T5246] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 89.275418][ T5246] CPU: 0 PID: 5246 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 89.285823][ T5246] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 89.295901][ T5246] Call Trace: [ 89.299187][ T5246] [ 89.302107][ T5246] dump_stack_lvl+0x1e7/0x2d0 [ 89.306781][ T5246] ? nf_tcp_handle_invalid+0x650/0x650 [ 89.312232][ T5246] ? panic+0x770/0x770 [ 89.316309][ T5246] should_fail_ex+0x3aa/0x4e0 [ 89.320991][ T5246] prepare_alloc_pages+0x1d9/0x5b0 [ 89.326139][ T5246] __alloc_pages+0x165/0x670 [ 89.330739][ T5246] ? zone_statistics+0x170/0x170 [ 89.335690][ T5246] ? verify_lock_unused+0x140/0x140 [ 89.340973][ T5246] ? handle_mm_fault+0x11d/0x62b0 [ 89.345996][ T5246] ? __lock_acquire+0x7f70/0x7f70 [ 89.351031][ T5246] ? pte_offset_map_nolock+0x137/0x1e0 [ 89.356486][ T5246] __folio_alloc+0x13/0x30 [ 89.360895][ T5246] vma_alloc_folio+0x48a/0x9a0 [ 89.365654][ T5246] handle_mm_fault+0x2376/0x62b0 [ 89.370801][ T5246] ? handle_mm_fault+0x11d/0x62b0 [ 89.375839][ T5246] ? numa_migrate_prep+0x380/0x380 [ 89.380984][ T5246] ? mtree_range_walk+0x6a0/0x7e0 [ 89.386019][ T5246] ? lock_vma_under_rcu+0x187/0x6f0 [ 89.391223][ T5246] ? __lock_acquire+0x7f70/0x7f70 [ 89.396252][ T5246] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 89.401451][ T5246] ? lock_vma_under_rcu+0x5df/0x6f0 [ 89.406654][ T5246] ? lock_vma_under_rcu+0x187/0x6f0 [ 89.411868][ T5246] ? exc_page_fault+0x10f/0x860 [ 89.416726][ T5246] exc_page_fault+0x455/0x860 [ 89.421395][ T5246] asm_exc_page_fault+0x26/0x30 [ 89.426236][ T5246] RIP: 0033:0x7f794735bd00 [ 89.430727][ T5246] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 89.450333][ T5246] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5246] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5246] munmap(0x7f793ef10000, 2097152) = 0 [pid 5246] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 89.456403][ T5246] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 89.464366][ T5246] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 89.472337][ T5246] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 89.480309][ T5246] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 89.488275][ T5246] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 89.496250][ T5246] [pid 5246] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5246] close(3) = 0 [pid 5246] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5246] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 89.532323][ T5246] loop0: detected capacity change from 0 to 4096 [ 89.552613][ T5246] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 89.559647][ T5246] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5246] ioctl(5, LOOP_CLR_FD) = 0 [pid 5246] close(5) = 0 [pid 5246] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5244] <... futex resumed>) = 0 [pid 5244] exit_group(0) = ? [pid 5246] <... futex resumed>) = ? [pid 5246] +++ exited with 0 +++ [pid 5245] <... futex resumed>) = ? [pid 5245] +++ exited with 0 +++ [pid 5244] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5244, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- umount2("./70", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./70", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./70/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./70/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./70/binderfs") = 0 umount2("\x2e\x2f\x37\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x37\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x37\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x37\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x37\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./70") = 0 mkdir("./71", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5247 attached [pid 5247] set_robust_list(0x555555f176a0, 24) = 0 [pid 5247] chdir("./71") = 0 [pid 5247] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5247 [pid 5247] <... prctl resumed>) = 0 [pid 5247] setpgid(0, 0) = 0 [pid 5247] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5247] write(3, "1000", 4) = 4 [pid 5247] close(3) = 0 [pid 5247] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5247] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5247] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5247] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5247] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5247] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5247] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5247] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5248]}, 88) = 5248 [pid 5247] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5247] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5247] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5248 attached [pid 5247] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5247] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5247] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5247] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5249 attached [pid 5249] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5247] <... clone3 resumed> => {parent_tid=[5249]}, 88) = 5249 [pid 5249] <... rseq resumed>) = 0 [pid 5248] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5247] rt_sigprocmask(SIG_SETMASK, [], [pid 5249] set_robust_list(0x7f79473309a0, 24 [pid 5248] <... rseq resumed>) = 0 [pid 5249] <... set_robust_list resumed>) = 0 [pid 5248] set_robust_list(0x7f79473519a0, 24 [pid 5247] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5248] <... set_robust_list resumed>) = 0 [pid 5249] rt_sigprocmask(SIG_SETMASK, [], [pid 5248] rt_sigprocmask(SIG_SETMASK, [], [pid 5247] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5249] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5248] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5247] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5249] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5248] memfd_create("syzkaller", 0 [pid 5249] <... openat resumed>) = 3 [pid 5248] <... memfd_create resumed>) = 4 [pid 5248] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5249] write(3, "85", 2) = 2 [pid 5249] memfd_create("syzkaller", 0) = 5 [pid 5249] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 89.713295][ T5249] FAULT_INJECTION: forcing a failure. [ 89.713295][ T5249] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 89.727409][ T5249] CPU: 0 PID: 5249 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 89.737854][ T5249] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 89.747905][ T5249] Call Trace: [ 89.751182][ T5249] [ 89.754127][ T5249] dump_stack_lvl+0x1e7/0x2d0 [ 89.758803][ T5249] ? nf_tcp_handle_invalid+0x650/0x650 [ 89.764259][ T5249] ? panic+0x770/0x770 [ 89.768348][ T5249] should_fail_ex+0x3aa/0x4e0 [ 89.773027][ T5249] prepare_alloc_pages+0x1d9/0x5b0 [ 89.778148][ T5249] __alloc_pages+0x165/0x670 [ 89.782734][ T5249] ? zone_statistics+0x170/0x170 [ 89.787670][ T5249] ? verify_lock_unused+0x140/0x140 [ 89.792863][ T5249] ? handle_mm_fault+0x11d/0x62b0 [ 89.797968][ T5249] ? __lock_acquire+0x7f70/0x7f70 [ 89.802983][ T5249] ? pte_offset_map_nolock+0x137/0x1e0 [ 89.808447][ T5249] __folio_alloc+0x13/0x30 [ 89.812870][ T5249] vma_alloc_folio+0x48a/0x9a0 [ 89.817810][ T5249] handle_mm_fault+0x2376/0x62b0 [ 89.822769][ T5249] ? handle_mm_fault+0x11d/0x62b0 [ 89.827800][ T5249] ? numa_migrate_prep+0x380/0x380 [ 89.832917][ T5249] ? mtree_range_walk+0x6a0/0x7e0 [ 89.837948][ T5249] ? lock_vma_under_rcu+0x187/0x6f0 [ 89.843144][ T5249] ? __lock_acquire+0x7f70/0x7f70 [ 89.848246][ T5249] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 89.853449][ T5249] ? lock_vma_under_rcu+0x5df/0x6f0 [ 89.858650][ T5249] ? lock_vma_under_rcu+0x187/0x6f0 [ 89.863851][ T5249] ? exc_page_fault+0x10f/0x860 [ 89.868697][ T5249] exc_page_fault+0x455/0x860 [ 89.873371][ T5249] asm_exc_page_fault+0x26/0x30 [ 89.878211][ T5249] RIP: 0033:0x7f794735bc53 [ 89.882615][ T5249] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 89.902231][ T5249] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5248] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5249] munmap(0x7f7936b10000, 138412032) = 0 [pid 5249] close(5) = 0 [pid 5249] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5247] <... futex resumed>) = 0 [pid 5249] <... futex resumed>) = 1 [pid 5249] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5248] <... write resumed>) = 2097152 [pid 5248] munmap(0x7f793ef10000, 2097152) = 0 [pid 5248] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 89.908305][ T5249] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 89.916710][ T5249] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 89.924679][ T5249] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 89.932649][ T5249] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 89.940700][ T5249] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 89.948678][ T5249] [pid 5248] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5248] close(4) = 0 [pid 5248] mkdir("./file0", 0777) = 0 [pid 5248] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5248] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5248] chdir("./file0") = 0 [pid 5248] ioctl(5, LOOP_CLR_FD) = 0 [pid 5248] close(5) = 0 [pid 5248] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5247] exit_group(0 [pid 5249] <... futex resumed>) = ? [pid 5247] <... exit_group resumed>) = ? [pid 5249] +++ exited with 0 +++ [pid 5248] +++ exited with 0 +++ [pid 5247] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5247, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- umount2("./71", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./71/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./71/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./71/binderfs") = 0 [ 89.981890][ T5248] loop0: detected capacity change from 0 to 4096 [ 89.995474][ T5248] ntfs: volume version 12.0. umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./71/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./71/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./71") = 0 mkdir("./72", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5250 ./strace-static-x86_64: Process 5250 attached [pid 5250] set_robust_list(0x555555f176a0, 24) = 0 [pid 5250] chdir("./72") = 0 [pid 5250] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5250] setpgid(0, 0) = 0 [pid 5250] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5250] write(3, "1000", 4) = 4 [pid 5250] close(3) = 0 [pid 5250] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5250] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5250] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5250] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5250] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5250] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5250] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5250] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5251 attached [pid 5251] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5250] <... clone3 resumed> => {parent_tid=[5251]}, 88) = 5251 [pid 5251] <... rseq resumed>) = 0 [pid 5250] rt_sigprocmask(SIG_SETMASK, [], [pid 5251] set_robust_list(0x7f79473519a0, 24 [pid 5250] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5251] <... set_robust_list resumed>) = 0 [pid 5251] rt_sigprocmask(SIG_SETMASK, [], [pid 5250] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5251] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5250] <... futex resumed>) = 0 [pid 5250] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5250] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5251] memfd_create("syzkaller", 0 [pid 5250] <... mmap resumed>) = 0x7f7947310000 [pid 5251] <... memfd_create resumed>) = 3 [pid 5250] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5251] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5250] <... mprotect resumed>) = 0 [pid 5251] <... mmap resumed>) = 0x7f793ef10000 [pid 5250] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5250] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5252]}, 88) = 5252 [pid 5250] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5250] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5250] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5252 attached [pid 5252] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5252] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5252] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5252] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5252] write(4, "85", 2) = 2 [pid 5252] memfd_create("syzkaller", 0) = 5 [pid 5252] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5251] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 90.126613][ T5252] FAULT_INJECTION: forcing a failure. [ 90.126613][ T5252] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 90.141277][ T5252] CPU: 0 PID: 5252 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 90.151699][ T5252] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 90.161742][ T5252] Call Trace: [ 90.165006][ T5252] [ 90.167921][ T5252] dump_stack_lvl+0x1e7/0x2d0 [ 90.172588][ T5252] ? nf_tcp_handle_invalid+0x650/0x650 [ 90.178034][ T5252] ? panic+0x770/0x770 [ 90.182186][ T5252] should_fail_ex+0x3aa/0x4e0 [ 90.186853][ T5252] prepare_alloc_pages+0x1d9/0x5b0 [ 90.191954][ T5252] __alloc_pages+0x165/0x670 [ 90.196548][ T5252] ? zone_statistics+0x170/0x170 [ 90.201475][ T5252] ? verify_lock_unused+0x140/0x140 [ 90.206657][ T5252] ? handle_mm_fault+0x11d/0x62b0 [ 90.211673][ T5252] ? __lock_acquire+0x7f70/0x7f70 [ 90.216688][ T5252] ? pte_offset_map_nolock+0x137/0x1e0 [ 90.222134][ T5252] __folio_alloc+0x13/0x30 [ 90.226628][ T5252] vma_alloc_folio+0x48a/0x9a0 [ 90.231376][ T5252] handle_mm_fault+0x2376/0x62b0 [ 90.236308][ T5252] ? handle_mm_fault+0x11d/0x62b0 [ 90.241320][ T5252] ? numa_migrate_prep+0x380/0x380 [ 90.246419][ T5252] ? mtree_range_walk+0x6a0/0x7e0 [ 90.251430][ T5252] ? lock_vma_under_rcu+0x187/0x6f0 [ 90.256615][ T5252] ? __lock_acquire+0x7f70/0x7f70 [ 90.261644][ T5252] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 90.266841][ T5252] ? lock_vma_under_rcu+0x5df/0x6f0 [ 90.272023][ T5252] ? lock_vma_under_rcu+0x187/0x6f0 [ 90.277326][ T5252] ? exc_page_fault+0x10f/0x860 [ 90.282160][ T5252] exc_page_fault+0x455/0x860 [ 90.286829][ T5252] asm_exc_page_fault+0x26/0x30 [ 90.291667][ T5252] RIP: 0033:0x7f794735bc53 [ 90.296067][ T5252] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 90.315682][ T5252] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 90.321733][ T5252] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 90.329688][ T5252] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 90.337813][ T5252] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 90.345792][ T5252] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 90.353762][ T5252] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 90.361749][ T5252] [ 90.365160][ T5252] pagefault_out_of_memory: 2 callbacks suppressed [pid 5251] munmap(0x7f793ef10000, 2097152) = 0 [pid 5251] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5251] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5251] close(3) = 0 [pid 5251] mkdir("./file0", 0777) = 0 [pid 5251] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5252] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5251] <... mount resumed>) = 0 [pid 5251] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5251] chdir("./file0") = 0 [pid 5251] ioctl(6, LOOP_CLR_FD) = 0 [pid 5251] close(6) = 0 [pid 5251] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5251] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5252] <... write resumed>) = 2097152 [pid 5252] munmap(0x7f7936b10000, 2097152) = 0 [pid 5252] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5252] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5252] ioctl(6, LOOP_CLR_FD) = 0 [pid 5252] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5252] close(6) = 0 [pid 5252] close(5) = 0 [pid 5252] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5252] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5250] <... futex resumed>) = 0 [pid 5250] exit_group(0 [pid 5252] <... futex resumed>) = ? [pid 5250] <... exit_group resumed>) = ? [ 90.365173][ T5252] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 90.383347][ T5251] loop0: detected capacity change from 0 to 4096 [ 90.399591][ T5251] ntfs: volume version 12.0. [pid 5252] +++ exited with 0 +++ [pid 5251] <... futex resumed>) = ? [pid 5251] +++ exited with 0 +++ [pid 5250] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5250, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./72", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./72/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./72/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./72/binderfs") = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./72/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./72/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./72") = 0 mkdir("./73", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5253 ./strace-static-x86_64: Process 5253 attached [pid 5253] set_robust_list(0x555555f176a0, 24) = 0 [pid 5253] chdir("./73") = 0 [pid 5253] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5253] setpgid(0, 0) = 0 [pid 5253] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5253] write(3, "1000", 4) = 4 [pid 5253] close(3) = 0 [pid 5253] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5253] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5253] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5253] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5253] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5253] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5253] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5253] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5254 attached [pid 5254] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5253] <... clone3 resumed> => {parent_tid=[5254]}, 88) = 5254 [pid 5254] <... rseq resumed>) = 0 [pid 5253] rt_sigprocmask(SIG_SETMASK, [], [pid 5254] set_robust_list(0x7f79473519a0, 24 [pid 5253] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5254] <... set_robust_list resumed>) = 0 [pid 5253] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5254] rt_sigprocmask(SIG_SETMASK, [], [pid 5253] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5254] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5253] <... futex resumed>) = 0 [pid 5254] memfd_create("syzkaller", 0 [pid 5253] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5254] <... memfd_create resumed>) = 3 [pid 5253] <... mmap resumed>) = 0x7f7947310000 [pid 5254] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5253] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5253] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5254] <... mmap resumed>) = 0x7f793ef10000 [pid 5253] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5253] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5255 attached [pid 5255] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5253] <... clone3 resumed> => {parent_tid=[5255]}, 88) = 5255 [pid 5255] <... rseq resumed>) = 0 [pid 5253] rt_sigprocmask(SIG_SETMASK, [], [pid 5255] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5253] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5255] rt_sigprocmask(SIG_SETMASK, [], [pid 5253] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5255] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5253] <... futex resumed>) = 0 [pid 5255] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5253] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5255] <... openat resumed>) = 4 [pid 5255] write(4, "85", 2) = 2 [pid 5255] memfd_create("syzkaller", 0) = 5 [pid 5255] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 90.541349][ T5255] FAULT_INJECTION: forcing a failure. [ 90.541349][ T5255] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 90.556256][ T5255] CPU: 1 PID: 5255 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 90.566782][ T5255] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 90.576857][ T5255] Call Trace: [ 90.580129][ T5255] [ 90.583046][ T5255] dump_stack_lvl+0x1e7/0x2d0 [ 90.587712][ T5255] ? nf_tcp_handle_invalid+0x650/0x650 [ 90.593160][ T5255] ? panic+0x770/0x770 [ 90.597220][ T5255] should_fail_ex+0x3aa/0x4e0 [ 90.601883][ T5255] prepare_alloc_pages+0x1d9/0x5b0 [ 90.607002][ T5255] __alloc_pages+0x165/0x670 [ 90.611577][ T5255] ? zone_statistics+0x170/0x170 [ 90.616506][ T5255] ? verify_lock_unused+0x140/0x140 [ 90.621715][ T5255] ? handle_mm_fault+0x11d/0x62b0 [ 90.626725][ T5255] ? __lock_acquire+0x7f70/0x7f70 [ 90.631729][ T5255] ? pte_offset_map_nolock+0x137/0x1e0 [ 90.637172][ T5255] __folio_alloc+0x13/0x30 [ 90.641571][ T5255] vma_alloc_folio+0x48a/0x9a0 [ 90.646325][ T5255] handle_mm_fault+0x2376/0x62b0 [ 90.651251][ T5255] ? handle_mm_fault+0x11d/0x62b0 [ 90.656265][ T5255] ? numa_migrate_prep+0x380/0x380 [ 90.661366][ T5255] ? mtree_range_walk+0x6a0/0x7e0 [ 90.666376][ T5255] ? lock_vma_under_rcu+0x187/0x6f0 [ 90.671556][ T5255] ? __lock_acquire+0x7f70/0x7f70 [ 90.676561][ T5255] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 90.681750][ T5255] ? lock_vma_under_rcu+0x5df/0x6f0 [ 90.686932][ T5255] ? lock_vma_under_rcu+0x187/0x6f0 [ 90.692122][ T5255] ? exc_page_fault+0x10f/0x860 [ 90.696954][ T5255] exc_page_fault+0x455/0x860 [ 90.701614][ T5255] asm_exc_page_fault+0x26/0x30 [ 90.706443][ T5255] RIP: 0033:0x7f794735bc53 [ 90.710840][ T5255] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 90.730426][ T5255] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5254] munmap(0x7f793ef10000, 138412032) = 0 [pid 5254] close(3) = 0 [pid 5254] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5254] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5255] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5255] munmap(0x7f7936b10000, 2097152) = 0 [pid 5255] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 90.736497][ T5255] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 90.744451][ T5255] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 90.752632][ T5255] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 90.760586][ T5255] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 90.768558][ T5255] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 90.776540][ T5255] [ 90.781626][ T5255] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5255] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5255] close(5) = 0 [pid 5255] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5255] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 90.819442][ T5255] loop0: detected capacity change from 0 to 4096 [ 90.835856][ T5255] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 90.842932][ T5255] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5255] ioctl(3, LOOP_CLR_FD) = 0 [pid 5255] close(3) = 0 [pid 5255] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5255] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5253] <... futex resumed>) = 0 [pid 5253] exit_group(0 [pid 5255] <... futex resumed>) = ? [pid 5254] <... futex resumed>) = ? [pid 5255] +++ exited with 0 +++ [pid 5254] +++ exited with 0 +++ [pid 5253] <... exit_group resumed>) = ? [pid 5253] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5253, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./73", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./73", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./73/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./73/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./73/binderfs") = 0 umount2("\x2e\x2f\x37\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x37\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x37\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x37\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x37\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./73") = 0 mkdir("./74", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5256 attached , child_tidptr=0x555555f17690) = 5256 [pid 5256] set_robust_list(0x555555f176a0, 24) = 0 [pid 5256] chdir("./74") = 0 [pid 5256] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5256] setpgid(0, 0) = 0 [pid 5256] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5256] write(3, "1000", 4) = 4 [pid 5256] close(3) = 0 [pid 5256] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5256] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5256] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5256] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5256] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5256] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5256] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5256] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5257 attached => {parent_tid=[5257]}, 88) = 5257 [pid 5256] rt_sigprocmask(SIG_SETMASK, [], [pid 5257] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5256] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5257] <... rseq resumed>) = 0 [pid 5256] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5256] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5256] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5256] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5256] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5256] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5258 attached [pid 5257] set_robust_list(0x7f79473519a0, 24 [pid 5256] <... clone3 resumed> => {parent_tid=[5258]}, 88) = 5258 [pid 5257] <... set_robust_list resumed>) = 0 [pid 5256] rt_sigprocmask(SIG_SETMASK, [], [pid 5257] rt_sigprocmask(SIG_SETMASK, [], [pid 5256] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5257] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5256] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5256] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5257] memfd_create("syzkaller", 0 [pid 5258] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5257] <... memfd_create resumed>) = 3 [pid 5258] <... rseq resumed>) = 0 [pid 5258] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5258] rt_sigprocmask(SIG_SETMASK, [], [pid 5257] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5258] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5257] <... mmap resumed>) = 0x7f793ef10000 [pid 5258] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5257] munmap(0x7f793ef10000, 138412032) = 0 [pid 5258] <... openat resumed>) = 4 [pid 5257] close(3) = 0 [pid 5258] write(4, "85", 2 [pid 5257] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5258] <... write resumed>) = 2 [pid 5258] memfd_create("syzkaller", 0 [pid 5257] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5258] <... memfd_create resumed>) = 3 [pid 5258] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 90.964609][ T5258] FAULT_INJECTION: forcing a failure. [ 90.964609][ T5258] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 90.979237][ T5258] CPU: 0 PID: 5258 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 90.989785][ T5258] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 91.000190][ T5258] Call Trace: [ 91.003465][ T5258] [ 91.006386][ T5258] dump_stack_lvl+0x1e7/0x2d0 [ 91.011095][ T5258] ? nf_tcp_handle_invalid+0x650/0x650 [ 91.016571][ T5258] ? panic+0x770/0x770 [ 91.020676][ T5258] should_fail_ex+0x3aa/0x4e0 [ 91.025368][ T5258] prepare_alloc_pages+0x1d9/0x5b0 [ 91.030491][ T5258] __alloc_pages+0x165/0x670 [ 91.035091][ T5258] ? zone_statistics+0x170/0x170 [ 91.040139][ T5258] ? verify_lock_unused+0x140/0x140 [ 91.045363][ T5258] ? handle_mm_fault+0x11d/0x62b0 [ 91.050377][ T5258] ? __lock_acquire+0x7f70/0x7f70 [ 91.055397][ T5258] ? pte_offset_map_nolock+0x137/0x1e0 [ 91.060877][ T5258] __folio_alloc+0x13/0x30 [ 91.065315][ T5258] vma_alloc_folio+0x48a/0x9a0 [ 91.070095][ T5258] handle_mm_fault+0x2376/0x62b0 [ 91.075045][ T5258] ? handle_mm_fault+0x11d/0x62b0 [ 91.080083][ T5258] ? numa_migrate_prep+0x380/0x380 [ 91.085191][ T5258] ? mtree_range_walk+0x6a0/0x7e0 [ 91.090321][ T5258] ? lock_vma_under_rcu+0x187/0x6f0 [ 91.095543][ T5258] ? __lock_acquire+0x7f70/0x7f70 [ 91.100589][ T5258] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 91.105815][ T5258] ? lock_vma_under_rcu+0x5df/0x6f0 [ 91.111038][ T5258] ? lock_vma_under_rcu+0x187/0x6f0 [ 91.116276][ T5258] ? exc_page_fault+0x10f/0x860 [ 91.121127][ T5258] exc_page_fault+0x455/0x860 [ 91.125810][ T5258] asm_exc_page_fault+0x26/0x30 [ 91.130657][ T5258] RIP: 0033:0x7f794735bd00 [ 91.135062][ T5258] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 91.154668][ T5258] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5258] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5258] munmap(0x7f793ef10000, 2097152) = 0 [pid 5258] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 91.160914][ T5258] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 91.168885][ T5258] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 91.176856][ T5258] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 91.184924][ T5258] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 91.192909][ T5258] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 91.200906][ T5258] [ 91.204618][ T5258] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5258] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5258] close(3) = 0 [pid 5258] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5258] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 91.246745][ T5258] loop0: detected capacity change from 0 to 4096 [ 91.266712][ T5258] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 91.273813][ T5258] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5258] ioctl(5, LOOP_CLR_FD) = 0 [pid 5258] close(5) = 0 [pid 5258] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5256] <... futex resumed>) = 0 [pid 5258] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5256] exit_group(0 [pid 5258] <... futex resumed>) = ? [pid 5257] <... futex resumed>) = ? [pid 5256] <... exit_group resumed>) = ? [pid 5258] +++ exited with 0 +++ [pid 5257] +++ exited with 0 +++ [pid 5256] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5256, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./74", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./74", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./74/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./74/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./74/binderfs") = 0 umount2("\x2e\x2f\x37\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x37\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x37\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x37\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x37\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./74") = 0 mkdir("./75", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5259 attached [pid 5259] set_robust_list(0x555555f176a0, 24) = 0 [pid 5259] chdir("./75") = 0 [pid 5259] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5259 [pid 5259] setpgid(0, 0) = 0 [pid 5259] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5259] write(3, "1000", 4) = 4 [pid 5259] close(3) = 0 [pid 5259] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5259] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5259] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5259] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5259] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5259] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5259] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5259] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5260 attached [pid 5260] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5259] <... clone3 resumed> => {parent_tid=[5260]}, 88) = 5260 [pid 5260] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5259] rt_sigprocmask(SIG_SETMASK, [], [pid 5260] rt_sigprocmask(SIG_SETMASK, [], [pid 5259] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5260] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5259] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5260] memfd_create("syzkaller", 0 [pid 5259] <... futex resumed>) = 0 [pid 5259] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5260] <... memfd_create resumed>) = 3 [pid 5259] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5260] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5259] <... mmap resumed>) = 0x7f7947310000 [pid 5259] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5260] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5259] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5259] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5261 attached => {parent_tid=[5261]}, 88) = 5261 [pid 5261] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5259] rt_sigprocmask(SIG_SETMASK, [], [pid 5261] <... rseq resumed>) = 0 [pid 5259] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5261] set_robust_list(0x7f79473309a0, 24 [pid 5259] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5261] <... set_robust_list resumed>) = 0 [pid 5259] <... futex resumed>) = 0 [pid 5261] rt_sigprocmask(SIG_SETMASK, [], [pid 5259] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5261] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5261] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5261] write(4, "85", 2) = 2 [pid 5261] memfd_create("syzkaller", 0) = 5 [pid 5261] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5260] <... write resumed>) = 2097152 [ 91.407928][ T5261] FAULT_INJECTION: forcing a failure. [ 91.407928][ T5261] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 91.421393][ T5261] CPU: 1 PID: 5261 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 91.431827][ T5261] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 91.441883][ T5261] Call Trace: [ 91.445172][ T5261] [ 91.448114][ T5261] dump_stack_lvl+0x1e7/0x2d0 [ 91.452882][ T5261] ? nf_tcp_handle_invalid+0x650/0x650 [ 91.458420][ T5261] ? panic+0x770/0x770 [ 91.462492][ T5261] should_fail_ex+0x3aa/0x4e0 [ 91.467167][ T5261] prepare_alloc_pages+0x1d9/0x5b0 [ 91.472311][ T5261] __alloc_pages+0x165/0x670 [ 91.476930][ T5261] ? zone_statistics+0x170/0x170 [ 91.481902][ T5261] ? verify_lock_unused+0x140/0x140 [ 91.487132][ T5261] ? handle_mm_fault+0x11d/0x62b0 [ 91.492165][ T5261] ? __lock_acquire+0x7f70/0x7f70 [ 91.497184][ T5261] ? pte_offset_map_nolock+0x137/0x1e0 [ 91.502669][ T5261] __folio_alloc+0x13/0x30 [ 91.507103][ T5261] vma_alloc_folio+0x48a/0x9a0 [ 91.511897][ T5261] handle_mm_fault+0x2376/0x62b0 [ 91.516845][ T5261] ? handle_mm_fault+0x11d/0x62b0 [ 91.521978][ T5261] ? numa_migrate_prep+0x380/0x380 [ 91.527193][ T5261] ? mtree_range_walk+0x6a0/0x7e0 [ 91.532387][ T5261] ? lock_vma_under_rcu+0x187/0x6f0 [ 91.537580][ T5261] ? __lock_acquire+0x7f70/0x7f70 [ 91.542595][ T5261] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 91.547801][ T5261] ? lock_vma_under_rcu+0x5df/0x6f0 [ 91.552998][ T5261] ? lock_vma_under_rcu+0x187/0x6f0 [ 91.558216][ T5261] ? exc_page_fault+0x10f/0x860 [ 91.563061][ T5261] exc_page_fault+0x455/0x860 [ 91.567737][ T5261] asm_exc_page_fault+0x26/0x30 [ 91.572611][ T5261] RIP: 0033:0x7f794735bc53 [ 91.577190][ T5261] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 91.597308][ T5261] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5260] munmap(0x7f793ef10000, 2097152) = 0 [pid 5260] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 91.603370][ T5261] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 91.611337][ T5261] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 91.619417][ T5261] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 91.627380][ T5261] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 91.635432][ T5261] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 91.643496][ T5261] [ 91.646755][ T5261] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5260] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5260] close(3) = 0 [pid 5260] mkdir("./file0", 0777) = 0 [ 91.657856][ T5260] loop0: detected capacity change from 0 to 4096 [ 91.674863][ T5260] __ntfs_error: 116 callbacks suppressed [ 91.674874][ T5260] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 91.692193][ T5260] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5260] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5261] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5261] munmap(0x7f7936b10000, 2097152) = 0 [pid 5261] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5261] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5261] ioctl(3, LOOP_CLR_FD) = 0 [pid 5261] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5261] close(3) = 0 [ 91.705719][ T5260] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 91.721304][ T5260] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 91.731483][ T5260] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 91.740182][ T5260] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [pid 5261] close(5) = 0 [pid 5261] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5259] <... futex resumed>) = 0 [pid 5261] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5260] <... mount resumed>) = 0 [pid 5260] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5260] chdir("./file0") = 0 [pid 5260] ioctl(6, LOOP_CLR_FD) = 0 [pid 5260] close(6) = 0 [pid 5260] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5260] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5259] exit_group(0) = ? [pid 5260] <... futex resumed>) = ? [pid 5261] <... futex resumed>) = ? [pid 5260] +++ exited with 0 +++ [pid 5261] +++ exited with 0 +++ [pid 5259] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5259, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=26 /* 0.26 s */} --- umount2("./75", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./75/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./75/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./75/binderfs") = 0 [ 91.754281][ T5260] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 91.766978][ T5260] ntfs: volume version 12.0. [ 91.771685][ T5260] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 91.780655][ T5260] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 91.794232][ T5260] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./75/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./75/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./75") = 0 mkdir("./76", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5262 attached , child_tidptr=0x555555f17690) = 5262 [pid 5262] set_robust_list(0x555555f176a0, 24) = 0 [pid 5262] chdir("./76") = 0 [pid 5262] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5262] setpgid(0, 0) = 0 [pid 5262] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5262] write(3, "1000", 4) = 4 [pid 5262] close(3) = 0 [pid 5262] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5262] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5262] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5262] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5262] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5262] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5262] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5262] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5263 attached [pid 5263] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5263] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5263] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5263] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5262] <... clone3 resumed> => {parent_tid=[5263]}, 88) = 5263 [pid 5262] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5262] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5263] <... futex resumed>) = 0 [pid 5262] <... futex resumed>) = 1 [pid 5263] memfd_create("syzkaller", 0 [pid 5262] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5262] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5263] <... memfd_create resumed>) = 3 [pid 5263] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5262] <... mmap resumed>) = 0x7f793ef10000 [pid 5262] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5262] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5262] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5264 attached [pid 5264] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5264] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5264] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5264] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5263] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5262] <... clone3 resumed> => {parent_tid=[5264]}, 88) = 5264 [pid 5262] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5262] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5264] <... futex resumed>) = 0 [pid 5262] <... futex resumed>) = 1 [pid 5264] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5262] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5264] <... openat resumed>) = 4 [pid 5264] write(4, "85", 2) = 2 [pid 5264] memfd_create("syzkaller", 0) = 5 [pid 5264] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5263] <... write resumed>) = 2097152 [ 91.912517][ T5264] FAULT_INJECTION: forcing a failure. [ 91.912517][ T5264] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 91.925904][ T5264] CPU: 1 PID: 5264 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 91.936350][ T5264] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 91.946400][ T5264] Call Trace: [ 91.949672][ T5264] [ 91.952595][ T5264] dump_stack_lvl+0x1e7/0x2d0 [ 91.957270][ T5264] ? nf_tcp_handle_invalid+0x650/0x650 [ 91.962815][ T5264] ? panic+0x770/0x770 [ 91.966941][ T5264] should_fail_ex+0x3aa/0x4e0 [ 91.971620][ T5264] prepare_alloc_pages+0x1d9/0x5b0 [ 91.976820][ T5264] __alloc_pages+0x165/0x670 [ 91.981582][ T5264] ? zone_statistics+0x170/0x170 [ 91.986528][ T5264] ? verify_lock_unused+0x140/0x140 [ 91.991812][ T5264] ? handle_mm_fault+0x11d/0x62b0 [ 91.996918][ T5264] ? __lock_acquire+0x7f70/0x7f70 [ 92.001957][ T5264] ? pte_offset_map_nolock+0x137/0x1e0 [ 92.007421][ T5264] __folio_alloc+0x13/0x30 [ 92.011844][ T5264] vma_alloc_folio+0x48a/0x9a0 [ 92.016611][ T5264] handle_mm_fault+0x2376/0x62b0 [ 92.021579][ T5264] ? handle_mm_fault+0x11d/0x62b0 [ 92.026607][ T5264] ? numa_migrate_prep+0x380/0x380 [ 92.031726][ T5264] ? mtree_range_walk+0x6a0/0x7e0 [ 92.036749][ T5264] ? lock_vma_under_rcu+0x187/0x6f0 [ 92.041945][ T5264] ? __lock_acquire+0x7f70/0x7f70 [ 92.046963][ T5264] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 92.052252][ T5264] ? lock_vma_under_rcu+0x5df/0x6f0 [ 92.058059][ T5264] ? lock_vma_under_rcu+0x187/0x6f0 [ 92.063260][ T5264] ? exc_page_fault+0x10f/0x860 [ 92.068141][ T5264] exc_page_fault+0x455/0x860 [ 92.072841][ T5264] asm_exc_page_fault+0x26/0x30 [ 92.077703][ T5264] RIP: 0033:0x7f794735bc53 [ 92.082133][ T5264] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 92.101746][ T5264] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5263] munmap(0x7f793ef31000, 2097152) = 0 [pid 5263] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 92.107840][ T5264] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 92.115813][ T5264] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 92.123776][ T5264] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 92.131821][ T5264] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 92.139805][ T5264] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 92.147800][ T5264] [ 92.151856][ T5264] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5263] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5263] close(3) = 0 [pid 5263] mkdir("./file0", 0777) = 0 [pid 5263] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5263] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5263] chdir("./file0") = 0 [pid 5263] ioctl(6, LOOP_CLR_FD) = 0 [pid 5263] close(6) = 0 [pid 5263] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5263] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5264] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 92.156213][ T5263] loop0: detected capacity change from 0 to 4096 [ 92.180169][ T5263] ntfs: volume version 12.0. [pid 5264] munmap(0x7f7936b10000, 2097152) = 0 [pid 5264] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5264] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5264] ioctl(6, LOOP_CLR_FD) = 0 [pid 5264] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5264] close(6) = 0 [pid 5264] close(5) = 0 [pid 5264] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5262] <... futex resumed>) = 0 [pid 5262] exit_group(0 [pid 5263] <... futex resumed>) = ? [pid 5262] <... exit_group resumed>) = ? [pid 5263] +++ exited with 0 +++ [pid 5264] <... futex resumed>) = ? [pid 5264] +++ exited with 0 +++ [pid 5262] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5262, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- umount2("./76", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./76", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./76/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./76/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./76/binderfs") = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./76/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./76/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./76/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./76") = 0 mkdir("./77", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5265 ./strace-static-x86_64: Process 5265 attached [pid 5265] set_robust_list(0x555555f176a0, 24) = 0 [pid 5265] chdir("./77") = 0 [pid 5265] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5265] setpgid(0, 0) = 0 [pid 5265] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5265] write(3, "1000", 4) = 4 [pid 5265] close(3) = 0 [pid 5265] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5265] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5265] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5265] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5265] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5265] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5265] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5265] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5266 attached => {parent_tid=[5266]}, 88) = 5266 [pid 5266] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5265] rt_sigprocmask(SIG_SETMASK, [], [pid 5266] set_robust_list(0x7f79473519a0, 24 [pid 5265] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5266] <... set_robust_list resumed>) = 0 [pid 5265] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5266] rt_sigprocmask(SIG_SETMASK, [], [pid 5265] <... futex resumed>) = 0 [pid 5266] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5265] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5266] memfd_create("syzkaller", 0 [pid 5265] <... futex resumed>) = 0 [pid 5265] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5265] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5265] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5265] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5267 attached => {parent_tid=[5267]}, 88) = 5267 [pid 5267] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5266] <... memfd_create resumed>) = 3 [pid 5265] rt_sigprocmask(SIG_SETMASK, [], [pid 5266] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5265] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5267] <... rseq resumed>) = 0 [pid 5266] <... mmap resumed>) = 0x7f793ef10000 [pid 5265] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5267] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5267] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5265] <... futex resumed>) = 0 [pid 5265] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5267] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5267] write(4, "85", 2) = 2 [pid 5267] memfd_create("syzkaller", 0) = 5 [pid 5267] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 92.338756][ T5267] FAULT_INJECTION: forcing a failure. [ 92.338756][ T5267] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 92.352105][ T5267] CPU: 1 PID: 5267 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 92.362633][ T5267] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 92.372706][ T5267] Call Trace: [ 92.376002][ T5267] [ 92.379101][ T5267] dump_stack_lvl+0x1e7/0x2d0 [ 92.383788][ T5267] ? nf_tcp_handle_invalid+0x650/0x650 [ 92.389242][ T5267] ? panic+0x770/0x770 [ 92.393320][ T5267] should_fail_ex+0x3aa/0x4e0 [ 92.398008][ T5267] prepare_alloc_pages+0x1d9/0x5b0 [ 92.403124][ T5267] __alloc_pages+0x165/0x670 [ 92.408236][ T5267] ? zone_statistics+0x170/0x170 [ 92.413173][ T5267] ? verify_lock_unused+0x140/0x140 [ 92.418373][ T5267] ? handle_mm_fault+0x11d/0x62b0 [ 92.423400][ T5267] ? __lock_acquire+0x7f70/0x7f70 [ 92.428470][ T5267] ? pte_offset_map_nolock+0x137/0x1e0 [ 92.433943][ T5267] __folio_alloc+0x13/0x30 [ 92.438354][ T5267] vma_alloc_folio+0x48a/0x9a0 [ 92.443114][ T5267] handle_mm_fault+0x2376/0x62b0 [ 92.448066][ T5267] ? handle_mm_fault+0x11d/0x62b0 [ 92.453188][ T5267] ? numa_migrate_prep+0x380/0x380 [ 92.458310][ T5267] ? mtree_range_walk+0x6a0/0x7e0 [ 92.463335][ T5267] ? lock_vma_under_rcu+0x187/0x6f0 [ 92.468547][ T5267] ? __lock_acquire+0x7f70/0x7f70 [ 92.473570][ T5267] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 92.478862][ T5267] ? lock_vma_under_rcu+0x5df/0x6f0 [ 92.484055][ T5267] ? lock_vma_under_rcu+0x187/0x6f0 [ 92.489260][ T5267] ? exc_page_fault+0x10f/0x860 [ 92.494112][ T5267] exc_page_fault+0x455/0x860 [ 92.498789][ T5267] asm_exc_page_fault+0x26/0x30 [ 92.503632][ T5267] RIP: 0033:0x7f794735bc53 [ 92.508041][ T5267] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 92.527813][ T5267] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5266] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5266] munmap(0x7f793ef10000, 2097152) = 0 [pid 5266] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 92.533877][ T5267] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 92.541845][ T5267] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 92.549814][ T5267] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 92.557776][ T5267] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 92.565764][ T5267] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 92.573742][ T5267] [ 92.582058][ T5267] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5266] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5266] close(3) = 0 [pid 5266] mkdir("./file0", 0777) = 0 [pid 5266] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5267] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5266] <... mount resumed>) = 0 [pid 5266] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5266] chdir("./file0") = 0 [pid 5266] ioctl(6, LOOP_CLR_FD) = 0 [pid 5266] close(6) = 0 [pid 5266] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5266] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5267] <... write resumed>) = 2097152 [pid 5267] munmap(0x7f7936b10000, 2097152) = 0 [pid 5267] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5267] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5267] ioctl(6, LOOP_CLR_FD) = 0 [pid 5267] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5267] close(6) = 0 [ 92.593187][ T5266] loop0: detected capacity change from 0 to 4096 [ 92.609221][ T5266] ntfs: volume version 12.0. [pid 5267] close(5) = 0 [pid 5267] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5265] <... futex resumed>) = 0 [pid 5265] exit_group(0 [pid 5266] <... futex resumed>) = ? [pid 5265] <... exit_group resumed>) = ? [pid 5266] +++ exited with 0 +++ [pid 5267] <... futex resumed>) = ? [pid 5267] +++ exited with 0 +++ [pid 5265] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5265, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./77", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./77", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./77/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./77/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./77/binderfs") = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./77/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./77/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./77/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./77") = 0 mkdir("./78", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5268 attached , child_tidptr=0x555555f17690) = 5268 [pid 5268] set_robust_list(0x555555f176a0, 24) = 0 [pid 5268] chdir("./78") = 0 [pid 5268] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5268] setpgid(0, 0) = 0 [pid 5268] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5268] write(3, "1000", 4) = 4 [pid 5268] close(3) = 0 [pid 5268] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5268] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5268] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5268] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5268] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5268] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5268] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5268] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5269 attached [pid 5269] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5269] set_robust_list(0x7f79473519a0, 24 [pid 5268] <... clone3 resumed> => {parent_tid=[5269]}, 88) = 5269 [pid 5269] <... set_robust_list resumed>) = 0 [pid 5269] rt_sigprocmask(SIG_SETMASK, [], [pid 5268] rt_sigprocmask(SIG_SETMASK, [], [pid 5269] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5269] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5268] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5268] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5269] <... futex resumed>) = 0 [pid 5268] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5268] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5268] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5269] memfd_create("syzkaller", 0 [pid 5268] <... mprotect resumed>) = 0 [pid 5269] <... memfd_create resumed>) = 3 [pid 5269] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5268] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5268] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5270 attached => {parent_tid=[5270]}, 88) = 5270 [pid 5270] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5268] rt_sigprocmask(SIG_SETMASK, [], [pid 5270] <... rseq resumed>) = 0 [pid 5268] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5270] set_robust_list(0x7f79473309a0, 24 [pid 5268] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5270] <... set_robust_list resumed>) = 0 [pid 5268] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5270] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5270] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5270] write(4, "85", 2) = 2 [pid 5270] memfd_create("syzkaller", 0) = 5 [pid 5270] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 92.743361][ T5270] FAULT_INJECTION: forcing a failure. [ 92.743361][ T5270] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 92.766222][ T5270] CPU: 1 PID: 5270 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 92.776668][ T5270] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 92.786721][ T5270] Call Trace: [ 92.789990][ T5270] [ 92.792921][ T5270] dump_stack_lvl+0x1e7/0x2d0 [ 92.797594][ T5270] ? nf_tcp_handle_invalid+0x650/0x650 [ 92.803046][ T5270] ? panic+0x770/0x770 [ 92.807117][ T5270] should_fail_ex+0x3aa/0x4e0 [ 92.811791][ T5270] prepare_alloc_pages+0x1d9/0x5b0 [ 92.816904][ T5270] __alloc_pages+0x165/0x670 [ 92.821489][ T5270] ? zone_statistics+0x170/0x170 [ 92.826427][ T5270] ? verify_lock_unused+0x140/0x140 [ 92.831616][ T5270] ? handle_mm_fault+0x11d/0x62b0 [ 92.836669][ T5270] ? __lock_acquire+0x7f70/0x7f70 [ 92.841707][ T5270] ? pte_offset_map_nolock+0x137/0x1e0 [ 92.847175][ T5270] __folio_alloc+0x13/0x30 [ 92.851585][ T5270] vma_alloc_folio+0x48a/0x9a0 [ 92.856370][ T5270] handle_mm_fault+0x2376/0x62b0 [ 92.861311][ T5270] ? handle_mm_fault+0x11d/0x62b0 [ 92.866337][ T5270] ? numa_migrate_prep+0x380/0x380 [ 92.871543][ T5270] ? mtree_range_walk+0x6a0/0x7e0 [ 92.876566][ T5270] ? lock_vma_under_rcu+0x187/0x6f0 [ 92.881755][ T5270] ? __lock_acquire+0x7f70/0x7f70 [ 92.886768][ T5270] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 92.891970][ T5270] ? lock_vma_under_rcu+0x5df/0x6f0 [ 92.897191][ T5270] ? lock_vma_under_rcu+0x187/0x6f0 [ 92.902392][ T5270] ? exc_page_fault+0x10f/0x860 [ 92.907429][ T5270] exc_page_fault+0x455/0x860 [ 92.912136][ T5270] asm_exc_page_fault+0x26/0x30 [ 92.916993][ T5270] RIP: 0033:0x7f794735bc53 [ 92.921408][ T5270] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 92.941101][ T5270] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 92.947163][ T5270] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 92.955298][ T5270] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 92.963261][ T5270] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 92.971220][ T5270] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 92.979268][ T5270] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 92.987245][ T5270] [pid 5269] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5270] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5269] <... write resumed>) = 2097152 [pid 5269] munmap(0x7f793ef10000, 2097152) = 0 [pid 5269] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5269] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5269] close(3) = 0 [pid 5269] mkdir("./file0", 0777) = 0 [ 92.992441][ T5270] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 93.032407][ T5269] loop0: detected capacity change from 0 to 4096 [pid 5269] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5270] <... write resumed>) = 2097152 [pid 5270] munmap(0x7f7936b10000, 2097152) = 0 [pid 5270] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5270] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5270] ioctl(3, LOOP_CLR_FD) = 0 [pid 5269] <... mount resumed>) = 0 [pid 5269] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 5270] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5270] close(3) = 0 [pid 5269] <... openat resumed>) = 7 [pid 5270] close(5 [pid 5269] chdir("./file0") = 0 [pid 5269] ioctl(6, LOOP_CLR_FD) = 0 [pid 5269] close(6) = 0 [pid 5269] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5269] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5270] <... close resumed>) = 0 [pid 5270] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5268] <... futex resumed>) = 0 [pid 5268] exit_group(0 [pid 5269] <... futex resumed>) = ? [pid 5268] <... exit_group resumed>) = ? [pid 5269] +++ exited with 0 +++ [pid 5270] <... futex resumed>) = ? [ 93.048087][ T5269] ntfs: volume version 12.0. [pid 5270] +++ exited with 0 +++ [pid 5268] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5268, si_uid=0, si_status=0, si_utime=0, si_stime=35 /* 0.35 s */} --- umount2("./78", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./78", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./78/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./78/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./78/binderfs") = 0 umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./78/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./78/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./78/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./78") = 0 mkdir("./79", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5271 attached [pid 5271] set_robust_list(0x555555f176a0, 24) = 0 [pid 5271] chdir("./79") = 0 [pid 5271] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5271] setpgid(0, 0) = 0 [pid 5271] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5271 [pid 5271] <... openat resumed>) = 3 [pid 5271] write(3, "1000", 4) = 4 [pid 5271] close(3) = 0 [pid 5271] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5271] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5271] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5271] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5271] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5271] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5271] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5271] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5272 attached => {parent_tid=[5272]}, 88) = 5272 [pid 5272] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5271] rt_sigprocmask(SIG_SETMASK, [], [pid 5272] set_robust_list(0x7f79473519a0, 24 [pid 5271] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5272] <... set_robust_list resumed>) = 0 [pid 5271] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5272] rt_sigprocmask(SIG_SETMASK, [], [pid 5271] <... futex resumed>) = 0 [pid 5272] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5271] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5271] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5271] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5271] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5271] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5273]}, 88) = 5273 [pid 5271] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5272] memfd_create("syzkaller", 0 [pid 5271] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5271] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5272] <... memfd_create resumed>) = 3 [pid 5272] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 ./strace-static-x86_64: Process 5273 attached [pid 5273] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5273] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5273] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5273] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5273] write(4, "85", 2) = 2 [pid 5273] memfd_create("syzkaller", 0) = 5 [pid 5273] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5272] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 93.193828][ T5273] FAULT_INJECTION: forcing a failure. [ 93.193828][ T5273] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 93.208402][ T5273] CPU: 0 PID: 5273 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 93.218846][ T5273] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 93.228954][ T5273] Call Trace: [ 93.232248][ T5273] [ 93.235201][ T5273] dump_stack_lvl+0x1e7/0x2d0 [ 93.239904][ T5273] ? nf_tcp_handle_invalid+0x650/0x650 [ 93.245357][ T5273] ? panic+0x770/0x770 [ 93.249461][ T5273] should_fail_ex+0x3aa/0x4e0 [ 93.254144][ T5273] prepare_alloc_pages+0x1d9/0x5b0 [ 93.259277][ T5273] __alloc_pages+0x165/0x670 [ 93.263913][ T5273] ? zone_statistics+0x170/0x170 [ 93.268886][ T5273] ? verify_lock_unused+0x140/0x140 [ 93.274097][ T5273] ? handle_mm_fault+0x11d/0x62b0 [ 93.279118][ T5273] ? __lock_acquire+0x7f70/0x7f70 [ 93.284134][ T5273] ? pte_offset_map_nolock+0x137/0x1e0 [ 93.289588][ T5273] __folio_alloc+0x13/0x30 [ 93.294001][ T5273] vma_alloc_folio+0x48a/0x9a0 [ 93.298771][ T5273] handle_mm_fault+0x2376/0x62b0 [ 93.303808][ T5273] ? handle_mm_fault+0x11d/0x62b0 [ 93.308846][ T5273] ? numa_migrate_prep+0x380/0x380 [ 93.313959][ T5273] ? mtree_range_walk+0x6a0/0x7e0 [ 93.318979][ T5273] ? lock_vma_under_rcu+0x187/0x6f0 [ 93.324273][ T5273] ? __lock_acquire+0x7f70/0x7f70 [ 93.329285][ T5273] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 93.334506][ T5273] ? lock_vma_under_rcu+0x5df/0x6f0 [ 93.339716][ T5273] ? lock_vma_under_rcu+0x187/0x6f0 [ 93.344932][ T5273] ? exc_page_fault+0x10f/0x860 [ 93.349790][ T5273] exc_page_fault+0x455/0x860 [ 93.354481][ T5273] asm_exc_page_fault+0x26/0x30 [ 93.359346][ T5273] RIP: 0033:0x7f794735bc53 [ 93.363756][ T5273] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 93.383534][ T5273] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5272] munmap(0x7f793ef10000, 2097152) = 0 [pid 5272] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 93.389596][ T5273] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 93.397558][ T5273] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 93.405520][ T5273] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 93.413674][ T5273] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 93.421725][ T5273] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 93.429704][ T5273] [ 93.434523][ T5273] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5272] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5272] close(3) = 0 [pid 5272] mkdir("./file0", 0777) = 0 [pid 5272] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5272] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5272] chdir("./file0") = 0 [pid 5272] ioctl(6, LOOP_CLR_FD) = 0 [pid 5272] close(6) = 0 [pid 5272] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5272] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5273] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 93.444313][ T5272] loop0: detected capacity change from 0 to 4096 [ 93.457957][ T5272] ntfs: volume version 12.0. [pid 5273] munmap(0x7f7936b10000, 2097152) = 0 [pid 5273] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5273] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5273] ioctl(6, LOOP_CLR_FD) = 0 [pid 5273] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5273] close(6) = 0 [pid 5273] close(5) = 0 [pid 5273] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5273] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5271] <... futex resumed>) = 0 [pid 5271] exit_group(0 [pid 5272] <... futex resumed>) = ? [pid 5273] <... futex resumed>) = ? [pid 5273] +++ exited with 0 +++ [pid 5272] +++ exited with 0 +++ [pid 5271] <... exit_group resumed>) = ? [pid 5271] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5271, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=12 /* 0.12 s */} --- umount2("./79", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./79", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./79/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./79/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./79/binderfs") = 0 umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./79/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./79/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./79/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./79") = 0 mkdir("./80", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5274 ./strace-static-x86_64: Process 5274 attached [pid 5274] set_robust_list(0x555555f176a0, 24) = 0 [pid 5274] chdir("./80") = 0 [pid 5274] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5274] setpgid(0, 0) = 0 [pid 5274] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5274] write(3, "1000", 4) = 4 [pid 5274] close(3) = 0 [pid 5274] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5274] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5274] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5274] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5274] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5274] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5274] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5274] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5275 attached [pid 5275] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5274] <... clone3 resumed> => {parent_tid=[5275]}, 88) = 5275 [pid 5275] <... rseq resumed>) = 0 [pid 5275] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5275] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5275] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5274] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5274] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5275] <... futex resumed>) = 0 [pid 5274] <... futex resumed>) = 1 [pid 5274] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5274] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5274] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5275] memfd_create("syzkaller", 0) = 3 [pid 5274] <... mprotect resumed>) = 0 [pid 5275] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5274] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5274] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5276 attached => {parent_tid=[5276]}, 88) = 5276 [pid 5276] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5274] rt_sigprocmask(SIG_SETMASK, [], [pid 5276] <... rseq resumed>) = 0 [pid 5274] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5276] set_robust_list(0x7f79473309a0, 24 [pid 5274] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5276] <... set_robust_list resumed>) = 0 [pid 5274] <... futex resumed>) = 0 [pid 5276] rt_sigprocmask(SIG_SETMASK, [], [pid 5274] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5276] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5276] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5276] write(4, "85", 2) = 2 [pid 5276] memfd_create("syzkaller", 0) = 5 [pid 5276] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5275] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 93.630652][ T5276] FAULT_INJECTION: forcing a failure. [ 93.630652][ T5276] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 93.644447][ T5276] CPU: 0 PID: 5276 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 93.654894][ T5276] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 93.665079][ T5276] Call Trace: [ 93.668370][ T5276] [ 93.671297][ T5276] dump_stack_lvl+0x1e7/0x2d0 [ 93.675973][ T5276] ? nf_tcp_handle_invalid+0x650/0x650 [ 93.681854][ T5276] ? panic+0x770/0x770 [ 93.685928][ T5276] should_fail_ex+0x3aa/0x4e0 [ 93.690618][ T5276] prepare_alloc_pages+0x1d9/0x5b0 [ 93.695734][ T5276] __alloc_pages+0x165/0x670 [ 93.700344][ T5276] ? zone_statistics+0x170/0x170 [ 93.705293][ T5276] ? verify_lock_unused+0x140/0x140 [ 93.710486][ T5276] ? handle_mm_fault+0x11d/0x62b0 [ 93.715506][ T5276] ? __lock_acquire+0x7f70/0x7f70 [ 93.720524][ T5276] ? pte_offset_map_nolock+0x137/0x1e0 [ 93.725983][ T5276] __folio_alloc+0x13/0x30 [ 93.730397][ T5276] vma_alloc_folio+0x48a/0x9a0 [ 93.735161][ T5276] handle_mm_fault+0x2376/0x62b0 [ 93.740106][ T5276] ? handle_mm_fault+0x11d/0x62b0 [ 93.745133][ T5276] ? numa_migrate_prep+0x380/0x380 [ 93.750250][ T5276] ? mtree_range_walk+0x6a0/0x7e0 [ 93.755279][ T5276] ? lock_vma_under_rcu+0x187/0x6f0 [ 93.760477][ T5276] ? __lock_acquire+0x7f70/0x7f70 [ 93.765495][ T5276] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 93.770702][ T5276] ? lock_vma_under_rcu+0x5df/0x6f0 [ 93.775909][ T5276] ? lock_vma_under_rcu+0x187/0x6f0 [ 93.781110][ T5276] ? exc_page_fault+0x10f/0x860 [ 93.786045][ T5276] exc_page_fault+0x455/0x860 [ 93.790985][ T5276] asm_exc_page_fault+0x26/0x30 [ 93.795837][ T5276] RIP: 0033:0x7f794735bc53 [ 93.800253][ T5276] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 93.819856][ T5276] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5275] munmap(0x7f793ef10000, 2097152) = 0 [ 93.826529][ T5276] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 93.834492][ T5276] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 93.842458][ T5276] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 93.850432][ T5276] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 93.858410][ T5276] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 93.866510][ T5276] [ 93.871711][ T5276] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5275] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5275] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5275] close(3) = 0 [pid 5275] mkdir("./file0", 0777) = 0 [pid 5275] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5276] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5275] <... mount resumed>) = 0 [pid 5275] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5275] chdir("./file0") = 0 [pid 5275] ioctl(6, LOOP_CLR_FD) = 0 [pid 5275] close(6) = 0 [pid 5275] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5276] <... write resumed>) = 2097152 [pid 5276] munmap(0x7f7936b10000, 2097152) = 0 [pid 5276] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5276] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5276] ioctl(6, LOOP_CLR_FD) = 0 [pid 5276] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5276] close(6) = 0 [ 93.887677][ T5275] loop0: detected capacity change from 0 to 4096 [ 93.903080][ T5275] ntfs: volume version 12.0. [pid 5276] close(5) = 0 [pid 5276] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5276] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5274] <... futex resumed>) = 0 [pid 5274] exit_group(0 [pid 5276] <... futex resumed>) = ? [pid 5275] <... futex resumed>) = ? [pid 5274] <... exit_group resumed>) = ? [pid 5276] +++ exited with 0 +++ [pid 5275] +++ exited with 0 +++ [pid 5274] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5274, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=13 /* 0.13 s */} --- umount2("./80", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./80", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./80/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./80/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./80/binderfs") = 0 umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./80/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./80/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./80/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./80") = 0 mkdir("./81", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5277 attached , child_tidptr=0x555555f17690) = 5277 [pid 5277] set_robust_list(0x555555f176a0, 24) = 0 [pid 5277] chdir("./81") = 0 [pid 5277] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5277] setpgid(0, 0) = 0 [pid 5277] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5277] write(3, "1000", 4) = 4 [pid 5277] close(3) = 0 [pid 5277] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5277] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5277] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5277] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5277] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5277] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5277] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5277] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5278]}, 88) = 5278 [pid 5277] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5277] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5277] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5277] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5277] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5277] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5277] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5279 attached [pid 5279] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5277] <... clone3 resumed> => {parent_tid=[5279]}, 88) = 5279 ./strace-static-x86_64: Process 5278 attached [pid 5279] <... rseq resumed>) = 0 [pid 5277] rt_sigprocmask(SIG_SETMASK, [], [pid 5278] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5279] set_robust_list(0x7f79473309a0, 24 [pid 5278] <... rseq resumed>) = 0 [pid 5277] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5279] <... set_robust_list resumed>) = 0 [pid 5278] set_robust_list(0x7f79473519a0, 24 [pid 5277] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5279] rt_sigprocmask(SIG_SETMASK, [], [pid 5277] <... futex resumed>) = 0 [pid 5279] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5277] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5278] <... set_robust_list resumed>) = 0 [pid 5278] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5279] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5278] memfd_create("syzkaller", 0) = 4 [pid 5279] <... openat resumed>) = 3 [pid 5278] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5279] write(3, "85", 2 [pid 5278] <... mmap resumed>) = 0x7f793ef10000 [pid 5279] <... write resumed>) = 2 [pid 5279] memfd_create("syzkaller", 0) = 5 [pid 5279] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 94.009711][ T5279] FAULT_INJECTION: forcing a failure. [ 94.009711][ T5279] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 94.023996][ T5279] CPU: 0 PID: 5279 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 94.034421][ T5279] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 94.044471][ T5279] Call Trace: [ 94.047749][ T5279] [ 94.050677][ T5279] dump_stack_lvl+0x1e7/0x2d0 [ 94.055354][ T5279] ? nf_tcp_handle_invalid+0x650/0x650 [ 94.060805][ T5279] ? panic+0x770/0x770 [ 94.064878][ T5279] should_fail_ex+0x3aa/0x4e0 [ 94.069555][ T5279] prepare_alloc_pages+0x1d9/0x5b0 [ 94.074673][ T5279] __alloc_pages+0x165/0x670 [ 94.079271][ T5279] ? zone_statistics+0x170/0x170 [ 94.084210][ T5279] ? verify_lock_unused+0x140/0x140 [ 94.089403][ T5279] ? handle_mm_fault+0x11d/0x62b0 [ 94.094517][ T5279] ? __lock_acquire+0x7f70/0x7f70 [ 94.099532][ T5279] ? pte_offset_map_nolock+0x137/0x1e0 [ 94.104990][ T5279] __folio_alloc+0x13/0x30 [ 94.109404][ T5279] vma_alloc_folio+0x48a/0x9a0 [ 94.114171][ T5279] handle_mm_fault+0x2376/0x62b0 [ 94.119220][ T5279] ? handle_mm_fault+0x11d/0x62b0 [ 94.124273][ T5279] ? numa_migrate_prep+0x380/0x380 [ 94.129402][ T5279] ? mtree_range_walk+0x6a0/0x7e0 [ 94.134435][ T5279] ? lock_vma_under_rcu+0x187/0x6f0 [ 94.139646][ T5279] ? __lock_acquire+0x7f70/0x7f70 [ 94.144672][ T5279] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 94.150056][ T5279] ? lock_vma_under_rcu+0x5df/0x6f0 [ 94.155339][ T5279] ? lock_vma_under_rcu+0x187/0x6f0 [ 94.160546][ T5279] ? exc_page_fault+0x10f/0x860 [ 94.165394][ T5279] exc_page_fault+0x455/0x860 [ 94.170075][ T5279] asm_exc_page_fault+0x26/0x30 [ 94.175701][ T5279] RIP: 0033:0x7f794735bc53 [ 94.180110][ T5279] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 94.199885][ T5279] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5279] munmap(0x7f7936b10000, 138412032) = 0 [pid 5278] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5279] close(5) = 0 [pid 5279] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5277] <... futex resumed>) = 0 [pid 5279] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5278] <... write resumed>) = 2097152 [pid 5278] munmap(0x7f793ef10000, 2097152) = 0 [pid 5278] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 94.206037][ T5279] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 94.213999][ T5279] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 94.221976][ T5279] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 94.230057][ T5279] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 94.238022][ T5279] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 94.245997][ T5279] [ 94.249279][ T5279] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5278] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5278] close(4) = 0 [pid 5278] mkdir("./file0", 0777) = 0 [pid 5278] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5278] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5278] chdir("./file0") = 0 [pid 5278] ioctl(5, LOOP_CLR_FD) = 0 [pid 5278] close(5) = 0 [pid 5278] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5277] exit_group(0 [pid 5279] <... futex resumed>) = ? [pid 5277] <... exit_group resumed>) = ? [pid 5279] +++ exited with 0 +++ [pid 5278] +++ exited with 0 +++ [pid 5277] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5277, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- umount2("./81", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./81", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./81/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./81/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./81/binderfs") = 0 umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./81/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./81/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./81/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 [ 94.286403][ T5278] loop0: detected capacity change from 0 to 4096 [ 94.300234][ T5278] ntfs: volume version 12.0. rmdir("./81") = 0 mkdir("./82", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5280 attached , child_tidptr=0x555555f17690) = 5280 [pid 5280] set_robust_list(0x555555f176a0, 24) = 0 [pid 5280] chdir("./82") = 0 [pid 5280] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5280] setpgid(0, 0) = 0 [pid 5280] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5280] write(3, "1000", 4) = 4 [pid 5280] close(3) = 0 [pid 5280] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5280] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5280] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5280] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5280] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5280] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5280] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5280] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5281 attached [pid 5281] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5280] <... clone3 resumed> => {parent_tid=[5281]}, 88) = 5281 [pid 5281] <... rseq resumed>) = 0 [pid 5281] set_robust_list(0x7f79473519a0, 24 [pid 5280] rt_sigprocmask(SIG_SETMASK, [], [pid 5281] <... set_robust_list resumed>) = 0 [pid 5280] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5281] rt_sigprocmask(SIG_SETMASK, [], [pid 5280] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5281] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5280] <... futex resumed>) = 0 [pid 5280] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5281] memfd_create("syzkaller", 0) = 3 [pid 5280] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5281] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5280] <... mmap resumed>) = 0x7f7947310000 [pid 5281] <... mmap resumed>) = 0x7f793ef10000 [pid 5280] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5280] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5280] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5282 attached [pid 5282] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5282] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5280] <... clone3 resumed> => {parent_tid=[5282]}, 88) = 5282 [pid 5282] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5280] rt_sigprocmask(SIG_SETMASK, [], [pid 5282] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5280] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5282] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5280] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5282] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5280] <... futex resumed>) = 0 [pid 5280] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5282] <... openat resumed>) = 4 [pid 5282] write(4, "85", 2) = 2 [pid 5282] memfd_create("syzkaller", 0) = 5 [pid 5282] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 94.408421][ T5282] FAULT_INJECTION: forcing a failure. [ 94.408421][ T5282] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 94.422860][ T5282] CPU: 0 PID: 5282 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 94.433417][ T5282] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 94.443482][ T5282] Call Trace: [ 94.446755][ T5282] [ 94.449680][ T5282] dump_stack_lvl+0x1e7/0x2d0 [ 94.454368][ T5282] ? nf_tcp_handle_invalid+0x650/0x650 [ 94.459842][ T5282] ? panic+0x770/0x770 [ 94.463946][ T5282] should_fail_ex+0x3aa/0x4e0 [ 94.468724][ T5282] prepare_alloc_pages+0x1d9/0x5b0 [ 94.473843][ T5282] __alloc_pages+0x165/0x670 [ 94.478450][ T5282] ? zone_statistics+0x170/0x170 [ 94.483391][ T5282] ? verify_lock_unused+0x140/0x140 [ 94.488584][ T5282] ? handle_mm_fault+0x11d/0x62b0 [ 94.493604][ T5282] ? __lock_acquire+0x7f70/0x7f70 [ 94.498617][ T5282] ? pte_offset_map_nolock+0x137/0x1e0 [ 94.504072][ T5282] __folio_alloc+0x13/0x30 [ 94.508484][ T5282] vma_alloc_folio+0x48a/0x9a0 [ 94.513245][ T5282] handle_mm_fault+0x2376/0x62b0 [ 94.518185][ T5282] ? handle_mm_fault+0x11d/0x62b0 [ 94.523209][ T5282] ? numa_migrate_prep+0x380/0x380 [ 94.528331][ T5282] ? mtree_range_walk+0x6a0/0x7e0 [ 94.533366][ T5282] ? lock_vma_under_rcu+0x187/0x6f0 [ 94.538557][ T5282] ? __lock_acquire+0x7f70/0x7f70 [ 94.543570][ T5282] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 94.548780][ T5282] ? lock_vma_under_rcu+0x5df/0x6f0 [ 94.553975][ T5282] ? lock_vma_under_rcu+0x187/0x6f0 [ 94.559178][ T5282] ? exc_page_fault+0x10f/0x860 [ 94.564026][ T5282] exc_page_fault+0x455/0x860 [ 94.568702][ T5282] asm_exc_page_fault+0x26/0x30 [ 94.573544][ T5282] RIP: 0033:0x7f794735bc53 [ 94.577952][ T5282] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 94.597551][ T5282] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5281] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5281] munmap(0x7f793ef10000, 2097152) = 0 [pid 5281] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 94.603615][ T5282] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 94.611578][ T5282] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 94.619541][ T5282] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 94.627502][ T5282] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 94.635552][ T5282] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 94.643525][ T5282] [pid 5281] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5281] close(3) = 0 [pid 5281] mkdir("./file0", 0777) = 0 [pid 5281] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5282] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5281] <... mount resumed>) = 0 [pid 5281] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5281] chdir("./file0") = 0 [pid 5281] ioctl(6, LOOP_CLR_FD) = 0 [pid 5281] close(6) = 0 [pid 5281] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5281] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5282] <... write resumed>) = 2097152 [ 94.657671][ T5281] loop0: detected capacity change from 0 to 4096 [ 94.674938][ T5281] ntfs: volume version 12.0. [pid 5282] munmap(0x7f7936b10000, 2097152) = 0 [pid 5282] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5282] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5282] ioctl(6, LOOP_CLR_FD) = 0 [pid 5282] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5282] close(6) = 0 [pid 5282] close(5) = 0 [pid 5282] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5280] <... futex resumed>) = 0 [pid 5280] exit_group(0 [pid 5281] <... futex resumed>) = ? [pid 5280] <... exit_group resumed>) = ? [pid 5281] +++ exited with 0 +++ [pid 5282] <... futex resumed>) = ? [pid 5282] +++ exited with 0 +++ [pid 5280] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5280, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=13 /* 0.13 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./82", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./82", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./82/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./82/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./82/binderfs") = 0 umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./82/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./82/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./82/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./82") = 0 mkdir("./83", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5283 attached , child_tidptr=0x555555f17690) = 5283 [pid 5283] set_robust_list(0x555555f176a0, 24) = 0 [pid 5283] chdir("./83") = 0 [pid 5283] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5283] setpgid(0, 0) = 0 [pid 5283] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5283] write(3, "1000", 4) = 4 [pid 5283] close(3) = 0 [pid 5283] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5283] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5283] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5283] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5283] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5283] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5283] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5283] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5284 attached => {parent_tid=[5284]}, 88) = 5284 [pid 5284] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5283] rt_sigprocmask(SIG_SETMASK, [], [pid 5284] <... rseq resumed>) = 0 [pid 5283] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5284] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5283] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5284] rt_sigprocmask(SIG_SETMASK, [], [pid 5283] <... futex resumed>) = 0 [pid 5284] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5283] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5284] memfd_create("syzkaller", 0 [pid 5283] <... futex resumed>) = 0 [pid 5283] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5283] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5283] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5283] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5285 attached [pid 5284] <... memfd_create resumed>) = 3 [pid 5284] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5283] <... clone3 resumed> => {parent_tid=[5285]}, 88) = 5285 [pid 5285] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5284] <... mmap resumed>) = 0x7f793ef10000 [pid 5285] <... rseq resumed>) = 0 [pid 5285] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5285] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5285] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5283] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5283] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5285] <... futex resumed>) = 0 [pid 5283] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5285] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5284] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5285] write(4, "85", 2) = 2 [pid 5285] memfd_create("syzkaller", 0) = 5 [pid 5285] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5284] <... write resumed>) = 2097152 [ 94.836946][ T5285] FAULT_INJECTION: forcing a failure. [ 94.836946][ T5285] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 94.850240][ T5285] CPU: 1 PID: 5285 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 94.860643][ T5285] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 94.870692][ T5285] Call Trace: [ 94.873966][ T5285] [ 94.876888][ T5285] dump_stack_lvl+0x1e7/0x2d0 [ 94.881563][ T5285] ? nf_tcp_handle_invalid+0x650/0x650 [ 94.887032][ T5285] ? panic+0x770/0x770 [ 94.891117][ T5285] should_fail_ex+0x3aa/0x4e0 [ 94.895819][ T5285] prepare_alloc_pages+0x1d9/0x5b0 [ 94.900946][ T5285] __alloc_pages+0x165/0x670 [ 94.905539][ T5285] ? zone_statistics+0x170/0x170 [ 94.910479][ T5285] ? verify_lock_unused+0x140/0x140 [ 94.915675][ T5285] ? handle_mm_fault+0x11d/0x62b0 [ 94.920700][ T5285] ? __lock_acquire+0x7f70/0x7f70 [ 94.925718][ T5285] ? pte_offset_map_nolock+0x137/0x1e0 [ 94.931221][ T5285] __folio_alloc+0x13/0x30 [ 94.935639][ T5285] vma_alloc_folio+0x48a/0x9a0 [ 94.940426][ T5285] handle_mm_fault+0x2376/0x62b0 [ 94.945390][ T5285] ? handle_mm_fault+0x11d/0x62b0 [ 94.950425][ T5285] ? numa_migrate_prep+0x380/0x380 [ 94.955544][ T5285] ? mtree_range_walk+0x6a0/0x7e0 [ 94.960571][ T5285] ? lock_vma_under_rcu+0x187/0x6f0 [ 94.965769][ T5285] ? __lock_acquire+0x7f70/0x7f70 [ 94.970791][ T5285] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 94.975995][ T5285] ? lock_vma_under_rcu+0x5df/0x6f0 [ 94.981187][ T5285] ? lock_vma_under_rcu+0x187/0x6f0 [ 94.987430][ T5285] ? exc_page_fault+0x10f/0x860 [ 94.992273][ T5285] exc_page_fault+0x455/0x860 [ 94.996950][ T5285] asm_exc_page_fault+0x26/0x30 [ 95.001795][ T5285] RIP: 0033:0x7f794735bc53 [ 95.006204][ T5285] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 95.025992][ T5285] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5284] munmap(0x7f793ef10000, 2097152) = 0 [pid 5284] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 95.032051][ T5285] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 95.040017][ T5285] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 95.047978][ T5285] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 95.055944][ T5285] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 95.063905][ T5285] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 95.071881][ T5285] [pid 5284] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5284] close(3) = 0 [pid 5284] mkdir("./file0", 0777) = 0 [pid 5284] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5285] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5284] <... mount resumed>) = 0 [pid 5284] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5284] chdir("./file0") = 0 [pid 5284] ioctl(6, LOOP_CLR_FD) = 0 [pid 5284] close(6) = 0 [pid 5284] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5285] <... write resumed>) = 2097152 [pid 5285] munmap(0x7f7936b10000, 2097152 [pid 5284] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5285] <... munmap resumed>) = 0 [pid 5285] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5285] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5285] ioctl(6, LOOP_CLR_FD) = 0 [pid 5285] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5285] close(6) = 0 [ 95.085351][ T5284] loop0: detected capacity change from 0 to 4096 [ 95.103837][ T5284] ntfs: volume version 12.0. [pid 5285] close(5) = 0 [pid 5285] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5285] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5283] <... futex resumed>) = 0 [pid 5283] exit_group(0) = ? [pid 5284] <... futex resumed>) = ? [pid 5285] <... futex resumed>) = ? [pid 5285] +++ exited with 0 +++ [pid 5284] +++ exited with 0 +++ [pid 5283] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5283, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./83", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./83", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./83/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./83/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./83/binderfs") = 0 umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./83/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./83/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./83/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./83") = 0 mkdir("./84", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5286 attached , child_tidptr=0x555555f17690) = 5286 [pid 5286] set_robust_list(0x555555f176a0, 24) = 0 [pid 5286] chdir("./84") = 0 [pid 5286] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5286] setpgid(0, 0) = 0 [pid 5286] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5286] write(3, "1000", 4) = 4 [pid 5286] close(3) = 0 [pid 5286] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5286] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5286] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5286] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5286] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5286] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5286] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5286] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5287]}, 88) = 5287 [pid 5286] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5286] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5286] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5286] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5286] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5286] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5286] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5288 attached [pid 5288] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5288] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5286] <... clone3 resumed> => {parent_tid=[5288]}, 88) = 5288 [pid 5288] rt_sigprocmask(SIG_SETMASK, [], [pid 5286] rt_sigprocmask(SIG_SETMASK, [], [pid 5288] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5286] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5288] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5286] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5288] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5286] <... futex resumed>) = 0 [pid 5286] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5288] <... openat resumed>) = 3 [pid 5288] write(3, "85", 2) = 2 [pid 5288] memfd_create("syzkaller", 0) = 4 [pid 5288] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 ./strace-static-x86_64: Process 5287 attached [pid 5287] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5287] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5287] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5287] memfd_create("syzkaller", 0) = 5 [pid 5287] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 95.233013][ T5288] FAULT_INJECTION: forcing a failure. [ 95.233013][ T5288] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 95.246467][ T5288] CPU: 0 PID: 5288 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 95.256892][ T5288] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 95.267112][ T5288] Call Trace: [ 95.270388][ T5288] [ 95.273311][ T5288] dump_stack_lvl+0x1e7/0x2d0 [ 95.277990][ T5288] ? nf_tcp_handle_invalid+0x650/0x650 [ 95.283962][ T5288] ? panic+0x770/0x770 [ 95.288033][ T5288] should_fail_ex+0x3aa/0x4e0 [ 95.292886][ T5288] prepare_alloc_pages+0x1d9/0x5b0 [ 95.298004][ T5288] __alloc_pages+0x165/0x670 [ 95.302589][ T5288] ? zone_statistics+0x170/0x170 [ 95.307525][ T5288] ? verify_lock_unused+0x140/0x140 [ 95.312718][ T5288] ? handle_mm_fault+0x11d/0x62b0 [ 95.317745][ T5288] ? __lock_acquire+0x7f70/0x7f70 [ 95.322846][ T5288] ? pte_offset_map_nolock+0x137/0x1e0 [ 95.328302][ T5288] __folio_alloc+0x13/0x30 [ 95.332764][ T5288] vma_alloc_folio+0x48a/0x9a0 [ 95.337535][ T5288] handle_mm_fault+0x2376/0x62b0 [ 95.342476][ T5288] ? handle_mm_fault+0x11d/0x62b0 [ 95.347503][ T5288] ? numa_migrate_prep+0x380/0x380 [ 95.352619][ T5288] ? mtree_range_walk+0x6a0/0x7e0 [ 95.357731][ T5288] ? lock_vma_under_rcu+0x187/0x6f0 [ 95.362931][ T5288] ? __lock_acquire+0x7f70/0x7f70 [ 95.367951][ T5288] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 95.373155][ T5288] ? lock_vma_under_rcu+0x5df/0x6f0 [ 95.378349][ T5288] ? lock_vma_under_rcu+0x187/0x6f0 [ 95.383658][ T5288] ? exc_page_fault+0x10f/0x860 [ 95.388507][ T5288] exc_page_fault+0x455/0x860 [ 95.393641][ T5288] asm_exc_page_fault+0x26/0x30 [ 95.398580][ T5288] RIP: 0033:0x7f794735bc53 [ 95.403007][ T5288] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 95.422612][ T5288] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [ 95.428678][ T5288] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 95.436654][ T5288] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 95.444879][ T5288] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 95.452964][ T5288] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 95.460935][ T5288] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 95.468913][ T5288] [ 95.473464][ T5288] pagefault_out_of_memory: 2 callbacks suppressed [pid 5287] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5288] munmap(0x7f793ef10000, 138412032) = 0 [pid 5288] close(4) = 0 [pid 5288] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5288] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5286] <... futex resumed>) = 0 [pid 5287] <... write resumed>) = 2097152 [pid 5287] munmap(0x7f7936b10000, 2097152) = 0 [pid 5287] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 95.473478][ T5288] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5287] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5287] close(5) = 0 [pid 5287] mkdir("./file0", 0777) = 0 [pid 5287] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5287] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5287] chdir("./file0") = 0 [pid 5287] ioctl(4, LOOP_CLR_FD) = 0 [pid 5287] close(4) = 0 [pid 5287] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5286] exit_group(0 [pid 5287] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5288] <... futex resumed>) = ? [pid 5287] <... futex resumed>) = ? [pid 5286] <... exit_group resumed>) = ? [pid 5287] +++ exited with 0 +++ [pid 5288] +++ exited with 0 +++ [pid 5286] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5286, si_uid=0, si_status=0, si_utime=0, si_stime=34 /* 0.34 s */} --- umount2("./84", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./84", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./84/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./84/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./84/binderfs") = 0 umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./84/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./84/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./84/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./84") = 0 mkdir("./85", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5289 ./strace-static-x86_64: Process 5289 attached [pid 5289] set_robust_list(0x555555f176a0, 24) = 0 [ 95.519523][ T5287] loop0: detected capacity change from 0 to 4096 [ 95.542784][ T5287] ntfs: volume version 12.0. [pid 5289] chdir("./85") = 0 [pid 5289] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5289] setpgid(0, 0) = 0 [pid 5289] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5289] write(3, "1000", 4) = 4 [pid 5289] close(3) = 0 [pid 5289] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5289] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5289] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5289] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5289] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5289] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5289] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5289] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5290 attached [pid 5290] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5289] <... clone3 resumed> => {parent_tid=[5290]}, 88) = 5290 [pid 5290] <... rseq resumed>) = 0 [pid 5289] rt_sigprocmask(SIG_SETMASK, [], [pid 5290] set_robust_list(0x7f79473519a0, 24 [pid 5289] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5290] <... set_robust_list resumed>) = 0 [pid 5289] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5290] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5289] <... futex resumed>) = 0 [pid 5289] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5290] memfd_create("syzkaller", 0 [pid 5289] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5290] <... memfd_create resumed>) = 3 [pid 5289] <... mmap resumed>) = 0x7f7947310000 [pid 5289] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5290] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5289] <... mprotect resumed>) = 0 [pid 5290] <... mmap resumed>) = 0x7f793ef10000 [pid 5289] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5289] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5291 attached => {parent_tid=[5291]}, 88) = 5291 [pid 5291] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5290] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5289] rt_sigprocmask(SIG_SETMASK, [], [pid 5291] <... rseq resumed>) = 0 [pid 5289] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5291] set_robust_list(0x7f79473309a0, 24 [pid 5289] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5291] <... set_robust_list resumed>) = 0 [pid 5289] <... futex resumed>) = 0 [pid 5291] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5289] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5291] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5291] write(4, "85", 2) = 2 [pid 5291] memfd_create("syzkaller", 0) = 5 [pid 5291] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5290] <... write resumed>) = 2097152 [ 95.668949][ T5291] FAULT_INJECTION: forcing a failure. [ 95.668949][ T5291] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 95.682484][ T5291] CPU: 1 PID: 5291 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 95.692949][ T5291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 95.703084][ T5291] Call Trace: [ 95.706372][ T5291] [ 95.709309][ T5291] dump_stack_lvl+0x1e7/0x2d0 [ 95.714008][ T5291] ? nf_tcp_handle_invalid+0x650/0x650 [ 95.719464][ T5291] ? panic+0x770/0x770 [ 95.723533][ T5291] should_fail_ex+0x3aa/0x4e0 [ 95.728220][ T5291] prepare_alloc_pages+0x1d9/0x5b0 [ 95.733331][ T5291] __alloc_pages+0x165/0x670 [ 95.737919][ T5291] ? zone_statistics+0x170/0x170 [ 95.743377][ T5291] ? verify_lock_unused+0x140/0x140 [ 95.748594][ T5291] ? handle_mm_fault+0x11d/0x62b0 [ 95.753618][ T5291] ? __lock_acquire+0x7f70/0x7f70 [ 95.758678][ T5291] ? pte_offset_map_nolock+0x137/0x1e0 [ 95.764138][ T5291] __folio_alloc+0x13/0x30 [ 95.768556][ T5291] vma_alloc_folio+0x48a/0x9a0 [ 95.773340][ T5291] handle_mm_fault+0x2376/0x62b0 [ 95.778280][ T5291] ? handle_mm_fault+0x11d/0x62b0 [ 95.783409][ T5291] ? numa_migrate_prep+0x380/0x380 [ 95.788605][ T5291] ? mtree_range_walk+0x6a0/0x7e0 [ 95.793636][ T5291] ? lock_vma_under_rcu+0x187/0x6f0 [ 95.798931][ T5291] ? __lock_acquire+0x7f70/0x7f70 [ 95.804049][ T5291] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 95.809248][ T5291] ? lock_vma_under_rcu+0x5df/0x6f0 [ 95.814455][ T5291] ? lock_vma_under_rcu+0x187/0x6f0 [ 95.819670][ T5291] ? exc_page_fault+0x10f/0x860 [ 95.824602][ T5291] exc_page_fault+0x455/0x860 [ 95.829298][ T5291] asm_exc_page_fault+0x26/0x30 [ 95.834146][ T5291] RIP: 0033:0x7f794735bc53 [ 95.838565][ T5291] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 95.858221][ T5291] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 95.864285][ T5291] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 95.872510][ T5291] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 95.880490][ T5291] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 95.888625][ T5291] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 95.896682][ T5291] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 95.904763][ T5291] [ 95.909417][ T5291] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5290] munmap(0x7f793ef10000, 2097152) = 0 [pid 5290] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5290] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5290] close(3) = 0 [pid 5290] mkdir("./file0", 0777) = 0 [pid 5290] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5290] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5290] chdir("./file0") = 0 [pid 5290] ioctl(6, LOOP_CLR_FD) = 0 [pid 5290] close(6) = 0 [pid 5290] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5290] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5291] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5291] munmap(0x7f7936b10000, 2097152) = 0 [pid 5291] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5291] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5291] ioctl(6, LOOP_CLR_FD) = 0 [ 95.919559][ T5290] loop0: detected capacity change from 0 to 4096 [ 95.933386][ T5290] ntfs: volume version 12.0. [pid 5291] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5291] close(6) = 0 [pid 5291] close(5) = 0 [pid 5291] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5289] <... futex resumed>) = 0 [pid 5289] exit_group(0) = ? [pid 5290] <... futex resumed>) = ? [pid 5290] +++ exited with 0 +++ [pid 5291] <... futex resumed>) = ? [pid 5291] +++ exited with 0 +++ [pid 5289] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5289, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=13 /* 0.13 s */} --- umount2("./85", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./85", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./85/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./85/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./85/binderfs") = 0 umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./85/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./85/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./85/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./85") = 0 mkdir("./86", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5292 ./strace-static-x86_64: Process 5292 attached [pid 5292] set_robust_list(0x555555f176a0, 24) = 0 [pid 5292] chdir("./86") = 0 [pid 5292] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5292] setpgid(0, 0) = 0 [pid 5292] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5292] write(3, "1000", 4) = 4 [pid 5292] close(3) = 0 [pid 5292] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5292] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5292] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5292] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5292] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5292] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5292] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5292] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5293 attached [pid 5293] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5293] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5293] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5293] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5292] <... clone3 resumed> => {parent_tid=[5293]}, 88) = 5293 [pid 5292] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5292] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5292] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5293] <... futex resumed>) = 0 [pid 5293] memfd_create("syzkaller", 0 [pid 5292] <... futex resumed>) = 0 [pid 5292] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5293] <... memfd_create resumed>) = 3 [pid 5293] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5292] <... mmap resumed>) = 0x7f793ef10000 [pid 5292] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5292] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5292] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5294 attached => {parent_tid=[5294]}, 88) = 5294 [pid 5294] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053 [pid 5292] rt_sigprocmask(SIG_SETMASK, [], [pid 5294] <... rseq resumed>) = 0 [pid 5294] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5294] rt_sigprocmask(SIG_SETMASK, [], [pid 5292] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5294] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5292] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5294] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5294] write(4, "85", 2) = 2 [pid 5294] memfd_create("syzkaller", 0) = 5 [pid 5294] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5293] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5292] <... futex resumed>) = 0 [pid 5292] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5293] <... write resumed>) = 2097152 [ 96.094179][ T5294] FAULT_INJECTION: forcing a failure. [ 96.094179][ T5294] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 96.107846][ T5294] CPU: 1 PID: 5294 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 96.118288][ T5294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 96.128369][ T5294] Call Trace: [ 96.131677][ T5294] [ 96.134625][ T5294] dump_stack_lvl+0x1e7/0x2d0 [ 96.139518][ T5294] ? nf_tcp_handle_invalid+0x650/0x650 [ 96.144975][ T5294] ? panic+0x770/0x770 [ 96.149144][ T5294] should_fail_ex+0x3aa/0x4e0 [ 96.153829][ T5294] prepare_alloc_pages+0x1d9/0x5b0 [ 96.159218][ T5294] __alloc_pages+0x165/0x670 [ 96.163807][ T5294] ? zone_statistics+0x170/0x170 [ 96.168772][ T5294] ? verify_lock_unused+0x140/0x140 [ 96.173965][ T5294] ? handle_mm_fault+0x11d/0x62b0 [ 96.178987][ T5294] ? __lock_acquire+0x7f70/0x7f70 [ 96.184004][ T5294] ? pte_offset_map_nolock+0x137/0x1e0 [ 96.189461][ T5294] __folio_alloc+0x13/0x30 [ 96.193879][ T5294] vma_alloc_folio+0x48a/0x9a0 [ 96.198644][ T5294] handle_mm_fault+0x2376/0x62b0 [ 96.203587][ T5294] ? handle_mm_fault+0x11d/0x62b0 [ 96.208617][ T5294] ? numa_migrate_prep+0x380/0x380 [ 96.213735][ T5294] ? mtree_range_walk+0x6a0/0x7e0 [ 96.218763][ T5294] ? lock_vma_under_rcu+0x187/0x6f0 [ 96.224046][ T5294] ? __lock_acquire+0x7f70/0x7f70 [ 96.229063][ T5294] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 96.234270][ T5294] ? lock_vma_under_rcu+0x5df/0x6f0 [ 96.239550][ T5294] ? lock_vma_under_rcu+0x187/0x6f0 [ 96.244755][ T5294] ? exc_page_fault+0x10f/0x860 [ 96.249605][ T5294] exc_page_fault+0x455/0x860 [ 96.254286][ T5294] asm_exc_page_fault+0x26/0x30 [ 96.259146][ T5294] RIP: 0033:0x7f794735bc53 [ 96.263648][ T5294] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 96.283248][ T5294] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5293] munmap(0x7f793ef31000, 2097152) = 0 [pid 5293] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 96.289310][ T5294] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 96.297274][ T5294] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 96.305237][ T5294] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 96.313287][ T5294] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 96.321257][ T5294] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 96.329235][ T5294] [ 96.332764][ T5294] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5293] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5293] close(3) = 0 [pid 5293] mkdir("./file0", 0777) = 0 [pid 5293] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5293] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5293] chdir("./file0") = 0 [pid 5293] ioctl(6, LOOP_CLR_FD) = 0 [pid 5293] close(6) = 0 [pid 5293] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5293] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [ 96.348777][ T5293] loop0: detected capacity change from 0 to 4096 [ 96.363486][ T5293] ntfs: volume version 12.0. [pid 5294] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5294] munmap(0x7f7936b10000, 2097152) = 0 [pid 5294] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5294] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5294] ioctl(6, LOOP_CLR_FD) = 0 [pid 5294] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5294] close(6) = 0 [pid 5294] close(5) = 0 [pid 5294] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5292] <... futex resumed>) = 0 [pid 5292] exit_group(0) = ? [pid 5293] <... futex resumed>) = ? [pid 5294] <... futex resumed>) = ? [pid 5293] +++ exited with 0 +++ [pid 5294] +++ exited with 0 +++ [pid 5292] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5292, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=34 /* 0.34 s */} --- umount2("./86", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./86", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./86/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./86/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./86/binderfs") = 0 umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./86/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./86/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./86/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./86") = 0 mkdir("./87", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5295 attached , child_tidptr=0x555555f17690) = 5295 [pid 5295] set_robust_list(0x555555f176a0, 24) = 0 [pid 5295] chdir("./87") = 0 [pid 5295] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5295] setpgid(0, 0) = 0 [pid 5295] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5295] write(3, "1000", 4) = 4 [pid 5295] close(3) = 0 [pid 5295] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5295] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5295] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5295] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5295] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5295] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5295] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5295] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5296 attached => {parent_tid=[5296]}, 88) = 5296 [pid 5296] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5295] rt_sigprocmask(SIG_SETMASK, [], [pid 5296] <... rseq resumed>) = 0 [pid 5295] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5296] set_robust_list(0x7f79473519a0, 24 [pid 5295] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5296] <... set_robust_list resumed>) = 0 [pid 5295] <... futex resumed>) = 0 [pid 5296] rt_sigprocmask(SIG_SETMASK, [], [pid 5295] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5296] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5295] <... futex resumed>) = 0 [pid 5295] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5296] memfd_create("syzkaller", 0 [pid 5295] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5296] <... memfd_create resumed>) = 3 [pid 5295] <... mprotect resumed>) = 0 [pid 5296] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5295] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5295] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5297 attached [pid 5297] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5297] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5297] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5297] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5295] <... clone3 resumed> => {parent_tid=[5297]}, 88) = 5297 [pid 5295] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5295] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5297] <... futex resumed>) = 0 [pid 5297] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5297] write(4, "85", 2) = 2 [pid 5295] <... futex resumed>) = 1 [pid 5297] memfd_create("syzkaller", 0 [pid 5295] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5297] <... memfd_create resumed>) = 5 [pid 5297] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 96.539479][ T5297] FAULT_INJECTION: forcing a failure. [ 96.539479][ T5297] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 96.553707][ T5297] CPU: 0 PID: 5297 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 96.564395][ T5297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 96.574471][ T5297] Call Trace: [ 96.577750][ T5297] [ 96.580670][ T5297] dump_stack_lvl+0x1e7/0x2d0 [ 96.585338][ T5297] ? nf_tcp_handle_invalid+0x650/0x650 [ 96.590794][ T5297] ? panic+0x770/0x770 [ 96.594856][ T5297] should_fail_ex+0x3aa/0x4e0 [ 96.599524][ T5297] prepare_alloc_pages+0x1d9/0x5b0 [ 96.604653][ T5297] __alloc_pages+0x165/0x670 [ 96.609291][ T5297] ? zone_statistics+0x170/0x170 [ 96.614265][ T5297] ? verify_lock_unused+0x140/0x140 [ 96.619550][ T5297] ? handle_mm_fault+0x11d/0x62b0 [ 96.624576][ T5297] ? __lock_acquire+0x7f70/0x7f70 [ 96.629593][ T5297] ? pte_offset_map_nolock+0x137/0x1e0 [ 96.635058][ T5297] __folio_alloc+0x13/0x30 [ 96.639574][ T5297] vma_alloc_folio+0x48a/0x9a0 [ 96.644340][ T5297] handle_mm_fault+0x2376/0x62b0 [ 96.649283][ T5297] ? handle_mm_fault+0x11d/0x62b0 [ 96.654312][ T5297] ? numa_migrate_prep+0x380/0x380 [ 96.659429][ T5297] ? mtree_range_walk+0x6a0/0x7e0 [ 96.664452][ T5297] ? lock_vma_under_rcu+0x187/0x6f0 [ 96.669650][ T5297] ? __lock_acquire+0x7f70/0x7f70 [ 96.674671][ T5297] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 96.679875][ T5297] ? lock_vma_under_rcu+0x5df/0x6f0 [ 96.685078][ T5297] ? lock_vma_under_rcu+0x187/0x6f0 [ 96.690558][ T5297] ? exc_page_fault+0x10f/0x860 [ 96.695408][ T5297] exc_page_fault+0x455/0x860 [ 96.700090][ T5297] asm_exc_page_fault+0x26/0x30 [ 96.705021][ T5297] RIP: 0033:0x7f794735bc53 [ 96.709446][ T5297] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 96.729051][ T5297] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5296] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5296] munmap(0x7f793ef10000, 2097152) = 0 [pid 5296] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 96.735117][ T5297] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 96.743079][ T5297] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 96.751048][ T5297] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 96.759276][ T5297] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 96.767256][ T5297] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 96.775246][ T5297] [ 96.782758][ T5297] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5296] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5296] close(3) = 0 [pid 5297] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5296] mkdir("./file0", 0777) = 0 [pid 5296] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5297] <... write resumed>) = 2097152 [ 96.786144][ T5296] loop0: detected capacity change from 0 to 4096 [ 96.815572][ T5296] __ntfs_error: 242 callbacks suppressed [ 96.815589][ T5296] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [pid 5297] munmap(0x7f7936b10000, 2097152) = 0 [pid 5297] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5297] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5297] ioctl(3, LOOP_CLR_FD) = 0 [pid 5297] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5297] close(3) = 0 [pid 5297] close(5) = 0 [pid 5297] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5295] <... futex resumed>) = 0 [pid 5297] <... futex resumed>) = 1 [ 96.832543][ T5296] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [ 96.846164][ T5296] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 96.869683][ T5296] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 96.879824][ T5296] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 96.888561][ T5296] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 96.902019][ T5296] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 96.914824][ T5296] ntfs: volume version 12.0. [ 96.919809][ T5296] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [pid 5297] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5296] <... mount resumed>) = 0 [pid 5296] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5296] chdir("./file0") = 0 [pid 5296] ioctl(6, LOOP_CLR_FD) = 0 [pid 5296] close(6) = 0 [pid 5296] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5295] exit_group(0) = ? [pid 5296] +++ exited with 0 +++ [pid 5297] <... futex resumed>) = ? [pid 5297] +++ exited with 0 +++ [pid 5295] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5295, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=26 /* 0.26 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./87", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./87", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./87/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./87/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./87/binderfs") = 0 umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./87/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./87/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./87/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./87") = 0 [ 96.928326][ T5296] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 96.941936][ T5296] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. mkdir("./88", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5298 attached , child_tidptr=0x555555f17690) = 5298 [pid 5298] set_robust_list(0x555555f176a0, 24) = 0 [pid 5298] chdir("./88") = 0 [pid 5298] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5298] setpgid(0, 0) = 0 [pid 5298] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5298] write(3, "1000", 4) = 4 [pid 5298] close(3) = 0 [pid 5298] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5298] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5298] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5298] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5298] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5298] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5298] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5298] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5299 attached [pid 5299] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5298] <... clone3 resumed> => {parent_tid=[5299]}, 88) = 5299 [pid 5299] set_robust_list(0x7f79473519a0, 24 [pid 5298] rt_sigprocmask(SIG_SETMASK, [], [pid 5299] <... set_robust_list resumed>) = 0 [pid 5298] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5299] rt_sigprocmask(SIG_SETMASK, [], [pid 5298] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5299] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5298] <... futex resumed>) = 0 [pid 5299] memfd_create("syzkaller", 0 [pid 5298] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5298] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5298] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5298] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5298] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5300]}, 88) = 5300 [pid 5298] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5299] <... memfd_create resumed>) = 3 [pid 5298] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5299] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5298] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5300 attached [pid 5300] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5300] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5300] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5300] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5300] write(4, "85", 2) = 2 [pid 5300] memfd_create("syzkaller", 0) = 5 [pid 5300] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5299] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 97.047482][ T5300] FAULT_INJECTION: forcing a failure. [ 97.047482][ T5300] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 97.061006][ T5300] CPU: 0 PID: 5300 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 97.071442][ T5300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 97.081512][ T5300] Call Trace: [ 97.084796][ T5300] [ 97.087719][ T5300] dump_stack_lvl+0x1e7/0x2d0 [ 97.092391][ T5300] ? nf_tcp_handle_invalid+0x650/0x650 [ 97.097851][ T5300] ? panic+0x770/0x770 [ 97.101963][ T5300] should_fail_ex+0x3aa/0x4e0 [ 97.106664][ T5300] prepare_alloc_pages+0x1d9/0x5b0 [ 97.111773][ T5300] __alloc_pages+0x165/0x670 [ 97.116363][ T5300] ? zone_statistics+0x170/0x170 [ 97.121303][ T5300] ? verify_lock_unused+0x140/0x140 [ 97.126496][ T5300] ? handle_mm_fault+0x11d/0x62b0 [ 97.131554][ T5300] ? __lock_acquire+0x7f70/0x7f70 [ 97.136571][ T5300] ? pte_offset_map_nolock+0x137/0x1e0 [ 97.142380][ T5300] __folio_alloc+0x13/0x30 [ 97.146794][ T5300] vma_alloc_folio+0x48a/0x9a0 [ 97.151564][ T5300] handle_mm_fault+0x2376/0x62b0 [ 97.156506][ T5300] ? handle_mm_fault+0x11d/0x62b0 [ 97.161531][ T5300] ? numa_migrate_prep+0x380/0x380 [ 97.166647][ T5300] ? mtree_range_walk+0x6a0/0x7e0 [ 97.171669][ T5300] ? lock_vma_under_rcu+0x187/0x6f0 [ 97.176863][ T5300] ? __lock_acquire+0x7f70/0x7f70 [ 97.181876][ T5300] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 97.187117][ T5300] ? lock_vma_under_rcu+0x5df/0x6f0 [ 97.192310][ T5300] ? lock_vma_under_rcu+0x187/0x6f0 [ 97.197526][ T5300] ? exc_page_fault+0x10f/0x860 [ 97.202460][ T5300] exc_page_fault+0x455/0x860 [ 97.207169][ T5300] asm_exc_page_fault+0x26/0x30 [ 97.212008][ T5300] RIP: 0033:0x7f794735bc53 [ 97.216414][ T5300] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 97.236012][ T5300] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5299] munmap(0x7f793ef10000, 2097152) = 0 [pid 5299] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5299] ioctl(6, LOOP_SET_FD, 3 [ 97.242070][ T5300] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 97.250035][ T5300] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 97.257995][ T5300] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 97.266221][ T5300] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 97.274182][ T5300] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 97.282159][ T5300] [ 97.289186][ T5300] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5300] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5299] <... ioctl resumed>) = 0 [pid 5299] close(3) = 0 [pid 5299] mkdir("./file0", 0777) = 0 [pid 5299] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5300] <... write resumed>) = 2097152 [pid 5300] munmap(0x7f7936b10000, 2097152 [pid 5299] <... mount resumed>) = 0 [pid 5299] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5299] chdir("./file0" [pid 5300] <... munmap resumed>) = 0 [pid 5300] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 7 [pid 5300] ioctl(7, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5300] ioctl(7, LOOP_CLR_FD) = 0 [pid 5299] <... chdir resumed>) = 0 [pid 5299] ioctl(6, LOOP_CLR_FD [pid 5300] ioctl(7, LOOP_SET_FD, 5 [pid 5299] <... ioctl resumed>) = 0 [pid 5299] close(6 [pid 5300] <... ioctl resumed>) = -1 EBUSY (Device or resource busy) [pid 5300] close(7) = 0 [pid 5300] close(5 [pid 5299] <... close resumed>) = 0 [pid 5299] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5299] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5300] <... close resumed>) = 0 [pid 5300] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5298] <... futex resumed>) = 0 [pid 5300] <... futex resumed>) = 1 [pid 5300] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5298] exit_group(0 [pid 5300] <... futex resumed>) = ? [pid 5299] <... futex resumed>) = ? [pid 5298] <... exit_group resumed>) = ? [pid 5300] +++ exited with 0 +++ [pid 5299] +++ exited with 0 +++ [pid 5298] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5298, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./88", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./88", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./88/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./88/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./88/binderfs") = 0 [ 97.317077][ T5299] loop0: detected capacity change from 0 to 4096 [ 97.334624][ T5299] ntfs: volume version 12.0. umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./88/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./88/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./88/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./88") = 0 mkdir("./89", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5302 ./strace-static-x86_64: Process 5302 attached [pid 5302] set_robust_list(0x555555f176a0, 24) = 0 [pid 5302] chdir("./89") = 0 [pid 5302] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5302] setpgid(0, 0) = 0 [pid 5302] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5302] write(3, "1000", 4) = 4 [pid 5302] close(3) = 0 [pid 5302] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5302] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5302] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5302] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5302] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5302] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5302] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5302] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5303 attached [pid 5303] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5302] <... clone3 resumed> => {parent_tid=[5303]}, 88) = 5303 [pid 5303] <... rseq resumed>) = 0 [pid 5302] rt_sigprocmask(SIG_SETMASK, [], [pid 5303] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5302] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5303] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5302] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5303] memfd_create("syzkaller", 0 [pid 5302] <... futex resumed>) = 0 [pid 5302] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5302] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5303] <... memfd_create resumed>) = 3 [pid 5303] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5302] <... mmap resumed>) = 0x7f793ef10000 [pid 5302] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5302] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5302] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5304 attached => {parent_tid=[5304]}, 88) = 5304 [pid 5302] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5302] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053 [pid 5302] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5304] <... rseq resumed>) = 0 [pid 5304] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5304] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5304] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5304] write(4, "85", 2) = 2 [pid 5304] memfd_create("syzkaller", 0) = 5 [pid 5304] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 97.432905][ T5304] FAULT_INJECTION: forcing a failure. [ 97.432905][ T5304] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 97.446261][ T5304] CPU: 0 PID: 5304 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 97.456705][ T5304] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 97.466758][ T5304] Call Trace: [ 97.470089][ T5304] [ 97.473064][ T5304] dump_stack_lvl+0x1e7/0x2d0 [ 97.477831][ T5304] ? nf_tcp_handle_invalid+0x650/0x650 [ 97.483277][ T5304] ? panic+0x770/0x770 [ 97.487448][ T5304] should_fail_ex+0x3aa/0x4e0 [ 97.492119][ T5304] prepare_alloc_pages+0x1d9/0x5b0 [ 97.497309][ T5304] __alloc_pages+0x165/0x670 [ 97.501903][ T5304] ? zone_statistics+0x170/0x170 [ 97.506861][ T5304] ? verify_lock_unused+0x140/0x140 [ 97.512095][ T5304] ? handle_mm_fault+0x11d/0x62b0 [ 97.517136][ T5304] ? __lock_acquire+0x7f70/0x7f70 [ 97.522166][ T5304] ? pte_offset_map_nolock+0x137/0x1e0 [ 97.527757][ T5304] __folio_alloc+0x13/0x30 [ 97.532187][ T5304] vma_alloc_folio+0x48a/0x9a0 [ 97.536947][ T5304] handle_mm_fault+0x2376/0x62b0 [ 97.541948][ T5304] ? handle_mm_fault+0x11d/0x62b0 [ 97.547001][ T5304] ? numa_migrate_prep+0x380/0x380 [ 97.552208][ T5304] ? mtree_range_walk+0x6a0/0x7e0 [ 97.557240][ T5304] ? lock_vma_under_rcu+0x187/0x6f0 [ 97.562453][ T5304] ? __lock_acquire+0x7f70/0x7f70 [ 97.567499][ T5304] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 97.572732][ T5304] ? lock_vma_under_rcu+0x5df/0x6f0 [ 97.577929][ T5304] ? lock_vma_under_rcu+0x187/0x6f0 [pid 5303] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 97.583147][ T5304] ? exc_page_fault+0x10f/0x860 [ 97.587997][ T5304] exc_page_fault+0x455/0x860 [ 97.592693][ T5304] asm_exc_page_fault+0x26/0x30 [ 97.597562][ T5304] RIP: 0033:0x7f794735bc53 [ 97.601994][ T5304] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 97.621791][ T5304] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [ 97.627859][ T5304] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 97.635824][ T5304] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 97.643788][ T5304] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 97.651756][ T5304] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 97.659722][ T5304] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 97.667786][ T5304] [pid 5303] munmap(0x7f793ef31000, 2097152) = 0 [pid 5303] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5303] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5303] close(3) = 0 [pid 5303] mkdir("./file0", 0777) = 0 [pid 5303] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5304] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5303] <... mount resumed>) = 0 [pid 5303] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5303] chdir("./file0") = 0 [pid 5303] ioctl(6, LOOP_CLR_FD) = 0 [pid 5303] close(6) = 0 [pid 5303] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5303] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5304] <... write resumed>) = 2097152 [pid 5304] munmap(0x7f7936b10000, 2097152) = 0 [pid 5304] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5304] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5304] ioctl(6, LOOP_CLR_FD) = 0 [pid 5304] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5304] close(6) = 0 [ 97.679292][ T5304] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 97.695533][ T5303] loop0: detected capacity change from 0 to 4096 [ 97.714499][ T5303] ntfs: volume version 12.0. [pid 5304] close(5) = 0 [pid 5304] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5302] <... futex resumed>) = 0 [pid 5302] exit_group(0) = ? [pid 5304] <... futex resumed>) = ? [pid 5304] +++ exited with 0 +++ [pid 5303] <... futex resumed>) = ? [pid 5303] +++ exited with 0 +++ [pid 5302] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5302, si_uid=0, si_status=0, si_utime=0, si_stime=24 /* 0.24 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./89", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./89", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./89/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./89/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./89/binderfs") = 0 umount2("./89/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./89/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./89/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./89/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./89/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./89/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./89") = 0 mkdir("./90", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5306 attached , child_tidptr=0x555555f17690) = 5306 [pid 5306] set_robust_list(0x555555f176a0, 24) = 0 [pid 5306] chdir("./90") = 0 [pid 5306] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5306] setpgid(0, 0) = 0 [pid 5306] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5306] write(3, "1000", 4) = 4 [pid 5306] close(3) = 0 [pid 5306] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5306] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5306] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5306] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5306] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5306] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5306] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5306] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5308 attached [pid 5308] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5308] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5308] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5308] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5306] <... clone3 resumed> => {parent_tid=[5308]}, 88) = 5308 [pid 5306] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5306] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5308] <... futex resumed>) = 0 [pid 5306] <... futex resumed>) = 1 [pid 5308] memfd_create("syzkaller", 0 [pid 5306] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5308] <... memfd_create resumed>) = 3 [pid 5308] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5306] <... futex resumed>) = 0 [pid 5306] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5308] <... mmap resumed>) = 0x7f793ef31000 [pid 5306] <... mmap resumed>) = 0x7f793ef10000 [pid 5306] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5306] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5306] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5309 attached [pid 5309] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053 [pid 5306] <... clone3 resumed> => {parent_tid=[5309]}, 88) = 5309 [pid 5309] <... rseq resumed>) = 0 [pid 5309] set_robust_list(0x7f793ef309a0, 24 [pid 5306] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5306] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5309] <... set_robust_list resumed>) = 0 [pid 5306] <... futex resumed>) = 0 [pid 5309] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5306] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5309] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5308] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5309] write(4, "85", 2) = 2 [pid 5309] memfd_create("syzkaller", 0) = 5 [pid 5309] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5308] <... write resumed>) = 2097152 [ 97.909303][ T5309] FAULT_INJECTION: forcing a failure. [ 97.909303][ T5309] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 97.922760][ T5309] CPU: 1 PID: 5309 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 97.933193][ T5309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 97.943246][ T5309] Call Trace: [ 97.946530][ T5309] [ 97.949477][ T5309] dump_stack_lvl+0x1e7/0x2d0 [ 97.954155][ T5309] ? nf_tcp_handle_invalid+0x650/0x650 [ 97.959716][ T5309] ? panic+0x770/0x770 [ 97.963800][ T5309] should_fail_ex+0x3aa/0x4e0 [ 97.968565][ T5309] prepare_alloc_pages+0x1d9/0x5b0 [ 97.973677][ T5309] __alloc_pages+0x165/0x670 [ 97.978265][ T5309] ? zone_statistics+0x170/0x170 [ 97.983200][ T5309] ? verify_lock_unused+0x140/0x140 [ 97.988481][ T5309] ? handle_mm_fault+0x11d/0x62b0 [ 97.993599][ T5309] ? __lock_acquire+0x7f70/0x7f70 [ 97.998610][ T5309] ? pte_offset_map_nolock+0x137/0x1e0 [ 98.004065][ T5309] __folio_alloc+0x13/0x30 [ 98.008475][ T5309] vma_alloc_folio+0x48a/0x9a0 [ 98.013236][ T5309] handle_mm_fault+0x2376/0x62b0 [ 98.018180][ T5309] ? handle_mm_fault+0x11d/0x62b0 [ 98.023210][ T5309] ? numa_migrate_prep+0x380/0x380 [ 98.028348][ T5309] ? mtree_range_walk+0x6a0/0x7e0 [ 98.033371][ T5309] ? lock_vma_under_rcu+0x187/0x6f0 [ 98.038575][ T5309] ? __lock_acquire+0x7f70/0x7f70 [ 98.043686][ T5309] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 98.048923][ T5309] ? lock_vma_under_rcu+0x5df/0x6f0 [ 98.054121][ T5309] ? lock_vma_under_rcu+0x187/0x6f0 [ 98.059330][ T5309] ? exc_page_fault+0x10f/0x860 [ 98.064176][ T5309] exc_page_fault+0x455/0x860 [ 98.068854][ T5309] asm_exc_page_fault+0x26/0x30 [ 98.073697][ T5309] RIP: 0033:0x7f794735bc53 [ 98.078105][ T5309] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 98.097732][ T5309] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5308] munmap(0x7f793ef31000, 2097152) = 0 [pid 5308] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 98.103816][ T5309] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 98.111790][ T5309] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 98.119763][ T5309] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 98.127732][ T5309] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 98.135697][ T5309] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 98.143675][ T5309] [ 98.151179][ T5309] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5308] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5308] close(3) = 0 [pid 5308] mkdir("./file0", 0777) = 0 [pid 5308] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5308] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5308] chdir("./file0") = 0 [pid 5308] ioctl(6, LOOP_CLR_FD) = 0 [pid 5308] close(6 [pid 5309] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5308] <... close resumed>) = 0 [pid 5308] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5308] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5309] <... write resumed>) = 2097152 [pid 5309] munmap(0x7f7936b10000, 2097152) = 0 [pid 5309] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5309] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5309] ioctl(6, LOOP_CLR_FD) = 0 [ 98.152686][ T5308] loop0: detected capacity change from 0 to 4096 [ 98.176714][ T5308] ntfs: volume version 12.0. [pid 5309] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5309] close(6) = 0 [pid 5309] close(5) = 0 [pid 5309] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5309] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5306] <... futex resumed>) = 0 [pid 5306] exit_group(0 [pid 5309] <... futex resumed>) = ? [pid 5308] <... futex resumed>) = ? [pid 5308] +++ exited with 0 +++ [pid 5306] <... exit_group resumed>) = ? [pid 5309] +++ exited with 0 +++ [pid 5306] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5306, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./90", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./90", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./90/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./90/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./90/binderfs") = 0 umount2("./90/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./90/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./90/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./90/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./90/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./90/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./90") = 0 mkdir("./91", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5310 attached , child_tidptr=0x555555f17690) = 5310 [pid 5310] set_robust_list(0x555555f176a0, 24) = 0 [pid 5310] chdir("./91") = 0 [pid 5310] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5310] setpgid(0, 0) = 0 [pid 5310] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5310] write(3, "1000", 4) = 4 [pid 5310] close(3) = 0 [pid 5310] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5310] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5310] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5310] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5310] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5310] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5310] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5310] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5311 attached => {parent_tid=[5311]}, 88) = 5311 [pid 5311] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5311] set_robust_list(0x7f79473519a0, 24 [pid 5310] rt_sigprocmask(SIG_SETMASK, [], [pid 5311] <... set_robust_list resumed>) = 0 [pid 5310] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5311] rt_sigprocmask(SIG_SETMASK, [], [pid 5310] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5311] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5310] <... futex resumed>) = 0 [pid 5310] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5311] memfd_create("syzkaller", 0 [pid 5310] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5311] <... memfd_create resumed>) = 3 [pid 5311] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5310] <... mmap resumed>) = 0x7f793ef10000 [pid 5310] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5310] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5310] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5312 attached => {parent_tid=[5312]}, 88) = 5312 [pid 5310] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5310] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5312] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053 [pid 5310] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5312] <... rseq resumed>) = 0 [pid 5312] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5312] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5312] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5312] write(4, "85", 2) = 2 [pid 5312] memfd_create("syzkaller", 0) = 5 [pid 5312] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5311] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 98.344410][ T5312] FAULT_INJECTION: forcing a failure. [ 98.344410][ T5312] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 98.370081][ T5312] CPU: 0 PID: 5312 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 98.380545][ T5312] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 98.390698][ T5312] Call Trace: [ 98.393991][ T5312] [ 98.397021][ T5312] dump_stack_lvl+0x1e7/0x2d0 [ 98.401709][ T5312] ? nf_tcp_handle_invalid+0x650/0x650 [ 98.407442][ T5312] ? panic+0x770/0x770 [ 98.411604][ T5312] should_fail_ex+0x3aa/0x4e0 [ 98.416302][ T5312] prepare_alloc_pages+0x1d9/0x5b0 [ 98.421432][ T5312] __alloc_pages+0x165/0x670 [ 98.426031][ T5312] ? zone_statistics+0x170/0x170 [ 98.431082][ T5312] ? verify_lock_unused+0x140/0x140 [ 98.436275][ T5312] ? handle_mm_fault+0x11d/0x62b0 [ 98.441316][ T5312] ? __lock_acquire+0x7f70/0x7f70 [ 98.446349][ T5312] ? pte_offset_map_nolock+0x137/0x1e0 [ 98.451844][ T5312] __folio_alloc+0x13/0x30 [ 98.456260][ T5312] vma_alloc_folio+0x48a/0x9a0 [ 98.461034][ T5312] handle_mm_fault+0x2376/0x62b0 [ 98.466111][ T5312] ? handle_mm_fault+0x11d/0x62b0 [ 98.471134][ T5312] ? numa_migrate_prep+0x380/0x380 [ 98.476257][ T5312] ? mtree_range_walk+0x6a0/0x7e0 [ 98.481289][ T5312] ? lock_vma_under_rcu+0x187/0x6f0 [ 98.486476][ T5312] ? __lock_acquire+0x7f70/0x7f70 [ 98.491519][ T5312] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 98.496747][ T5312] ? lock_vma_under_rcu+0x5df/0x6f0 [ 98.501944][ T5312] ? lock_vma_under_rcu+0x187/0x6f0 [ 98.507163][ T5312] ? exc_page_fault+0x10f/0x860 [ 98.512047][ T5312] exc_page_fault+0x455/0x860 [ 98.516766][ T5312] asm_exc_page_fault+0x26/0x30 [ 98.521627][ T5312] RIP: 0033:0x7f794735bc53 [ 98.526037][ T5312] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 98.545641][ T5312] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [ 98.551704][ T5312] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 98.559683][ T5312] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 98.567647][ T5312] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 98.575615][ T5312] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 98.583577][ T5312] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 98.591556][ T5312] [pid 5311] munmap(0x7f793ef31000, 2097152) = 0 [pid 5311] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5311] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5311] close(3) = 0 [pid 5311] mkdir("./file0", 0777) = 0 [pid 5311] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5311] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5311] chdir("./file0") = 0 [pid 5311] ioctl(6, LOOP_CLR_FD) = 0 [pid 5311] close(6) = 0 [pid 5311] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5311] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5312] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5312] munmap(0x7f7936b10000, 2097152) = 0 [pid 5312] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5312] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5312] ioctl(6, LOOP_CLR_FD) = 0 [pid 5312] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [ 98.598558][ T5312] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 98.607546][ T5311] loop0: detected capacity change from 0 to 4096 [ 98.621647][ T5311] ntfs: volume version 12.0. [pid 5312] close(6) = 0 [pid 5312] close(5) = 0 [pid 5312] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5310] <... futex resumed>) = 0 [pid 5312] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5310] exit_group(0 [pid 5312] <... futex resumed>) = ? [pid 5311] <... futex resumed>) = ? [pid 5312] +++ exited with 0 +++ [pid 5311] +++ exited with 0 +++ [pid 5310] <... exit_group resumed>) = ? [pid 5310] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5310, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./91", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./91", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./91/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./91/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./91/binderfs") = 0 umount2("./91/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./91/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./91/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./91/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./91/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./91/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./91") = 0 mkdir("./92", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5313 attached , child_tidptr=0x555555f17690) = 5313 [pid 5313] set_robust_list(0x555555f176a0, 24) = 0 [pid 5313] chdir("./92") = 0 [pid 5313] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5313] setpgid(0, 0) = 0 [pid 5313] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5313] write(3, "1000", 4) = 4 [pid 5313] close(3) = 0 [pid 5313] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5313] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5313] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5313] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5313] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5313] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5313] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5313] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5314]}, 88) = 5314 [pid 5313] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5313] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5313] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5313] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5313] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 ./strace-static-x86_64: Process 5314 attached [pid 5314] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5313] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5314] <... rseq resumed>) = 0 [pid 5314] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5314] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5313] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5313] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5314] memfd_create("syzkaller", 0) = 3 ./strace-static-x86_64: Process 5315 attached [pid 5314] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5313] <... clone3 resumed> => {parent_tid=[5315]}, 88) = 5315 [pid 5315] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5315] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5315] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5315] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5314] <... mmap resumed>) = 0x7f793ef10000 [pid 5313] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5313] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5313] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5315] <... futex resumed>) = 0 [pid 5315] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5315] write(4, "85", 2) = 2 [pid 5315] memfd_create("syzkaller", 0) = 5 [pid 5315] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 98.797640][ T5315] FAULT_INJECTION: forcing a failure. [ 98.797640][ T5315] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 98.811764][ T5315] CPU: 0 PID: 5315 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 98.822216][ T5315] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 98.832379][ T5315] Call Trace: [ 98.835670][ T5315] [ 98.838635][ T5315] dump_stack_lvl+0x1e7/0x2d0 [ 98.843303][ T5315] ? nf_tcp_handle_invalid+0x650/0x650 [ 98.848747][ T5315] ? panic+0x770/0x770 [ 98.852811][ T5315] should_fail_ex+0x3aa/0x4e0 [ 98.857476][ T5315] prepare_alloc_pages+0x1d9/0x5b0 [ 98.862574][ T5315] __alloc_pages+0x165/0x670 [ 98.867169][ T5315] ? zone_statistics+0x170/0x170 [ 98.872130][ T5315] ? verify_lock_unused+0x140/0x140 [ 98.877329][ T5315] ? handle_mm_fault+0x11d/0x62b0 [ 98.882349][ T5315] ? __lock_acquire+0x7f70/0x7f70 [ 98.887362][ T5315] ? pte_offset_map_nolock+0x137/0x1e0 [ 98.892816][ T5315] __folio_alloc+0x13/0x30 [ 98.897318][ T5315] vma_alloc_folio+0x48a/0x9a0 [ 98.902080][ T5315] handle_mm_fault+0x2376/0x62b0 [ 98.907034][ T5315] ? handle_mm_fault+0x11d/0x62b0 [ 98.912063][ T5315] ? numa_migrate_prep+0x380/0x380 [ 98.917202][ T5315] ? mtree_range_walk+0x6a0/0x7e0 [ 98.922245][ T5315] ? lock_vma_under_rcu+0x187/0x6f0 [ 98.927461][ T5315] ? __lock_acquire+0x7f70/0x7f70 [ 98.932494][ T5315] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 98.937796][ T5315] ? lock_vma_under_rcu+0x5df/0x6f0 [ 98.943017][ T5315] ? lock_vma_under_rcu+0x187/0x6f0 [ 98.948333][ T5315] ? exc_page_fault+0x10f/0x860 [ 98.953193][ T5315] exc_page_fault+0x455/0x860 [ 98.957887][ T5315] asm_exc_page_fault+0x26/0x30 [ 98.962745][ T5315] RIP: 0033:0x7f794735bc53 [ 98.967157][ T5315] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 98.986767][ T5315] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5314] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2028777) = 2028777 [pid 5314] munmap(0x7f793ef10000, 2028777) = 0 [pid 5314] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 98.992915][ T5315] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 99.000878][ T5315] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 99.008842][ T5315] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 99.016805][ T5315] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 99.024854][ T5315] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 99.032841][ T5315] [ 99.041163][ T5315] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5314] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5314] close(3) = 0 [pid 5314] mkdir("./file0", 0777) = 0 [pid 5314] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5314] ioctl(6, LOOP_CLR_FD [pid 5315] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5315] munmap(0x7f7936b10000, 2097152) = 0 [pid 5315] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5315] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5315] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5315] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5315] close(3) = 0 [pid 5315] close(5) = 0 [pid 5315] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5313] <... futex resumed>) = 0 [pid 5315] <... futex resumed>) = 1 [ 99.062208][ T5314] loop0: detected capacity change from 0 to 3962 [pid 5315] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5314] <... ioctl resumed>) = 0 [pid 5314] close(6) = 0 [pid 5314] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5314] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5313] exit_group(0 [pid 5314] <... futex resumed>) = ? [pid 5313] <... exit_group resumed>) = ? [pid 5315] <... futex resumed>) = ? [pid 5314] +++ exited with 0 +++ [pid 5315] +++ exited with 0 +++ [pid 5313] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5313, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=15 /* 0.15 s */} --- umount2("./92", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./92", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./92/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./92/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./92/binderfs") = 0 umount2("./92/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./92/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./92/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./92/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./92/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./92") = 0 mkdir("./93", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5318 attached , child_tidptr=0x555555f17690) = 5318 [pid 5318] set_robust_list(0x555555f176a0, 24) = 0 [pid 5318] chdir("./93") = 0 [pid 5318] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5318] setpgid(0, 0) = 0 [pid 5318] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5318] write(3, "1000", 4) = 4 [pid 5318] close(3) = 0 [pid 5318] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5318] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5318] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5318] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5318] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5318] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5318] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5318] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5319 attached => {parent_tid=[5319]}, 88) = 5319 [pid 5318] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5319] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5318] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5319] <... rseq resumed>) = 0 [pid 5318] <... futex resumed>) = 0 [pid 5318] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5318] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5319] set_robust_list(0x7f79473519a0, 24 [pid 5318] <... mmap resumed>) = 0x7f7947310000 [pid 5318] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5319] <... set_robust_list resumed>) = 0 [pid 5318] <... mprotect resumed>) = 0 [pid 5319] rt_sigprocmask(SIG_SETMASK, [], [pid 5318] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5318] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5320 attached [pid 5319] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5320] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5318] <... clone3 resumed> => {parent_tid=[5320]}, 88) = 5320 [pid 5318] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5318] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5318] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5320] <... rseq resumed>) = 0 [pid 5319] memfd_create("syzkaller", 0) = 3 [ 99.127484][ T5238] I/O error, dev loop0, sector 3712 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 5319] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5320] set_robust_list(0x7f79473309a0, 24 [pid 5319] <... mmap resumed>) = 0x7f793ef10000 [pid 5320] <... set_robust_list resumed>) = 0 [pid 5320] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5320] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5320] write(4, "85", 2) = 2 [pid 5320] memfd_create("syzkaller", 0 [pid 5319] munmap(0x7f793ef10000, 138412032 [pid 5320] <... memfd_create resumed>) = 5 [pid 5320] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5319] <... munmap resumed>) = 0 [pid 5319] close(3) = 0 [pid 5320] <... mmap resumed>) = 0x7f793ef10000 [pid 5319] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 99.199989][ T5320] FAULT_INJECTION: forcing a failure. [ 99.199989][ T5320] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 99.213638][ T5320] CPU: 0 PID: 5320 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 99.224073][ T5320] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 99.234126][ T5320] Call Trace: [ 99.237412][ T5320] [ 99.240334][ T5320] dump_stack_lvl+0x1e7/0x2d0 [ 99.245014][ T5320] ? nf_tcp_handle_invalid+0x650/0x650 [ 99.250465][ T5320] ? panic+0x770/0x770 [ 99.254542][ T5320] should_fail_ex+0x3aa/0x4e0 [ 99.259313][ T5320] prepare_alloc_pages+0x1d9/0x5b0 [ 99.264455][ T5320] __alloc_pages+0x165/0x670 [ 99.269079][ T5320] ? zone_statistics+0x170/0x170 [ 99.274028][ T5320] ? verify_lock_unused+0x140/0x140 [ 99.279215][ T5320] ? handle_mm_fault+0x11d/0x62b0 [ 99.284228][ T5320] ? __lock_acquire+0x7f70/0x7f70 [ 99.289268][ T5320] ? pte_offset_map_nolock+0x137/0x1e0 [ 99.294730][ T5320] __folio_alloc+0x13/0x30 [ 99.299165][ T5320] vma_alloc_folio+0x48a/0x9a0 [ 99.304031][ T5320] handle_mm_fault+0x2376/0x62b0 [ 99.308975][ T5320] ? handle_mm_fault+0x11d/0x62b0 [ 99.313995][ T5320] ? numa_migrate_prep+0x380/0x380 [ 99.319113][ T5320] ? mtree_range_walk+0x6a0/0x7e0 [ 99.324139][ T5320] ? lock_vma_under_rcu+0x187/0x6f0 [ 99.329346][ T5320] ? __lock_acquire+0x7f70/0x7f70 [ 99.334358][ T5320] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 99.339572][ T5320] ? lock_vma_under_rcu+0x5df/0x6f0 [ 99.344779][ T5320] ? lock_vma_under_rcu+0x187/0x6f0 [ 99.349973][ T5320] ? exc_page_fault+0x10f/0x860 [ 99.354921][ T5320] exc_page_fault+0x455/0x860 [ 99.359601][ T5320] asm_exc_page_fault+0x26/0x30 [ 99.364445][ T5320] RIP: 0033:0x7f794735bd00 [ 99.368980][ T5320] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 99.388747][ T5320] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 99.394805][ T5320] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 99.402862][ T5320] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 99.410836][ T5320] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 99.418795][ T5320] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 99.426755][ T5320] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 99.434740][ T5320] [pid 5319] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5320] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5320] munmap(0x7f793ef10000, 2097152) = 0 [pid 5320] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 99.444473][ T5320] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5320] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5320] close(5) = 0 [pid 5320] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5320] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 99.482641][ T5320] loop0: detected capacity change from 0 to 4096 [ 99.501814][ T5320] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 99.508918][ T5320] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5320] ioctl(3, LOOP_CLR_FD) = 0 [pid 5320] close(3) = 0 [pid 5320] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5318] <... futex resumed>) = 0 [pid 5320] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5318] exit_group(0) = ? [pid 5319] <... futex resumed>) = ? [pid 5320] <... futex resumed>) = ? [pid 5319] +++ exited with 0 +++ [pid 5320] +++ exited with 0 +++ [pid 5318] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5318, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- umount2("./93", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./93", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./93/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./93/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./93/binderfs") = 0 umount2("\x2e\x2f\x39\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x39\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x39\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x39\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x39\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./93") = 0 mkdir("./94", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5322 attached , child_tidptr=0x555555f17690) = 5322 [pid 5322] set_robust_list(0x555555f176a0, 24) = 0 [pid 5322] chdir("./94") = 0 [pid 5322] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5322] setpgid(0, 0) = 0 [pid 5322] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5322] write(3, "1000", 4) = 4 [pid 5322] close(3) = 0 [pid 5322] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5322] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5322] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5322] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5322] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5322] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5322] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5322] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5323 attached => {parent_tid=[5323]}, 88) = 5323 [pid 5322] rt_sigprocmask(SIG_SETMASK, [], [pid 5323] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5323] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5323] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5323] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5322] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5322] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5323] <... futex resumed>) = 0 [pid 5322] <... futex resumed>) = 1 [pid 5323] memfd_create("syzkaller", 0 [pid 5322] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5322] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5323] <... memfd_create resumed>) = 3 [pid 5323] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5322] <... mmap resumed>) = 0x7f793ef10000 [pid 5322] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5322] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5323] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5322] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5322] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5324 attached [pid 5324] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5324] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5324] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5324] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5322] <... clone3 resumed> => {parent_tid=[5324]}, 88) = 5324 [pid 5322] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5322] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5324] <... futex resumed>) = 0 [pid 5322] <... futex resumed>) = 1 [pid 5324] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5322] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5324] <... openat resumed>) = 4 [pid 5324] write(4, "85", 2) = 2 [pid 5324] memfd_create("syzkaller", 0) = 5 [pid 5324] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5323] <... write resumed>) = 2097152 [ 99.663265][ T5324] FAULT_INJECTION: forcing a failure. [ 99.663265][ T5324] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 99.676942][ T5324] CPU: 1 PID: 5324 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 99.680490][ T5323] loop0: detected capacity change from 0 to 4096 [ 99.687368][ T5324] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 99.687408][ T5324] Call Trace: [ 99.687416][ T5324] [ 99.687423][ T5324] dump_stack_lvl+0x1e7/0x2d0 [ 99.687448][ T5324] ? nf_tcp_handle_invalid+0x650/0x650 [ 99.720080][ T5324] ? panic+0x770/0x770 [ 99.724231][ T5324] should_fail_ex+0x3aa/0x4e0 [ 99.728912][ T5324] prepare_alloc_pages+0x1d9/0x5b0 [ 99.734025][ T5324] __alloc_pages+0x165/0x670 [ 99.738613][ T5324] ? zone_statistics+0x170/0x170 [ 99.743556][ T5324] ? verify_lock_unused+0x140/0x140 [ 99.748840][ T5324] ? handle_mm_fault+0x11d/0x62b0 [ 99.753860][ T5324] ? __lock_acquire+0x7f70/0x7f70 [ 99.758877][ T5324] ? pte_offset_map_nolock+0x137/0x1e0 [ 99.764335][ T5324] __folio_alloc+0x13/0x30 [ 99.768836][ T5324] vma_alloc_folio+0x48a/0x9a0 [ 99.773612][ T5324] handle_mm_fault+0x2376/0x62b0 [ 99.778566][ T5324] ? handle_mm_fault+0x11d/0x62b0 [ 99.783592][ T5324] ? numa_migrate_prep+0x380/0x380 [ 99.788707][ T5324] ? mtree_range_walk+0x6a0/0x7e0 [ 99.793728][ T5324] ? lock_vma_under_rcu+0x187/0x6f0 [ 99.798935][ T5324] ? __lock_acquire+0x7f70/0x7f70 [ 99.803951][ T5324] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 99.809154][ T5324] ? lock_vma_under_rcu+0x5df/0x6f0 [ 99.814867][ T5324] ? lock_vma_under_rcu+0x187/0x6f0 [ 99.820067][ T5324] ? exc_page_fault+0x10f/0x860 [ 99.824912][ T5324] exc_page_fault+0x455/0x860 [ 99.829682][ T5324] asm_exc_page_fault+0x26/0x30 [ 99.834529][ T5324] RIP: 0033:0x7f794735bc53 [ 99.838962][ T5324] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [pid 5323] munmap(0x7f793ef31000, 2097152) = 0 [pid 5323] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5323] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5323] close(3) = 0 [pid 5323] mkdir("./file0", 0777) = 0 [ 99.858556][ T5324] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [ 99.864617][ T5324] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 99.872584][ T5324] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 99.880739][ T5324] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 99.888810][ T5324] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 99.896794][ T5324] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 99.905606][ T5324] [pid 5323] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5323] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5323] chdir("./file0") = 0 [pid 5323] ioctl(6, LOOP_CLR_FD) = 0 [pid 5323] close(6) = 0 [pid 5323] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5323] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [ 99.921123][ T5323] ntfs: volume version 12.0. [pid 5324] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5324] munmap(0x7f7936b10000, 2097152) = 0 [pid 5324] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5324] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5324] ioctl(6, LOOP_CLR_FD) = 0 [pid 5324] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5324] close(6) = 0 [pid 5324] close(5) = 0 [pid 5324] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5322] <... futex resumed>) = 0 [pid 5322] exit_group(0 [pid 5323] <... futex resumed>) = ? [pid 5323] +++ exited with 0 +++ [pid 5322] <... exit_group resumed>) = ? [pid 5324] <... futex resumed>) = ? [pid 5324] +++ exited with 0 +++ [pid 5322] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5322, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=13 /* 0.13 s */} --- umount2("./94", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./94", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./94/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./94/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./94/binderfs") = 0 umount2("./94/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./94/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./94/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./94/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./94/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./94/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./94") = 0 mkdir("./95", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5325 attached , child_tidptr=0x555555f17690) = 5325 [pid 5325] set_robust_list(0x555555f176a0, 24) = 0 [pid 5325] chdir("./95") = 0 [pid 5325] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5325] setpgid(0, 0) = 0 [pid 5325] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5325] write(3, "1000", 4) = 4 [pid 5325] close(3) = 0 [pid 5325] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5325] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5325] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5325] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5325] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5325] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5325] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5325] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5326 attached => {parent_tid=[5326]}, 88) = 5326 [pid 5326] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5325] rt_sigprocmask(SIG_SETMASK, [], [pid 5326] set_robust_list(0x7f79473519a0, 24 [pid 5325] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5326] <... set_robust_list resumed>) = 0 [pid 5325] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5326] rt_sigprocmask(SIG_SETMASK, [], [pid 5325] <... futex resumed>) = 0 [pid 5326] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5325] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5325] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5326] memfd_create("syzkaller", 0 [pid 5325] <... mmap resumed>) = 0x7f7947310000 [pid 5326] <... memfd_create resumed>) = 3 [pid 5325] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5326] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5325] <... mprotect resumed>) = 0 [pid 5326] <... mmap resumed>) = 0x7f793ef10000 [pid 5325] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5325] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5327 attached => {parent_tid=[5327]}, 88) = 5327 [pid 5325] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5325] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5325] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5327] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5327] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5327] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5327] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5327] write(4, "85", 2) = 2 [pid 5327] memfd_create("syzkaller", 0) = 5 [pid 5327] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 100.113794][ T5327] FAULT_INJECTION: forcing a failure. [ 100.113794][ T5327] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 100.128638][ T5327] CPU: 0 PID: 5327 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 100.139169][ T5327] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 100.149227][ T5327] Call Trace: [ 100.152508][ T5327] [ 100.155434][ T5327] dump_stack_lvl+0x1e7/0x2d0 [ 100.160109][ T5327] ? nf_tcp_handle_invalid+0x650/0x650 [ 100.165562][ T5327] ? panic+0x770/0x770 [ 100.169633][ T5327] should_fail_ex+0x3aa/0x4e0 [ 100.174313][ T5327] prepare_alloc_pages+0x1d9/0x5b0 [ 100.179424][ T5327] __alloc_pages+0x165/0x670 [ 100.184009][ T5327] ? zone_statistics+0x170/0x170 [ 100.188947][ T5327] ? verify_lock_unused+0x140/0x140 [ 100.194139][ T5327] ? handle_mm_fault+0x11d/0x62b0 [ 100.199159][ T5327] ? __lock_acquire+0x7f70/0x7f70 [ 100.204197][ T5327] ? pte_offset_map_nolock+0x137/0x1e0 [ 100.209672][ T5327] __folio_alloc+0x13/0x30 [ 100.214113][ T5327] vma_alloc_folio+0x48a/0x9a0 [ 100.218925][ T5327] handle_mm_fault+0x2376/0x62b0 [ 100.223865][ T5327] ? handle_mm_fault+0x11d/0x62b0 [ 100.228900][ T5327] ? numa_migrate_prep+0x380/0x380 [ 100.234015][ T5327] ? mtree_range_walk+0x6a0/0x7e0 [ 100.239034][ T5327] ? lock_vma_under_rcu+0x187/0x6f0 [ 100.244226][ T5327] ? __lock_acquire+0x7f70/0x7f70 [ 100.249248][ T5327] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 100.254450][ T5327] ? lock_vma_under_rcu+0x5df/0x6f0 [ 100.259642][ T5327] ? lock_vma_under_rcu+0x187/0x6f0 [ 100.264843][ T5327] ? exc_page_fault+0x10f/0x860 [ 100.269690][ T5327] exc_page_fault+0x455/0x860 [ 100.274383][ T5327] asm_exc_page_fault+0x26/0x30 [ 100.279234][ T5327] RIP: 0033:0x7f794735bc53 [ 100.283641][ T5327] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 100.303325][ T5327] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5326] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5326] munmap(0x7f793ef10000, 2097152) = 0 [pid 5326] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 100.309388][ T5327] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 100.317349][ T5327] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 100.325312][ T5327] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 100.333272][ T5327] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 100.341270][ T5327] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 100.349247][ T5327] [pid 5326] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5326] close(3) = 0 [pid 5326] mkdir("./file0", 0777) = 0 [pid 5326] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5327] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5326] <... mount resumed>) = 0 [pid 5326] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 5327] <... write resumed>) = 2097152 [pid 5326] <... openat resumed>) = 3 [pid 5326] chdir("./file0") = 0 [pid 5326] ioctl(6, LOOP_CLR_FD [pid 5327] munmap(0x7f7936b10000, 2097152) = 0 [pid 5326] <... ioctl resumed>) = 0 [pid 5327] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5326] close(6 [pid 5327] <... openat resumed>) = 7 [pid 5326] <... close resumed>) = 0 [pid 5327] ioctl(7, LOOP_SET_FD, 5 [pid 5326] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5327] <... ioctl resumed>) = -1 EBUSY (Device or resource busy) [pid 5327] ioctl(7, LOOP_CLR_FD [pid 5326] <... futex resumed>) = 0 [pid 5326] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5327] <... ioctl resumed>) = 0 [pid 5327] ioctl(7, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5327] close(7) = 0 [pid 5327] close(5) = 0 [ 100.366531][ T5326] loop0: detected capacity change from 0 to 4096 [ 100.379492][ T5326] ntfs: volume version 12.0. [pid 5327] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5325] <... futex resumed>) = 0 [pid 5327] <... futex resumed>) = 1 [pid 5327] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5325] exit_group(0 [pid 5327] <... futex resumed>) = ? [pid 5326] <... futex resumed>) = ? [pid 5325] <... exit_group resumed>) = ? [pid 5326] +++ exited with 0 +++ [pid 5327] +++ exited with 0 +++ [pid 5325] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5325, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=7 /* 0.07 s */} --- umount2("./95", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./95", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./95/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./95/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./95/binderfs") = 0 umount2("./95/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./95/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./95/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./95/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./95/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./95/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./95") = 0 mkdir("./96", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5328 ./strace-static-x86_64: Process 5328 attached [pid 5328] set_robust_list(0x555555f176a0, 24) = 0 [pid 5328] chdir("./96") = 0 [pid 5328] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5328] setpgid(0, 0) = 0 [pid 5328] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5328] write(3, "1000", 4) = 4 [pid 5328] close(3) = 0 [pid 5328] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5328] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5328] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5328] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5328] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5328] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5328] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5328] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5329 attached => {parent_tid=[5329]}, 88) = 5329 [pid 5329] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5328] rt_sigprocmask(SIG_SETMASK, [], [pid 5329] set_robust_list(0x7f79473519a0, 24 [pid 5328] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5329] <... set_robust_list resumed>) = 0 [pid 5328] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5329] rt_sigprocmask(SIG_SETMASK, [], [pid 5328] <... futex resumed>) = 0 [pid 5329] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5329] memfd_create("syzkaller", 0 [pid 5328] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5328] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5328] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5328] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5329] <... memfd_create resumed>) = 3 [pid 5328] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5329] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5328] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5329] <... mmap resumed>) = 0x7f793ef10000 ./strace-static-x86_64: Process 5330 attached [pid 5330] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5330] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5328] <... clone3 resumed> => {parent_tid=[5330]}, 88) = 5330 [pid 5330] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5330] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5328] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5328] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5330] <... futex resumed>) = 0 [pid 5330] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5330] write(4, "85", 2) = 2 [pid 5330] memfd_create("syzkaller", 0) = 5 [pid 5330] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5328] <... futex resumed>) = 1 [pid 5328] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [ 100.544579][ T5330] FAULT_INJECTION: forcing a failure. [ 100.544579][ T5330] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 100.558579][ T5330] CPU: 0 PID: 5330 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 100.569034][ T5330] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 100.579189][ T5330] Call Trace: [ 100.582454][ T5330] [ 100.585371][ T5330] dump_stack_lvl+0x1e7/0x2d0 [pid 5329] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 100.590042][ T5330] ? nf_tcp_handle_invalid+0x650/0x650 [ 100.595485][ T5330] ? panic+0x770/0x770 [ 100.599550][ T5330] should_fail_ex+0x3aa/0x4e0 [ 100.604310][ T5330] prepare_alloc_pages+0x1d9/0x5b0 [ 100.609419][ T5330] __alloc_pages+0x165/0x670 [ 100.614023][ T5330] ? zone_statistics+0x170/0x170 [ 100.618964][ T5330] ? verify_lock_unused+0x140/0x140 [ 100.624167][ T5330] ? handle_mm_fault+0x11d/0x62b0 [ 100.629201][ T5330] ? __lock_acquire+0x7f70/0x7f70 [ 100.634212][ T5330] ? pte_offset_map_nolock+0x137/0x1e0 [ 100.639661][ T5330] __folio_alloc+0x13/0x30 [ 100.644070][ T5330] vma_alloc_folio+0x48a/0x9a0 [ 100.648828][ T5330] handle_mm_fault+0x2376/0x62b0 [ 100.653772][ T5330] ? handle_mm_fault+0x11d/0x62b0 [ 100.658811][ T5330] ? numa_migrate_prep+0x380/0x380 [ 100.663940][ T5330] ? mtree_range_walk+0x6a0/0x7e0 [ 100.669053][ T5330] ? lock_vma_under_rcu+0x187/0x6f0 [ 100.674252][ T5330] ? __lock_acquire+0x7f70/0x7f70 [ 100.679281][ T5330] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 100.684567][ T5330] ? lock_vma_under_rcu+0x5df/0x6f0 [ 100.689758][ T5330] ? lock_vma_under_rcu+0x187/0x6f0 [ 100.695075][ T5330] ? exc_page_fault+0x10f/0x860 [ 100.699932][ T5330] exc_page_fault+0x455/0x860 [ 100.704620][ T5330] asm_exc_page_fault+0x26/0x30 [ 100.709475][ T5330] RIP: 0033:0x7f794735bc53 [ 100.713881][ T5330] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 100.733478][ T5330] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5329] munmap(0x7f793ef10000, 2097152) = 0 [ 100.739547][ T5330] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 100.747531][ T5330] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 100.755591][ T5330] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 100.763555][ T5330] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 100.771554][ T5330] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 100.779541][ T5330] [ 100.784615][ T5330] pagefault_out_of_memory: 2 callbacks suppressed [pid 5329] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5329] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5329] close(3) = 0 [pid 5329] mkdir("./file0", 0777) = 0 [pid 5329] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5330] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5329] <... mount resumed>) = 0 [pid 5329] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5329] chdir("./file0") = 0 [pid 5329] ioctl(6, LOOP_CLR_FD) = 0 [pid 5329] close(6) = 0 [pid 5329] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5329] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5330] <... write resumed>) = 2097152 [pid 5330] munmap(0x7f7936b10000, 2097152) = 0 [pid 5330] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5330] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5330] ioctl(6, LOOP_CLR_FD) = 0 [pid 5330] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5330] close(6) = 0 [pid 5330] close(5) = 0 [pid 5330] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5328] <... futex resumed>) = 0 [pid 5330] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5328] exit_group(0 [pid 5330] <... futex resumed>) = ? [pid 5329] <... futex resumed>) = ? [pid 5328] <... exit_group resumed>) = ? [pid 5330] +++ exited with 0 +++ [pid 5329] +++ exited with 0 +++ [pid 5328] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5328, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./96", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./96", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./96/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./96/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./96/binderfs") = 0 [ 100.784629][ T5330] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 100.798086][ T5329] loop0: detected capacity change from 0 to 4096 [ 100.816595][ T5329] ntfs: volume version 12.0. umount2("./96/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./96/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./96/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./96/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./96/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./96/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./96") = 0 mkdir("./97", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5331 attached , child_tidptr=0x555555f17690) = 5331 [pid 5331] set_robust_list(0x555555f176a0, 24) = 0 [pid 5331] chdir("./97") = 0 [pid 5331] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5331] setpgid(0, 0) = 0 [pid 5331] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5331] write(3, "1000", 4) = 4 [pid 5331] close(3) = 0 [pid 5331] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5331] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5331] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5331] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5331] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5331] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5331] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5331] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5332 attached [pid 5332] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5332] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5332] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5332] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5331] <... clone3 resumed> => {parent_tid=[5332]}, 88) = 5332 [pid 5331] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5331] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5332] <... futex resumed>) = 0 [pid 5331] <... futex resumed>) = 1 [pid 5331] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5332] memfd_create("syzkaller", 0 [pid 5331] <... futex resumed>) = 0 [pid 5332] <... memfd_create resumed>) = 3 [pid 5331] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5332] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5331] <... mmap resumed>) = 0x7f7947310000 [pid 5332] <... mmap resumed>) = 0x7f793ef10000 [pid 5331] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5331] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5331] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5333 attached => {parent_tid=[5333]}, 88) = 5333 [pid 5331] rt_sigprocmask(SIG_SETMASK, [], [pid 5333] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5331] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5333] <... rseq resumed>) = 0 [pid 5333] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5331] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5333] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5331] <... futex resumed>) = 0 [pid 5331] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5333] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5333] write(4, "85", 2) = 2 [pid 5333] memfd_create("syzkaller", 0) = 5 [pid 5333] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 100.963497][ T5333] FAULT_INJECTION: forcing a failure. [ 100.963497][ T5333] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 100.977677][ T5333] CPU: 0 PID: 5333 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 100.988819][ T5333] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 100.998887][ T5333] Call Trace: [ 101.002177][ T5333] [ 101.005102][ T5333] dump_stack_lvl+0x1e7/0x2d0 [ 101.009778][ T5333] ? nf_tcp_handle_invalid+0x650/0x650 [ 101.015228][ T5333] ? panic+0x770/0x770 [ 101.019298][ T5333] should_fail_ex+0x3aa/0x4e0 [ 101.023970][ T5333] prepare_alloc_pages+0x1d9/0x5b0 [ 101.029104][ T5333] __alloc_pages+0x165/0x670 [ 101.033804][ T5333] ? zone_statistics+0x170/0x170 [ 101.038848][ T5333] ? verify_lock_unused+0x140/0x140 [ 101.044048][ T5333] ? handle_mm_fault+0x11d/0x62b0 [ 101.049068][ T5333] ? __lock_acquire+0x7f70/0x7f70 [ 101.054082][ T5333] ? pte_offset_map_nolock+0x137/0x1e0 [ 101.059541][ T5333] __folio_alloc+0x13/0x30 [ 101.063950][ T5333] vma_alloc_folio+0x48a/0x9a0 [ 101.068716][ T5333] handle_mm_fault+0x2376/0x62b0 [ 101.073661][ T5333] ? handle_mm_fault+0x11d/0x62b0 [ 101.078690][ T5333] ? numa_migrate_prep+0x380/0x380 [ 101.083810][ T5333] ? mtree_range_walk+0x6a0/0x7e0 [ 101.088860][ T5333] ? lock_vma_under_rcu+0x187/0x6f0 [ 101.094070][ T5333] ? __lock_acquire+0x7f70/0x7f70 [ 101.099093][ T5333] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 101.104309][ T5333] ? lock_vma_under_rcu+0x5df/0x6f0 [ 101.109513][ T5333] ? lock_vma_under_rcu+0x187/0x6f0 [ 101.114723][ T5333] ? exc_page_fault+0x10f/0x860 [ 101.119579][ T5333] exc_page_fault+0x455/0x860 [ 101.124258][ T5333] asm_exc_page_fault+0x26/0x30 [ 101.129106][ T5333] RIP: 0033:0x7f794735bc53 [ 101.133514][ T5333] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 101.153199][ T5333] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5332] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2083456) = 2083456 [pid 5332] munmap(0x7f793ef10000, 2083456) = 0 [pid 5332] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 101.159260][ T5333] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 101.167233][ T5333] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 101.175201][ T5333] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 101.183251][ T5333] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 101.191307][ T5333] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 101.199289][ T5333] [ 101.203052][ T5333] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5332] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5332] close(3) = 0 [pid 5332] mkdir("./file0", 0777) = 0 [pid 5332] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5332] ioctl(6, LOOP_CLR_FD [pid 5333] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5333] munmap(0x7f7936b10000, 2097152) = 0 [pid 5333] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5333] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5333] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5333] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5333] close(3) = 0 [pid 5333] close(5) = 0 [pid 5333] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5331] <... futex resumed>) = 0 [ 101.215477][ T5332] loop0: detected capacity change from 0 to 4069 [pid 5333] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5332] <... ioctl resumed>) = 0 [pid 5332] close(6) = 0 [pid 5332] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5332] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5331] exit_group(0) = ? [pid 5332] <... futex resumed>) = ? [pid 5332] +++ exited with 0 +++ [pid 5333] <... futex resumed>) = ? [pid 5333] +++ exited with 0 +++ [pid 5331] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5331, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./97", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./97", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./97/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./97/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./97/binderfs") = 0 umount2("./97/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./97/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./97/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./97/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./97/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./97") = 0 mkdir("./98", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5334 attached [pid 5334] set_robust_list(0x555555f176a0, 24) = 0 [pid 5334] chdir("./98") = 0 [pid 5334] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5334] setpgid(0, 0) = 0 [pid 5334] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5334] write(3, "1000", 4) = 4 [pid 5334] close(3) = 0 [pid 5334] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5334] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5334] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5334] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5334] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5334] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5334] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5334] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5335 attached [pid 5335] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5334] <... clone3 resumed> => {parent_tid=[5335]}, 88) = 5335 [pid 5335] <... rseq resumed>) = 0 [pid 5334] rt_sigprocmask(SIG_SETMASK, [], [pid 5335] set_robust_list(0x7f79473519a0, 24 [pid 5334] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5335] <... set_robust_list resumed>) = 0 [pid 5334] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5335] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5334] <... futex resumed>) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5334 [pid 5335] memfd_create("syzkaller", 0 [pid 5334] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5334] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5334] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5334] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5335] <... memfd_create resumed>) = 3 [pid 5335] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5334] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5334] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5336 attached => {parent_tid=[5336]}, 88) = 5336 [pid 5334] rt_sigprocmask(SIG_SETMASK, [], [pid 5336] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5334] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5334] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5336] <... rseq resumed>) = 0 [pid 5334] <... futex resumed>) = 0 [pid 5334] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5336] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5336] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5336] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5336] write(4, "85", 2) = 2 [pid 5336] memfd_create("syzkaller", 0) = 5 [pid 5336] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5335] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 101.363673][ T5336] FAULT_INJECTION: forcing a failure. [ 101.363673][ T5336] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 101.378144][ T5336] CPU: 0 PID: 5336 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 101.388664][ T5336] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 101.398713][ T5336] Call Trace: [ 101.402000][ T5336] [ 101.404917][ T5336] dump_stack_lvl+0x1e7/0x2d0 [ 101.409585][ T5336] ? nf_tcp_handle_invalid+0x650/0x650 [ 101.415028][ T5336] ? panic+0x770/0x770 [ 101.419095][ T5336] should_fail_ex+0x3aa/0x4e0 [ 101.423764][ T5336] prepare_alloc_pages+0x1d9/0x5b0 [ 101.428957][ T5336] __alloc_pages+0x165/0x670 [ 101.433531][ T5336] ? zone_statistics+0x170/0x170 [ 101.438456][ T5336] ? verify_lock_unused+0x140/0x140 [ 101.443724][ T5336] ? handle_mm_fault+0x11d/0x62b0 [ 101.448758][ T5336] ? __lock_acquire+0x7f70/0x7f70 [ 101.453806][ T5336] ? pte_offset_map_nolock+0x137/0x1e0 [ 101.459262][ T5336] __folio_alloc+0x13/0x30 [ 101.463663][ T5336] vma_alloc_folio+0x48a/0x9a0 [ 101.468418][ T5336] handle_mm_fault+0x2376/0x62b0 [ 101.473347][ T5336] ? handle_mm_fault+0x11d/0x62b0 [ 101.478364][ T5336] ? numa_migrate_prep+0x380/0x380 [ 101.483467][ T5336] ? mtree_range_walk+0x6a0/0x7e0 [ 101.488494][ T5336] ? lock_vma_under_rcu+0x187/0x6f0 [ 101.493675][ T5336] ? __lock_acquire+0x7f70/0x7f70 [ 101.498769][ T5336] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 101.503960][ T5336] ? lock_vma_under_rcu+0x5df/0x6f0 [ 101.509160][ T5336] ? lock_vma_under_rcu+0x187/0x6f0 [ 101.514345][ T5336] ? exc_page_fault+0x10f/0x860 [ 101.521095][ T5336] exc_page_fault+0x455/0x860 [ 101.525778][ T5336] asm_exc_page_fault+0x26/0x30 [ 101.530624][ T5336] RIP: 0033:0x7f794735bc53 [ 101.535021][ T5336] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 101.554622][ T5336] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5335] munmap(0x7f793ef10000, 2097152) = 0 [pid 5335] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 101.560694][ T5336] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 101.568661][ T5336] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 101.576623][ T5336] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 101.584597][ T5336] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 101.592565][ T5336] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 101.600543][ T5336] [ 101.604319][ T5336] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5335] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5335] close(3) = 0 [pid 5335] mkdir("./file0", 0777) = 0 [pid 5335] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5336] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5335] <... mount resumed>) = 0 [pid 5335] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5335] chdir("./file0") = 0 [pid 5335] ioctl(6, LOOP_CLR_FD) = 0 [pid 5335] close(6) = 0 [pid 5335] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5335] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5336] <... write resumed>) = 2097152 [pid 5336] munmap(0x7f7936b10000, 2097152) = 0 [pid 5336] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5336] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5336] ioctl(6, LOOP_CLR_FD) = 0 [pid 5336] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5336] close(6) = 0 [ 101.620568][ T5335] loop0: detected capacity change from 0 to 4096 [ 101.636887][ T5335] ntfs: volume version 12.0. [pid 5336] close(5) = 0 [pid 5336] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5334] <... futex resumed>) = 0 [pid 5334] exit_group(0 [pid 5335] <... futex resumed>) = ? [pid 5334] <... exit_group resumed>) = ? [pid 5335] +++ exited with 0 +++ [pid 5336] <... futex resumed>) = ? [pid 5336] +++ exited with 0 +++ [pid 5334] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5334, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=13 /* 0.13 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./98", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./98", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./98/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./98/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./98/binderfs") = 0 umount2("./98/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./98/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./98/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./98/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./98/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./98/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./98") = 0 mkdir("./99", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5337 ./strace-static-x86_64: Process 5337 attached [pid 5337] set_robust_list(0x555555f176a0, 24) = 0 [pid 5337] chdir("./99") = 0 [pid 5337] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5337] setpgid(0, 0) = 0 [pid 5337] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5337] write(3, "1000", 4) = 4 [pid 5337] close(3) = 0 [pid 5337] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5337] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5337] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5337] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5337] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5337] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5337] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5337] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5338 attached [pid 5338] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5337] <... clone3 resumed> => {parent_tid=[5338]}, 88) = 5338 [pid 5338] <... rseq resumed>) = 0 [pid 5337] rt_sigprocmask(SIG_SETMASK, [], [pid 5338] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5337] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5337] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5338] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5338] memfd_create("syzkaller", 0 [pid 5337] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5337] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5338] <... memfd_create resumed>) = 3 [pid 5338] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5337] <... mmap resumed>) = 0x7f793ef10000 [pid 5337] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5337] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5337] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0} => {parent_tid=[5339]}, 88) = 5339 [pid 5337] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5337] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5337] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5339 attached [pid 5339] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5339] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5339] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5339] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5339] write(4, "85", 2 [pid 5338] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5339] <... write resumed>) = 2 [pid 5339] memfd_create("syzkaller", 0) = 5 [pid 5339] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5338] <... write resumed>) = 2097152 [ 101.799262][ T5339] FAULT_INJECTION: forcing a failure. [ 101.799262][ T5339] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 101.813537][ T5339] CPU: 0 PID: 5339 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 101.823972][ T5339] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 101.834028][ T5339] Call Trace: [ 101.837307][ T5339] [ 101.840233][ T5339] dump_stack_lvl+0x1e7/0x2d0 [ 101.844910][ T5339] ? nf_tcp_handle_invalid+0x650/0x650 [ 101.850363][ T5339] ? panic+0x770/0x770 [ 101.854434][ T5339] should_fail_ex+0x3aa/0x4e0 [ 101.859196][ T5339] prepare_alloc_pages+0x1d9/0x5b0 [ 101.864315][ T5339] __alloc_pages+0x165/0x670 [ 101.868908][ T5339] ? zone_statistics+0x170/0x170 [ 101.873863][ T5339] ? verify_lock_unused+0x140/0x140 [ 101.879053][ T5339] ? handle_mm_fault+0x11d/0x62b0 [ 101.884070][ T5339] ? __lock_acquire+0x7f70/0x7f70 [ 101.889084][ T5339] ? pte_offset_map_nolock+0x137/0x1e0 [ 101.894539][ T5339] __folio_alloc+0x13/0x30 [ 101.898953][ T5339] vma_alloc_folio+0x48a/0x9a0 [ 101.903733][ T5339] handle_mm_fault+0x2376/0x62b0 [ 101.908693][ T5339] ? handle_mm_fault+0x11d/0x62b0 [ 101.913751][ T5339] ? numa_migrate_prep+0x380/0x380 [ 101.918879][ T5339] ? mtree_range_walk+0x6a0/0x7e0 [ 101.923909][ T5339] ? lock_vma_under_rcu+0x187/0x6f0 [ 101.929118][ T5339] ? __lock_acquire+0x7f70/0x7f70 [ 101.934144][ T5339] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 101.939354][ T5339] ? lock_vma_under_rcu+0x5df/0x6f0 [ 101.944555][ T5339] ? lock_vma_under_rcu+0x187/0x6f0 [ 101.949766][ T5339] ? exc_page_fault+0x10f/0x860 [ 101.954620][ T5339] exc_page_fault+0x455/0x860 [ 101.959321][ T5339] asm_exc_page_fault+0x26/0x30 [ 101.964166][ T5339] RIP: 0033:0x7f794735bc53 [ 101.968588][ T5339] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 101.988535][ T5339] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5338] munmap(0x7f793ef31000, 2097152) = 0 [pid 5338] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 101.994598][ T5339] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 102.002560][ T5339] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 102.010533][ T5339] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 102.018495][ T5339] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 102.026543][ T5339] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 102.034520][ T5339] [ 102.038883][ T5339] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5338] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5338] close(3) = 0 [pid 5338] mkdir("./file0", 0777) = 0 [pid 5338] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [ 102.046776][ T5338] loop0: detected capacity change from 0 to 4096 [ 102.057802][ T5338] __ntfs_error: 183 callbacks suppressed [ 102.057815][ T5338] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 102.074790][ T5338] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5339] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5339] munmap(0x7f7936b10000, 2097152) = 0 [pid 5339] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5339] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5339] ioctl(3, LOOP_CLR_FD) = 0 [pid 5339] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5339] close(3) = 0 [pid 5339] close(5) = 0 [pid 5339] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5339] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5337] <... futex resumed>) = 0 [ 102.088129][ T5338] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 102.103245][ T5338] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 102.113362][ T5338] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 102.121844][ T5338] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 102.135531][ T5338] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [pid 5338] <... mount resumed>) = 0 [pid 5338] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5338] chdir("./file0") = 0 [pid 5338] ioctl(6, LOOP_CLR_FD) = 0 [pid 5338] close(6) = 0 [pid 5338] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5338] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5337] exit_group(0 [pid 5339] <... futex resumed>) = ? [pid 5339] +++ exited with 0 +++ [pid 5338] <... futex resumed>) = ? [pid 5337] <... exit_group resumed>) = ? [pid 5338] +++ exited with 0 +++ [pid 5337] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5337, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=44 /* 0.44 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./99", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./99", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./99/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./99/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./99/binderfs") = 0 umount2("./99/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./99/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./99/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./99/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./99/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./99/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./99") = 0 [ 102.158167][ T5338] ntfs: volume version 12.0. [ 102.163232][ T5338] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 102.172161][ T5338] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 102.186022][ T5338] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. mkdir("./100", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5340 ./strace-static-x86_64: Process 5340 attached [pid 5340] set_robust_list(0x555555f176a0, 24) = 0 [pid 5340] chdir("./100") = 0 [pid 5340] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5340] setpgid(0, 0) = 0 [pid 5340] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5340] write(3, "1000", 4) = 4 [pid 5340] close(3) = 0 [pid 5340] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5340] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5340] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5340] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5340] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5340] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5340] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5340] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5341]}, 88) = 5341 [pid 5340] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5340] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5341 attached [pid 5340] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5341] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5340] <... futex resumed>) = 0 [pid 5341] <... rseq resumed>) = 0 [pid 5340] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5341] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5340] <... mmap resumed>) = 0x7f7947310000 [pid 5341] rt_sigprocmask(SIG_SETMASK, [], [pid 5340] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5341] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5340] <... mprotect resumed>) = 0 [pid 5340] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5341] memfd_create("syzkaller", 0 [pid 5340] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5340] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5342 attached => {parent_tid=[5342]}, 88) = 5342 [pid 5342] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5340] rt_sigprocmask(SIG_SETMASK, [], [pid 5341] <... memfd_create resumed>) = 3 [pid 5342] <... rseq resumed>) = 0 [pid 5340] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5342] set_robust_list(0x7f79473309a0, 24 [pid 5341] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5342] <... set_robust_list resumed>) = 0 [pid 5340] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5341] <... mmap resumed>) = 0x7f793ef10000 [pid 5342] rt_sigprocmask(SIG_SETMASK, [], [pid 5340] <... futex resumed>) = 0 [pid 5342] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5340] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5342] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5341] munmap(0x7f793ef10000, 138412032 [pid 5342] <... openat resumed>) = 4 [pid 5342] write(4, "85", 2) = 2 [pid 5341] <... munmap resumed>) = 0 [pid 5342] memfd_create("syzkaller", 0 [pid 5341] close(3 [pid 5342] <... memfd_create resumed>) = 5 [pid 5341] <... close resumed>) = 0 [pid 5341] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5342] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5341] <... futex resumed>) = 0 [ 102.294984][ T5342] FAULT_INJECTION: forcing a failure. [ 102.294984][ T5342] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 102.308392][ T5342] CPU: 0 PID: 5342 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 102.318816][ T5342] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 102.328897][ T5342] Call Trace: [ 102.332174][ T5342] [ 102.335114][ T5342] dump_stack_lvl+0x1e7/0x2d0 [ 102.339804][ T5342] ? nf_tcp_handle_invalid+0x650/0x650 [ 102.345255][ T5342] ? panic+0x770/0x770 [ 102.349334][ T5342] should_fail_ex+0x3aa/0x4e0 [ 102.354018][ T5342] prepare_alloc_pages+0x1d9/0x5b0 [ 102.359139][ T5342] __alloc_pages+0x165/0x670 [ 102.363728][ T5342] ? zone_statistics+0x170/0x170 [ 102.368693][ T5342] ? verify_lock_unused+0x140/0x140 [ 102.374106][ T5342] ? handle_mm_fault+0x11d/0x62b0 [ 102.379156][ T5342] ? __lock_acquire+0x7f70/0x7f70 [ 102.384180][ T5342] ? pte_offset_map_nolock+0x137/0x1e0 [ 102.389659][ T5342] __folio_alloc+0x13/0x30 [ 102.394089][ T5342] vma_alloc_folio+0x48a/0x9a0 [ 102.399652][ T5342] handle_mm_fault+0x2376/0x62b0 [ 102.404620][ T5342] ? handle_mm_fault+0x11d/0x62b0 [ 102.409970][ T5342] ? numa_migrate_prep+0x380/0x380 [ 102.415187][ T5342] ? mtree_range_walk+0x6a0/0x7e0 [ 102.420225][ T5342] ? lock_vma_under_rcu+0x187/0x6f0 [ 102.425425][ T5342] ? __lock_acquire+0x7f70/0x7f70 [ 102.430446][ T5342] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 102.435653][ T5342] ? lock_vma_under_rcu+0x5df/0x6f0 [ 102.440850][ T5342] ? lock_vma_under_rcu+0x187/0x6f0 [ 102.446079][ T5342] ? exc_page_fault+0x10f/0x860 [ 102.450928][ T5342] exc_page_fault+0x455/0x860 [ 102.455707][ T5342] asm_exc_page_fault+0x26/0x30 [ 102.460643][ T5342] RIP: 0033:0x7f794735bd00 [ 102.465052][ T5342] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 102.484839][ T5342] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5341] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5342] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5342] munmap(0x7f793ef10000, 2097152) = 0 [pid 5342] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 102.490906][ T5342] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 102.498965][ T5342] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 102.506935][ T5342] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 102.514899][ T5342] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 102.522887][ T5342] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 102.531559][ T5342] [ 102.534769][ T5342] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5342] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5342] close(5) = 0 [pid 5342] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5342] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 102.572743][ T5342] loop0: detected capacity change from 0 to 4096 [ 102.592802][ T5342] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 102.599960][ T5342] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5342] ioctl(3, LOOP_CLR_FD) = 0 [pid 5342] close(3) = 0 [pid 5342] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5340] <... futex resumed>) = 0 [pid 5342] <... futex resumed>) = 1 [pid 5340] exit_group(0 [pid 5342] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5341] <... futex resumed>) = ? [pid 5340] <... exit_group resumed>) = ? [pid 5341] +++ exited with 0 +++ [pid 5342] +++ exited with 0 +++ [pid 5340] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5340, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=9 /* 0.09 s */} --- umount2("./100", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./100", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./100/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./100/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./100/binderfs") = 0 umount2("\x2e\x2f\x31\x30\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x30\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x30\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x30\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x30\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./100") = 0 mkdir("./101", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5343 attached , child_tidptr=0x555555f17690) = 5343 [pid 5343] set_robust_list(0x555555f176a0, 24) = 0 [pid 5343] chdir("./101") = 0 [pid 5343] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5343] setpgid(0, 0) = 0 [pid 5343] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5343] write(3, "1000", 4) = 4 [pid 5343] close(3) = 0 [pid 5343] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5343] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5343] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5343] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5343] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5343] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5343] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5343] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5344 attached [pid 5344] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5344] set_robust_list(0x7f79473519a0, 24 [pid 5343] <... clone3 resumed> => {parent_tid=[5344]}, 88) = 5344 [pid 5344] <... set_robust_list resumed>) = 0 [pid 5344] rt_sigprocmask(SIG_SETMASK, [], [pid 5343] rt_sigprocmask(SIG_SETMASK, [], [pid 5344] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5343] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5344] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5343] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5344] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5343] <... futex resumed>) = 0 [pid 5343] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5343] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5343] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5344] memfd_create("syzkaller", 0) = 3 [pid 5343] <... mprotect resumed>) = 0 [pid 5344] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5343] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5344] <... mmap resumed>) = 0x7f793ef10000 [pid 5343] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5343] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5345]}, 88) = 5345 [pid 5343] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5343] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5343] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5345 attached [pid 5345] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5345] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5345] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5344] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5345] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5345] write(4, "85", 2) = 2 [pid 5345] memfd_create("syzkaller", 0) = 5 [pid 5345] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5344] <... write resumed>) = 2097152 [pid 5344] munmap(0x7f793ef10000, 2097152) = 0 [pid 5344] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5344] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5344] close(3) = 0 [pid 5344] mkdir("./file0", 0777) = 0 [pid 5344] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5344] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5344] chdir("./file0") = 0 [pid 5344] ioctl(6, LOOP_CLR_FD) = 0 [pid 5344] close(6) = 0 [pid 5344] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 102.752482][ T5344] loop0: detected capacity change from 0 to 4096 [ 102.754946][ T5345] FAULT_INJECTION: forcing a failure. [ 102.754946][ T5345] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 102.766680][ T5344] ntfs: volume version 12.0. [ 102.777662][ T5345] CPU: 1 PID: 5345 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 102.788109][ T5345] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 102.798189][ T5345] Call Trace: [ 102.801486][ T5345] [ 102.804432][ T5345] dump_stack_lvl+0x1e7/0x2d0 [ 102.809134][ T5345] ? nf_tcp_handle_invalid+0x650/0x650 [ 102.814618][ T5345] ? panic+0x770/0x770 [ 102.818821][ T5345] should_fail_ex+0x3aa/0x4e0 [ 102.823530][ T5345] prepare_alloc_pages+0x1d9/0x5b0 [ 102.828677][ T5345] __alloc_pages+0x165/0x670 [ 102.833291][ T5345] ? zone_statistics+0x170/0x170 [ 102.838239][ T5345] ? verify_lock_unused+0x140/0x140 [ 102.843607][ T5345] ? handle_mm_fault+0x11d/0x62b0 [ 102.848633][ T5345] ? __lock_acquire+0x7f70/0x7f70 [ 102.853664][ T5345] ? pte_offset_map_nolock+0x137/0x1e0 [ 102.859153][ T5345] __folio_alloc+0x13/0x30 [ 102.863564][ T5345] vma_alloc_folio+0x48a/0x9a0 [ 102.868413][ T5345] handle_mm_fault+0x2376/0x62b0 [ 102.873352][ T5345] ? handle_mm_fault+0x11d/0x62b0 [ 102.878379][ T5345] ? numa_migrate_prep+0x380/0x380 [ 102.883504][ T5345] ? mtree_range_walk+0x6a0/0x7e0 [ 102.888537][ T5345] ? lock_vma_under_rcu+0x187/0x6f0 [ 102.893740][ T5345] ? __lock_acquire+0x7f70/0x7f70 [ 102.898859][ T5345] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 102.904082][ T5345] ? lock_vma_under_rcu+0x5df/0x6f0 [ 102.909279][ T5345] ? lock_vma_under_rcu+0x187/0x6f0 [ 102.914478][ T5345] ? exc_page_fault+0x10f/0x860 [ 102.919431][ T5345] exc_page_fault+0x455/0x860 [ 102.924121][ T5345] asm_exc_page_fault+0x26/0x30 [ 102.929073][ T5345] RIP: 0033:0x7f794735bc53 [ 102.933477][ T5345] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 102.953100][ T5345] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 102.959259][ T5345] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 102.967253][ T5345] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 102.975227][ T5345] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 102.983228][ T5345] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 102.991212][ T5345] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 102.999326][ T5345] [pid 5344] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5345] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5345] munmap(0x7f7936b10000, 2097152) = 0 [pid 5345] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5345] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5345] ioctl(6, LOOP_CLR_FD) = 0 [pid 5345] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5345] close(6) = 0 [ 103.002619][ T5345] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5345] close(5) = 0 [pid 5345] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5345] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5343] <... futex resumed>) = 0 [pid 5343] exit_group(0 [pid 5344] <... futex resumed>) = ? [pid 5343] <... exit_group resumed>) = ? [pid 5344] +++ exited with 0 +++ [pid 5345] <... futex resumed>) = ? [pid 5345] +++ exited with 0 +++ [pid 5343] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5343, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./101", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./101", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./101/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./101/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./101/binderfs") = 0 umount2("./101/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./101/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./101/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./101/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./101/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./101/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./101") = 0 mkdir("./102", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5346 attached , child_tidptr=0x555555f17690) = 5346 [pid 5346] set_robust_list(0x555555f176a0, 24) = 0 [pid 5346] chdir("./102") = 0 [pid 5346] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5346] setpgid(0, 0) = 0 [pid 5346] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5346] write(3, "1000", 4) = 4 [pid 5346] close(3) = 0 [pid 5346] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5346] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5346] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5346] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5346] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5346] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5346] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5346] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5347 attached [pid 5347] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5346] <... clone3 resumed> => {parent_tid=[5347]}, 88) = 5347 [pid 5347] <... rseq resumed>) = 0 [pid 5346] rt_sigprocmask(SIG_SETMASK, [], [pid 5347] set_robust_list(0x7f79473519a0, 24 [pid 5346] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5347] <... set_robust_list resumed>) = 0 [pid 5346] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5347] rt_sigprocmask(SIG_SETMASK, [], [pid 5346] <... futex resumed>) = 0 [pid 5347] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5346] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5346] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5346] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5347] memfd_create("syzkaller", 0) = 3 [pid 5346] <... mprotect resumed>) = 0 [pid 5347] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5346] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5347] <... mmap resumed>) = 0x7f793ef10000 [pid 5346] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5346] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5348]}, 88) = 5348 [pid 5346] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5346] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5346] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5348 attached [pid 5348] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5348] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5348] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5348] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5348] write(4, "85", 2) = 2 [pid 5348] memfd_create("syzkaller", 0) = 5 [pid 5348] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5347] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 103.145510][ T5348] FAULT_INJECTION: forcing a failure. [ 103.145510][ T5348] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 103.159049][ T5348] CPU: 1 PID: 5348 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 103.169490][ T5348] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 103.179586][ T5348] Call Trace: [ 103.182889][ T5348] [ 103.185821][ T5348] dump_stack_lvl+0x1e7/0x2d0 [ 103.190492][ T5348] ? nf_tcp_handle_invalid+0x650/0x650 [ 103.195945][ T5348] ? panic+0x770/0x770 [ 103.200012][ T5348] should_fail_ex+0x3aa/0x4e0 [ 103.204685][ T5348] prepare_alloc_pages+0x1d9/0x5b0 [ 103.209794][ T5348] __alloc_pages+0x165/0x670 [ 103.214402][ T5348] ? zone_statistics+0x170/0x170 [ 103.219337][ T5348] ? verify_lock_unused+0x140/0x140 [ 103.224536][ T5348] ? handle_mm_fault+0x11d/0x62b0 [ 103.229579][ T5348] ? __lock_acquire+0x7f70/0x7f70 [ 103.234615][ T5348] ? pte_offset_map_nolock+0x137/0x1e0 [ 103.240071][ T5348] __folio_alloc+0x13/0x30 [ 103.245004][ T5348] vma_alloc_folio+0x48a/0x9a0 [ 103.249767][ T5348] handle_mm_fault+0x2376/0x62b0 [ 103.254704][ T5348] ? handle_mm_fault+0x11d/0x62b0 [ 103.259813][ T5348] ? numa_migrate_prep+0x380/0x380 [ 103.264924][ T5348] ? mtree_range_walk+0x6a0/0x7e0 [ 103.269955][ T5348] ? lock_vma_under_rcu+0x187/0x6f0 [ 103.275155][ T5348] ? __lock_acquire+0x7f70/0x7f70 [ 103.280171][ T5348] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 103.285378][ T5348] ? lock_vma_under_rcu+0x5df/0x6f0 [ 103.290611][ T5348] ? lock_vma_under_rcu+0x187/0x6f0 [ 103.295820][ T5348] ? exc_page_fault+0x10f/0x860 [ 103.300673][ T5348] exc_page_fault+0x455/0x860 [ 103.305350][ T5348] asm_exc_page_fault+0x26/0x30 [ 103.310195][ T5348] RIP: 0033:0x7f794735bc53 [ 103.314615][ T5348] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 103.334823][ T5348] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5347] munmap(0x7f793ef10000, 2097152) = 0 [pid 5347] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 103.340887][ T5348] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 103.348855][ T5348] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 103.356819][ T5348] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 103.364784][ T5348] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 103.372751][ T5348] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 103.380745][ T5348] [ 103.384413][ T5348] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5347] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5347] close(3) = 0 [pid 5347] mkdir("./file0", 0777) = 0 [pid 5347] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5348] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5347] <... mount resumed>) = 0 [pid 5347] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5347] chdir("./file0") = 0 [pid 5347] ioctl(6, LOOP_CLR_FD) = 0 [pid 5347] close(6) = 0 [pid 5347] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5347] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5348] <... write resumed>) = 2097152 [pid 5348] munmap(0x7f7936b10000, 2097152) = 0 [pid 5348] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5348] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5348] ioctl(6, LOOP_CLR_FD) = 0 [pid 5348] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5348] close(6) = 0 [ 103.395975][ T5347] loop0: detected capacity change from 0 to 4096 [ 103.410654][ T5347] ntfs: volume version 12.0. [pid 5348] close(5) = 0 [pid 5348] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5348] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5346] <... futex resumed>) = 0 [pid 5346] exit_group(0 [pid 5348] <... futex resumed>) = ? [pid 5347] <... futex resumed>) = ? [pid 5348] +++ exited with 0 +++ [pid 5347] +++ exited with 0 +++ [pid 5346] <... exit_group resumed>) = ? [pid 5346] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5346, si_uid=0, si_status=0, si_utime=0, si_stime=13 /* 0.13 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./102", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./102", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./102/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./102/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./102/binderfs") = 0 umount2("./102/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./102/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./102/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./102/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./102/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./102/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./102") = 0 mkdir("./103", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5349 attached [pid 5349] set_robust_list(0x555555f176a0, 24) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5349 [pid 5349] chdir("./103") = 0 [pid 5349] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5349] setpgid(0, 0) = 0 [pid 5349] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5349] write(3, "1000", 4) = 4 [pid 5349] close(3) = 0 [pid 5349] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5349] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5349] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5349] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5349] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5349] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5349] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5349] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5350 attached [pid 5350] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5349] <... clone3 resumed> => {parent_tid=[5350]}, 88) = 5350 [pid 5350] <... rseq resumed>) = 0 [pid 5349] rt_sigprocmask(SIG_SETMASK, [], [pid 5350] set_robust_list(0x7f79473519a0, 24 [pid 5349] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5350] <... set_robust_list resumed>) = 0 [pid 5349] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5350] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5349] <... futex resumed>) = 0 [pid 5349] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5349] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5350] memfd_create("syzkaller", 0) = 3 [pid 5350] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5349] <... mmap resumed>) = 0x7f7947310000 [pid 5350] <... mmap resumed>) = 0x7f793ef10000 [pid 5349] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5349] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5349] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5351 attached [pid 5351] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5349] <... clone3 resumed> => {parent_tid=[5351]}, 88) = 5351 [pid 5351] <... rseq resumed>) = 0 [pid 5349] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5351] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5349] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5351] rt_sigprocmask(SIG_SETMASK, [], [pid 5349] <... futex resumed>) = 0 [pid 5351] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5349] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5351] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5351] write(4, "85", 2) = 2 [pid 5351] memfd_create("syzkaller", 0) = 5 [pid 5351] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5350] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 103.573735][ T5351] FAULT_INJECTION: forcing a failure. [ 103.573735][ T5351] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 103.587067][ T5351] CPU: 1 PID: 5351 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 103.597507][ T5351] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 103.607592][ T5351] Call Trace: [ 103.610888][ T5351] [ 103.613812][ T5351] dump_stack_lvl+0x1e7/0x2d0 [ 103.618486][ T5351] ? nf_tcp_handle_invalid+0x650/0x650 [ 103.623948][ T5351] ? panic+0x770/0x770 [ 103.628051][ T5351] should_fail_ex+0x3aa/0x4e0 [ 103.632754][ T5351] prepare_alloc_pages+0x1d9/0x5b0 [ 103.637876][ T5351] __alloc_pages+0x165/0x670 [ 103.642566][ T5351] ? zone_statistics+0x170/0x170 [ 103.647600][ T5351] ? verify_lock_unused+0x140/0x140 [ 103.652806][ T5351] ? handle_mm_fault+0x11d/0x62b0 [ 103.657848][ T5351] ? __lock_acquire+0x7f70/0x7f70 [ 103.662866][ T5351] ? pte_offset_map_nolock+0x137/0x1e0 [ 103.668323][ T5351] __folio_alloc+0x13/0x30 [ 103.672744][ T5351] vma_alloc_folio+0x48a/0x9a0 [ 103.677505][ T5351] handle_mm_fault+0x2376/0x62b0 [ 103.682446][ T5351] ? handle_mm_fault+0x11d/0x62b0 [ 103.687476][ T5351] ? numa_migrate_prep+0x380/0x380 [ 103.692596][ T5351] ? mtree_range_walk+0x6a0/0x7e0 [ 103.697621][ T5351] ? lock_vma_under_rcu+0x187/0x6f0 [ 103.702811][ T5351] ? __lock_acquire+0x7f70/0x7f70 [ 103.707822][ T5351] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 103.713022][ T5351] ? lock_vma_under_rcu+0x5df/0x6f0 [ 103.718212][ T5351] ? lock_vma_under_rcu+0x187/0x6f0 [ 103.723499][ T5351] ? exc_page_fault+0x10f/0x860 [ 103.728344][ T5351] exc_page_fault+0x455/0x860 [ 103.733015][ T5351] asm_exc_page_fault+0x26/0x30 [ 103.737862][ T5351] RIP: 0033:0x7f794735bc53 [ 103.742270][ T5351] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 103.761953][ T5351] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5350] munmap(0x7f793ef10000, 2097152) = 0 [pid 5350] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 103.768109][ T5351] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 103.776157][ T5351] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 103.784122][ T5351] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 103.792084][ T5351] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 103.800046][ T5351] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 103.808021][ T5351] [ 103.811743][ T5351] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5350] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5350] close(3) = 0 [pid 5350] mkdir("./file0", 0777) = 0 [pid 5350] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5351] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5350] <... mount resumed>) = 0 [pid 5350] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5350] chdir("./file0") = 0 [pid 5350] ioctl(6, LOOP_CLR_FD) = 0 [pid 5350] close(6) = 0 [pid 5350] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5350] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5351] <... write resumed>) = 2097152 [pid 5351] munmap(0x7f7936b10000, 2097152) = 0 [pid 5351] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5351] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5351] ioctl(6, LOOP_CLR_FD) = 0 [pid 5351] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5351] close(6) = 0 [ 103.823403][ T5350] loop0: detected capacity change from 0 to 4096 [ 103.842249][ T5350] ntfs: volume version 12.0. [pid 5351] close(5) = 0 [pid 5351] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5349] <... futex resumed>) = 0 [pid 5351] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5349] exit_group(0 [pid 5351] <... futex resumed>) = ? [pid 5350] <... futex resumed>) = ? [pid 5349] <... exit_group resumed>) = ? [pid 5351] +++ exited with 0 +++ [pid 5350] +++ exited with 0 +++ [pid 5349] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5349, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./103", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./103", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./103/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./103/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./103/binderfs") = 0 umount2("./103/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./103/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./103/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./103/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./103/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./103/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./103") = 0 mkdir("./104", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5352 attached , child_tidptr=0x555555f17690) = 5352 [pid 5352] set_robust_list(0x555555f176a0, 24) = 0 [pid 5352] chdir("./104") = 0 [pid 5352] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5352] setpgid(0, 0) = 0 [pid 5352] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5352] write(3, "1000", 4) = 4 [pid 5352] close(3) = 0 [pid 5352] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5352] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5352] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5352] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5352] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5352] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5352] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5352] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5353 attached => {parent_tid=[5353]}, 88) = 5353 [pid 5352] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5352] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5352] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5353] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5352] <... futex resumed>) = 0 [pid 5353] set_robust_list(0x7f79473519a0, 24 [pid 5352] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5353] <... set_robust_list resumed>) = 0 [pid 5353] rt_sigprocmask(SIG_SETMASK, [], [pid 5352] <... mmap resumed>) = 0x7f7947310000 [pid 5353] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5352] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5352] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5352] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5353] memfd_create("syzkaller", 0./strace-static-x86_64: Process 5354 attached [pid 5354] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5353] <... memfd_create resumed>) = 3 [pid 5352] <... clone3 resumed> => {parent_tid=[5354]}, 88) = 5354 [pid 5354] <... rseq resumed>) = 0 [pid 5352] rt_sigprocmask(SIG_SETMASK, [], [pid 5354] set_robust_list(0x7f79473309a0, 24 [pid 5352] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5354] <... set_robust_list resumed>) = 0 [pid 5352] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5353] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5354] rt_sigprocmask(SIG_SETMASK, [], [pid 5353] <... mmap resumed>) = 0x7f793ef10000 [pid 5352] <... futex resumed>) = 0 [pid 5354] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5353] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5354] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5352] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5354] <... openat resumed>) = 4 [pid 5354] write(4, "85", 2) = 2 [pid 5354] memfd_create("syzkaller", 0) = 5 [pid 5354] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5353] <... write resumed>) = 2097152 [ 103.989068][ T5354] FAULT_INJECTION: forcing a failure. [ 103.989068][ T5354] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 104.002438][ T5354] CPU: 1 PID: 5354 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 104.012862][ T5354] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 104.022912][ T5354] Call Trace: [ 104.026201][ T5354] [ 104.029142][ T5354] dump_stack_lvl+0x1e7/0x2d0 [ 104.033828][ T5354] ? nf_tcp_handle_invalid+0x650/0x650 [ 104.039277][ T5354] ? panic+0x770/0x770 [ 104.043342][ T5354] should_fail_ex+0x3aa/0x4e0 [ 104.048018][ T5354] prepare_alloc_pages+0x1d9/0x5b0 [ 104.053130][ T5354] __alloc_pages+0x165/0x670 [ 104.057720][ T5354] ? zone_statistics+0x170/0x170 [ 104.062660][ T5354] ? verify_lock_unused+0x140/0x140 [ 104.067861][ T5354] ? handle_mm_fault+0x11d/0x62b0 [ 104.072969][ T5354] ? __lock_acquire+0x7f70/0x7f70 [ 104.078001][ T5354] ? pte_offset_map_nolock+0x137/0x1e0 [ 104.083462][ T5354] __folio_alloc+0x13/0x30 [ 104.087874][ T5354] vma_alloc_folio+0x48a/0x9a0 [ 104.092659][ T5354] handle_mm_fault+0x2376/0x62b0 [ 104.097602][ T5354] ? handle_mm_fault+0x11d/0x62b0 [ 104.102650][ T5354] ? numa_migrate_prep+0x380/0x380 [ 104.107784][ T5354] ? mtree_range_walk+0x6a0/0x7e0 [ 104.112817][ T5354] ? lock_vma_under_rcu+0x187/0x6f0 [ 104.118021][ T5354] ? __lock_acquire+0x7f70/0x7f70 [ 104.123038][ T5354] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 104.128245][ T5354] ? lock_vma_under_rcu+0x5df/0x6f0 [ 104.133437][ T5354] ? lock_vma_under_rcu+0x187/0x6f0 [ 104.138637][ T5354] ? exc_page_fault+0x10f/0x860 [ 104.143482][ T5354] exc_page_fault+0x455/0x860 [ 104.148157][ T5354] asm_exc_page_fault+0x26/0x30 [ 104.152998][ T5354] RIP: 0033:0x7f794735bc53 [ 104.157404][ T5354] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 104.177002][ T5354] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5353] munmap(0x7f793ef10000, 2097152) = 0 [pid 5353] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5354] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5353] <... openat resumed>) = 6 [ 104.183085][ T5354] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 104.191051][ T5354] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 104.199014][ T5354] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 104.207061][ T5354] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 104.215033][ T5354] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 104.223006][ T5354] [ 104.226704][ T5354] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5353] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5353] close(3) = 0 [pid 5353] mkdir("./file0", 0777) = 0 [pid 5353] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5354] <... write resumed>) = 2097152 [pid 5354] munmap(0x7f7936b10000, 2097152 [pid 5353] <... mount resumed>) = 0 [pid 5353] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5353] chdir("./file0") = 0 [pid 5353] ioctl(6, LOOP_CLR_FD [pid 5354] <... munmap resumed>) = 0 [pid 5353] <... ioctl resumed>) = 0 [pid 5354] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 7 [pid 5353] close(6 [pid 5354] ioctl(7, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5354] ioctl(7, LOOP_CLR_FD [pid 5353] <... close resumed>) = 0 [pid 5353] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5353] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5354] <... ioctl resumed>) = 0 [pid 5354] ioctl(7, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5354] close(7) = 0 [pid 5354] close(5) = 0 [pid 5354] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5352] <... futex resumed>) = 0 [pid 5354] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5352] exit_group(0) = ? [pid 5354] <... futex resumed>) = ? [pid 5353] <... futex resumed>) = ? [pid 5354] +++ exited with 0 +++ [ 104.249226][ T5353] loop0: detected capacity change from 0 to 4096 [ 104.264424][ T5353] ntfs: volume version 12.0. [pid 5353] +++ exited with 0 +++ [pid 5352] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5352, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=9 /* 0.09 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./104", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./104", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./104/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./104/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./104/binderfs") = 0 umount2("./104/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./104/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./104/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./104/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./104/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./104/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./104") = 0 mkdir("./105", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5355 ./strace-static-x86_64: Process 5355 attached [pid 5355] set_robust_list(0x555555f176a0, 24) = 0 [pid 5355] chdir("./105") = 0 [pid 5355] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5355] setpgid(0, 0) = 0 [pid 5355] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5355] write(3, "1000", 4) = 4 [pid 5355] close(3) = 0 [pid 5355] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5355] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5355] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5355] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5355] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5355] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5355] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5355] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5356 attached => {parent_tid=[5356]}, 88) = 5356 [pid 5356] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5355] rt_sigprocmask(SIG_SETMASK, [], [pid 5356] <... rseq resumed>) = 0 [pid 5355] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5355] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5356] set_robust_list(0x7f79473519a0, 24 [pid 5355] <... futex resumed>) = 0 [pid 5356] <... set_robust_list resumed>) = 0 [pid 5355] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5356] rt_sigprocmask(SIG_SETMASK, [], [pid 5355] <... futex resumed>) = 0 [pid 5356] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5355] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5356] memfd_create("syzkaller", 0 [pid 5355] <... mmap resumed>) = 0x7f7947310000 [pid 5356] <... memfd_create resumed>) = 3 [pid 5355] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5356] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5355] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5356] <... mmap resumed>) = 0x7f793ef10000 [pid 5355] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5355] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5357]}, 88) = 5357 [pid 5355] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5355] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5355] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5357 attached [pid 5357] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5357] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5357] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5357] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5356] munmap(0x7f793ef10000, 138412032 [pid 5357] <... openat resumed>) = 4 [pid 5357] write(4, "85", 2) = 2 [pid 5357] memfd_create("syzkaller", 0) = 5 [pid 5357] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5356] <... munmap resumed>) = 0 [pid 5356] close(3) = 0 [pid 5356] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 104.392594][ T5357] FAULT_INJECTION: forcing a failure. [ 104.392594][ T5357] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 104.406407][ T5357] CPU: 0 PID: 5357 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 104.416861][ T5357] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 104.426911][ T5357] Call Trace: [ 104.430180][ T5357] [ 104.433115][ T5357] dump_stack_lvl+0x1e7/0x2d0 [ 104.437802][ T5357] ? nf_tcp_handle_invalid+0x650/0x650 [ 104.443249][ T5357] ? panic+0x770/0x770 [ 104.447333][ T5357] should_fail_ex+0x3aa/0x4e0 [ 104.452022][ T5357] prepare_alloc_pages+0x1d9/0x5b0 [ 104.457217][ T5357] __alloc_pages+0x165/0x670 [ 104.461800][ T5357] ? zone_statistics+0x170/0x170 [ 104.466749][ T5357] ? verify_lock_unused+0x140/0x140 [ 104.471956][ T5357] ? handle_mm_fault+0x11d/0x62b0 [ 104.476973][ T5357] ? __lock_acquire+0x7f70/0x7f70 [ 104.482004][ T5357] ? pte_offset_map_nolock+0x137/0x1e0 [ 104.487491][ T5357] __folio_alloc+0x13/0x30 [ 104.491925][ T5357] vma_alloc_folio+0x48a/0x9a0 [ 104.496692][ T5357] handle_mm_fault+0x2376/0x62b0 [ 104.501653][ T5357] ? handle_mm_fault+0x11d/0x62b0 [ 104.506677][ T5357] ? numa_migrate_prep+0x380/0x380 [ 104.511789][ T5357] ? mtree_range_walk+0x6a0/0x7e0 [ 104.516814][ T5357] ? lock_vma_under_rcu+0x187/0x6f0 [ 104.522020][ T5357] ? __lock_acquire+0x7f70/0x7f70 [ 104.527122][ T5357] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 104.532340][ T5357] ? lock_vma_under_rcu+0x5df/0x6f0 [ 104.537539][ T5357] ? lock_vma_under_rcu+0x187/0x6f0 [ 104.542766][ T5357] ? exc_page_fault+0x10f/0x860 [ 104.547669][ T5357] exc_page_fault+0x455/0x860 [ 104.552350][ T5357] asm_exc_page_fault+0x26/0x30 [ 104.557199][ T5357] RIP: 0033:0x7f794735bc53 [ 104.561628][ T5357] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 104.581254][ T5357] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5356] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5357] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5357] munmap(0x7f7936b10000, 2097152) = 0 [pid 5357] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 104.587338][ T5357] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 104.595300][ T5357] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 104.603275][ T5357] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 104.611264][ T5357] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 104.619399][ T5357] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 104.627370][ T5357] [ 104.630960][ T5357] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5357] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5357] close(5) = 0 [pid 5357] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5357] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 104.667630][ T5357] loop0: detected capacity change from 0 to 4096 [ 104.682582][ T5357] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 104.689741][ T5357] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5357] ioctl(3, LOOP_CLR_FD) = 0 [pid 5357] close(3) = 0 [pid 5357] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5355] <... futex resumed>) = 0 [pid 5355] exit_group(0 [pid 5356] <... futex resumed>) = ? [pid 5355] <... exit_group resumed>) = ? [pid 5356] +++ exited with 0 +++ [pid 5357] <... futex resumed>) = ? [pid 5357] +++ exited with 0 +++ [pid 5355] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5355, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./105", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./105", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./105/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./105/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./105/binderfs") = 0 umount2("\x2e\x2f\x31\x30\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x30\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x30\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x30\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x30\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./105") = 0 mkdir("./106", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5358 ./strace-static-x86_64: Process 5358 attached [pid 5358] set_robust_list(0x555555f176a0, 24) = 0 [pid 5358] chdir("./106") = 0 [pid 5358] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5358] setpgid(0, 0) = 0 [pid 5358] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5358] write(3, "1000", 4) = 4 [pid 5358] close(3) = 0 [pid 5358] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5358] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5358] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5358] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5358] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5358] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5358] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5358] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5359]}, 88) = 5359 [pid 5358] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5358] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5358] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5358] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5358] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5358] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5358] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5360 attached => {parent_tid=[5360]}, 88) = 5360 [pid 5360] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5358] rt_sigprocmask(SIG_SETMASK, [], [pid 5360] <... rseq resumed>) = 0 [pid 5358] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5360] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5358] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5360] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5358] <... futex resumed>) = 0 [pid 5358] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5359 attached [pid 5359] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5360] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5359] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5359] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5360] <... openat resumed>) = 3 [pid 5360] write(3, "85", 2) = 2 [pid 5360] memfd_create("syzkaller", 0 [pid 5359] memfd_create("syzkaller", 0 [pid 5360] <... memfd_create resumed>) = 4 [pid 5360] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5359] <... memfd_create resumed>) = 5 [pid 5359] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 104.825002][ T5360] FAULT_INJECTION: forcing a failure. [ 104.825002][ T5360] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 104.839294][ T5360] CPU: 0 PID: 5360 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 104.849732][ T5360] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 104.859780][ T5360] Call Trace: [ 104.863049][ T5360] [ 104.865975][ T5360] dump_stack_lvl+0x1e7/0x2d0 [ 104.870662][ T5360] ? nf_tcp_handle_invalid+0x650/0x650 [ 104.876112][ T5360] ? panic+0x770/0x770 [ 104.880182][ T5360] should_fail_ex+0x3aa/0x4e0 [ 104.884863][ T5360] prepare_alloc_pages+0x1d9/0x5b0 [ 104.889979][ T5360] __alloc_pages+0x165/0x670 [ 104.894568][ T5360] ? zone_statistics+0x170/0x170 [ 104.899509][ T5360] ? verify_lock_unused+0x140/0x140 [ 104.904700][ T5360] ? handle_mm_fault+0x11d/0x62b0 [ 104.909722][ T5360] ? __lock_acquire+0x7f70/0x7f70 [ 104.914734][ T5360] ? pte_offset_map_nolock+0x137/0x1e0 [ 104.920284][ T5360] __folio_alloc+0x13/0x30 [ 104.924691][ T5360] vma_alloc_folio+0x48a/0x9a0 [ 104.929456][ T5360] handle_mm_fault+0x2376/0x62b0 [ 104.934415][ T5360] ? handle_mm_fault+0x11d/0x62b0 [ 104.939457][ T5360] ? numa_migrate_prep+0x380/0x380 [ 104.944594][ T5360] ? mtree_range_walk+0x6a0/0x7e0 [ 104.949640][ T5360] ? lock_vma_under_rcu+0x187/0x6f0 [ 104.954853][ T5360] ? __lock_acquire+0x7f70/0x7f70 [ 104.959883][ T5360] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 104.965626][ T5360] ? lock_vma_under_rcu+0x5df/0x6f0 [ 104.970918][ T5360] ? lock_vma_under_rcu+0x187/0x6f0 [ 104.976141][ T5360] ? exc_page_fault+0x10f/0x860 [ 104.981006][ T5360] exc_page_fault+0x455/0x860 [ 104.985688][ T5360] asm_exc_page_fault+0x26/0x30 [ 104.990540][ T5360] RIP: 0033:0x7f794735bc53 [ 104.995051][ T5360] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 105.014654][ T5360] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5360] munmap(0x7f793ef10000, 138412032) = 0 [pid 5360] close(4) = 0 [pid 5360] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5358] <... futex resumed>) = 0 [pid 5360] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5359] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5359] munmap(0x7f7936b10000, 2097152) = 0 [ 105.020718][ T5360] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 105.028683][ T5360] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 105.037601][ T5360] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 105.045561][ T5360] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 105.053528][ T5360] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 105.061520][ T5360] [pid 5359] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5359] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5359] close(5) = 0 [pid 5359] mkdir("./file0", 0777) = 0 [pid 5359] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5359] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5359] chdir("./file0") = 0 [pid 5359] ioctl(4, LOOP_CLR_FD) = 0 [pid 5359] close(4) = 0 [pid 5359] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5359] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5358] exit_group(0) = ? [pid 5360] <... futex resumed>) = ? [pid 5360] +++ exited with 0 +++ [pid 5359] <... futex resumed>) = ? [pid 5359] +++ exited with 0 +++ [pid 5358] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5358, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./106", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./106", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./106/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./106/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./106/binderfs") = 0 umount2("./106/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./106/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./106/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./106/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./106/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./106/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 [ 105.107653][ T5359] loop0: detected capacity change from 0 to 4096 [ 105.121509][ T5359] ntfs: volume version 12.0. rmdir("./106") = 0 mkdir("./107", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5361 ./strace-static-x86_64: Process 5361 attached [pid 5361] set_robust_list(0x555555f176a0, 24) = 0 [pid 5361] chdir("./107") = 0 [pid 5361] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5361] setpgid(0, 0) = 0 [pid 5361] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5361] write(3, "1000", 4) = 4 [pid 5361] close(3) = 0 [pid 5361] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5361] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5361] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5361] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5361] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5361] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5361] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5361] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5362 attached [pid 5362] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5361] <... clone3 resumed> => {parent_tid=[5362]}, 88) = 5362 [pid 5362] <... rseq resumed>) = 0 [pid 5361] rt_sigprocmask(SIG_SETMASK, [], [pid 5362] set_robust_list(0x7f79473519a0, 24 [pid 5361] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5362] <... set_robust_list resumed>) = 0 [pid 5361] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5362] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5361] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5362] memfd_create("syzkaller", 0 [pid 5361] <... futex resumed>) = 0 [pid 5362] <... memfd_create resumed>) = 3 [pid 5361] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5362] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5361] <... mmap resumed>) = 0x7f7947310000 [pid 5361] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5362] <... mmap resumed>) = 0x7f793ef10000 [pid 5361] <... mprotect resumed>) = 0 [pid 5361] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5361] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5363 attached => {parent_tid=[5363]}, 88) = 5363 [pid 5363] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5361] rt_sigprocmask(SIG_SETMASK, [], [pid 5363] <... rseq resumed>) = 0 [pid 5361] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5363] set_robust_list(0x7f79473309a0, 24 [pid 5361] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5363] <... set_robust_list resumed>) = 0 [pid 5361] <... futex resumed>) = 0 [pid 5363] rt_sigprocmask(SIG_SETMASK, [], [pid 5361] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5363] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5363] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5363] write(4, "85", 2) = 2 [pid 5363] memfd_create("syzkaller", 0 [pid 5362] munmap(0x7f793ef10000, 138412032 [pid 5363] <... memfd_create resumed>) = 5 [pid 5363] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5362] <... munmap resumed>) = 0 [pid 5362] close(3) = 0 [pid 5362] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 105.236642][ T5363] FAULT_INJECTION: forcing a failure. [ 105.236642][ T5363] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 105.250235][ T5363] CPU: 0 PID: 5363 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 105.260657][ T5363] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 105.270703][ T5363] Call Trace: [ 105.273993][ T5363] [ 105.276925][ T5363] dump_stack_lvl+0x1e7/0x2d0 [ 105.281680][ T5363] ? nf_tcp_handle_invalid+0x650/0x650 [ 105.287130][ T5363] ? panic+0x770/0x770 [ 105.291194][ T5363] should_fail_ex+0x3aa/0x4e0 [ 105.295865][ T5363] prepare_alloc_pages+0x1d9/0x5b0 [ 105.300972][ T5363] __alloc_pages+0x165/0x670 [ 105.305551][ T5363] ? zone_statistics+0x170/0x170 [ 105.310480][ T5363] ? verify_lock_unused+0x140/0x140 [ 105.315725][ T5363] ? handle_mm_fault+0x11d/0x62b0 [ 105.320757][ T5363] ? __lock_acquire+0x7f70/0x7f70 [ 105.325780][ T5363] ? pte_offset_map_nolock+0x137/0x1e0 [ 105.331252][ T5363] __folio_alloc+0x13/0x30 [ 105.335757][ T5363] vma_alloc_folio+0x48a/0x9a0 [ 105.340543][ T5363] handle_mm_fault+0x2376/0x62b0 [ 105.345507][ T5363] ? handle_mm_fault+0x11d/0x62b0 [ 105.350553][ T5363] ? numa_migrate_prep+0x380/0x380 [ 105.355674][ T5363] ? mtree_range_walk+0x6a0/0x7e0 [ 105.360816][ T5363] ? lock_vma_under_rcu+0x187/0x6f0 [ 105.366027][ T5363] ? __lock_acquire+0x7f70/0x7f70 [ 105.371087][ T5363] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 105.376363][ T5363] ? lock_vma_under_rcu+0x5df/0x6f0 [ 105.381762][ T5363] ? lock_vma_under_rcu+0x187/0x6f0 [ 105.386995][ T5363] ? exc_page_fault+0x10f/0x860 [ 105.391881][ T5363] exc_page_fault+0x455/0x860 [ 105.396565][ T5363] asm_exc_page_fault+0x26/0x30 [ 105.401419][ T5363] RIP: 0033:0x7f794735bd00 [ 105.405851][ T5363] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 105.425637][ T5363] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5362] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5363] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5363] munmap(0x7f793ef10000, 2097152) = 0 [pid 5363] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 105.431700][ T5363] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 105.439664][ T5363] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 105.447636][ T5363] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 105.455696][ T5363] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 105.463679][ T5363] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 105.471660][ T5363] [pid 5363] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5363] close(5) = 0 [pid 5363] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5363] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5363] ioctl(3, LOOP_CLR_FD) = 0 [ 105.508718][ T5363] loop0: detected capacity change from 0 to 4096 [ 105.527834][ T5363] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 105.534881][ T5363] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5363] close(3) = 0 [pid 5363] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5361] <... futex resumed>) = 0 [pid 5363] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5361] exit_group(0) = ? [pid 5363] <... futex resumed>) = ? [pid 5363] +++ exited with 0 +++ [pid 5362] <... futex resumed>) = ? [pid 5362] +++ exited with 0 +++ [pid 5361] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5361, si_uid=0, si_status=0, si_utime=0, si_stime=8 /* 0.08 s */} --- umount2("./107", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./107", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./107/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./107/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./107/binderfs") = 0 umount2("\x2e\x2f\x31\x30\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x30\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x30\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x30\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x30\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./107") = 0 mkdir("./108", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5364 attached , child_tidptr=0x555555f17690) = 5364 [pid 5364] set_robust_list(0x555555f176a0, 24) = 0 [pid 5364] chdir("./108") = 0 [pid 5364] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5364] setpgid(0, 0) = 0 [pid 5364] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5364] write(3, "1000", 4) = 4 [pid 5364] close(3) = 0 [pid 5364] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5364] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5364] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5364] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5364] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5364] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5364] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5364] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5365 attached [pid 5365] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5364] <... clone3 resumed> => {parent_tid=[5365]}, 88) = 5365 [pid 5365] <... rseq resumed>) = 0 [pid 5365] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5365] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5364] rt_sigprocmask(SIG_SETMASK, [], [pid 5365] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5364] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5364] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5365] <... futex resumed>) = 0 [pid 5364] <... futex resumed>) = 1 [pid 5365] memfd_create("syzkaller", 0 [pid 5364] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5364] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5365] <... memfd_create resumed>) = 3 [pid 5365] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5364] <... mmap resumed>) = 0x7f7947310000 [pid 5364] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5365] <... mmap resumed>) = 0x7f793ef10000 [pid 5364] <... mprotect resumed>) = 0 [pid 5364] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5364] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5366 attached => {parent_tid=[5366]}, 88) = 5366 [pid 5366] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5364] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5366] <... rseq resumed>) = 0 [pid 5364] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5366] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5366] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5366] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5364] <... futex resumed>) = 0 [pid 5364] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5366] <... openat resumed>) = 4 [pid 5366] write(4, "85", 2) = 2 [pid 5366] memfd_create("syzkaller", 0) = 5 [pid 5366] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5365] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 105.664155][ T5366] FAULT_INJECTION: forcing a failure. [ 105.664155][ T5366] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 105.677695][ T5366] CPU: 1 PID: 5366 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 105.688150][ T5366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 105.698313][ T5366] Call Trace: [ 105.701599][ T5366] [ 105.705399][ T5366] dump_stack_lvl+0x1e7/0x2d0 [ 105.710111][ T5366] ? nf_tcp_handle_invalid+0x650/0x650 [ 105.715561][ T5366] ? panic+0x770/0x770 [ 105.719644][ T5366] should_fail_ex+0x3aa/0x4e0 [ 105.724416][ T5366] prepare_alloc_pages+0x1d9/0x5b0 [ 105.729528][ T5366] __alloc_pages+0x165/0x670 [ 105.734123][ T5366] ? zone_statistics+0x170/0x170 [ 105.739060][ T5366] ? verify_lock_unused+0x140/0x140 [ 105.744257][ T5366] ? handle_mm_fault+0x11d/0x62b0 [ 105.749291][ T5366] ? __lock_acquire+0x7f70/0x7f70 [ 105.754312][ T5366] ? pte_offset_map_nolock+0x137/0x1e0 [ 105.759798][ T5366] __folio_alloc+0x13/0x30 [ 105.764231][ T5366] vma_alloc_folio+0x48a/0x9a0 [ 105.768998][ T5366] handle_mm_fault+0x2376/0x62b0 [ 105.773935][ T5366] ? handle_mm_fault+0x11d/0x62b0 [ 105.778967][ T5366] ? numa_migrate_prep+0x380/0x380 [ 105.784081][ T5366] ? mtree_range_walk+0x6a0/0x7e0 [ 105.789109][ T5366] ? lock_vma_under_rcu+0x187/0x6f0 [ 105.794319][ T5366] ? __lock_acquire+0x7f70/0x7f70 [ 105.799347][ T5366] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 105.806466][ T5366] ? lock_vma_under_rcu+0x5df/0x6f0 [ 105.811679][ T5366] ? lock_vma_under_rcu+0x187/0x6f0 [ 105.816901][ T5366] ? exc_page_fault+0x10f/0x860 [ 105.821767][ T5366] exc_page_fault+0x455/0x860 [ 105.826443][ T5366] asm_exc_page_fault+0x26/0x30 [ 105.831295][ T5366] RIP: 0033:0x7f794735bc53 [ 105.835706][ T5366] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 105.855312][ T5366] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 105.861559][ T5366] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 105.869538][ T5366] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 105.877506][ T5366] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 105.885473][ T5366] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 105.893448][ T5366] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 105.901497][ T5366] [ 105.908467][ T5366] pagefault_out_of_memory: 2 callbacks suppressed [pid 5365] munmap(0x7f793ef10000, 2097152) = 0 [pid 5365] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5365] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5365] close(3) = 0 [pid 5365] mkdir("./file0", 0777) = 0 [pid 5365] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5365] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5365] chdir("./file0") = 0 [pid 5365] ioctl(6, LOOP_CLR_FD) = 0 [pid 5365] close(6 [pid 5366] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5365] <... close resumed>) = 0 [pid 5365] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5365] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5366] <... write resumed>) = 2097152 [pid 5366] munmap(0x7f7936b10000, 2097152) = 0 [pid 5366] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5366] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5366] ioctl(6, LOOP_CLR_FD) = 0 [pid 5366] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5366] close(6) = 0 [ 105.908481][ T5366] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 105.923578][ T5365] loop0: detected capacity change from 0 to 4096 [ 105.940087][ T5365] ntfs: volume version 12.0. [pid 5366] close(5) = 0 [pid 5366] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5366] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5364] <... futex resumed>) = 0 [pid 5364] exit_group(0 [pid 5366] <... futex resumed>) = ? [pid 5365] <... futex resumed>) = ? [pid 5364] <... exit_group resumed>) = ? [pid 5366] +++ exited with 0 +++ [pid 5365] +++ exited with 0 +++ [pid 5364] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5364, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=16 /* 0.16 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./108", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./108", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./108/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./108/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./108/binderfs") = 0 umount2("./108/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./108/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./108/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./108/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./108/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./108/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./108") = 0 mkdir("./109", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5367 attached , child_tidptr=0x555555f17690) = 5367 [pid 5367] set_robust_list(0x555555f176a0, 24) = 0 [pid 5367] chdir("./109") = 0 [pid 5367] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5367] setpgid(0, 0) = 0 [pid 5367] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5367] write(3, "1000", 4) = 4 [pid 5367] close(3) = 0 [pid 5367] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5367] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5367] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5367] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5367] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5367] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5367] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5367] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5368 attached => {parent_tid=[5368]}, 88) = 5368 [pid 5367] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5367] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5367] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5367] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5368] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5368] set_robust_list(0x7f79473519a0, 24 [pid 5367] <... mmap resumed>) = 0x7f7947310000 [pid 5368] <... set_robust_list resumed>) = 0 [pid 5368] rt_sigprocmask(SIG_SETMASK, [], [pid 5367] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5368] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5367] <... mprotect resumed>) = 0 [pid 5367] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5367] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5368] memfd_create("syzkaller", 0) = 3 ./strace-static-x86_64: Process 5369 attached [pid 5367] <... clone3 resumed> => {parent_tid=[5369]}, 88) = 5369 [pid 5369] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5368] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5367] rt_sigprocmask(SIG_SETMASK, [], [pid 5369] set_robust_list(0x7f79473309a0, 24 [pid 5367] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5369] <... set_robust_list resumed>) = 0 [pid 5369] rt_sigprocmask(SIG_SETMASK, [], [pid 5367] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5369] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5367] <... futex resumed>) = 0 [pid 5369] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5368] <... mmap resumed>) = 0x7f793ef10000 [pid 5367] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5369] <... openat resumed>) = 4 [pid 5368] munmap(0x7f793ef10000, 138412032) = 0 [pid 5369] write(4, "85", 2 [pid 5368] close(3 [pid 5369] <... write resumed>) = 2 [pid 5369] memfd_create("syzkaller", 0 [pid 5368] <... close resumed>) = 0 [pid 5369] <... memfd_create resumed>) = 3 [pid 5368] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5369] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5368] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5369] <... mmap resumed>) = 0x7f793ef10000 [ 106.076884][ T5369] FAULT_INJECTION: forcing a failure. [ 106.076884][ T5369] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 106.090469][ T5369] CPU: 0 PID: 5369 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 106.100905][ T5369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 106.110980][ T5369] Call Trace: [ 106.114259][ T5369] [ 106.117181][ T5369] dump_stack_lvl+0x1e7/0x2d0 [ 106.121867][ T5369] ? nf_tcp_handle_invalid+0x650/0x650 [ 106.127865][ T5369] ? panic+0x770/0x770 [ 106.131960][ T5369] should_fail_ex+0x3aa/0x4e0 [ 106.136658][ T5369] prepare_alloc_pages+0x1d9/0x5b0 [ 106.141792][ T5369] __alloc_pages+0x165/0x670 [ 106.146394][ T5369] ? zone_statistics+0x170/0x170 [ 106.151374][ T5369] ? verify_lock_unused+0x140/0x140 [ 106.156583][ T5369] ? handle_mm_fault+0x11d/0x62b0 [ 106.161603][ T5369] ? __lock_acquire+0x7f70/0x7f70 [ 106.166617][ T5369] ? pte_offset_map_nolock+0x137/0x1e0 [ 106.172071][ T5369] __folio_alloc+0x13/0x30 [ 106.176489][ T5369] vma_alloc_folio+0x48a/0x9a0 [ 106.181268][ T5369] handle_mm_fault+0x2376/0x62b0 [ 106.186224][ T5369] ? handle_mm_fault+0x11d/0x62b0 [ 106.191265][ T5369] ? numa_migrate_prep+0x380/0x380 [ 106.196374][ T5369] ? mtree_range_walk+0x6a0/0x7e0 [ 106.201392][ T5369] ? lock_vma_under_rcu+0x187/0x6f0 [ 106.206668][ T5369] ? __lock_acquire+0x7f70/0x7f70 [ 106.211680][ T5369] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 106.216895][ T5369] ? lock_vma_under_rcu+0x5df/0x6f0 [ 106.222100][ T5369] ? lock_vma_under_rcu+0x187/0x6f0 [ 106.227296][ T5369] ? exc_page_fault+0x10f/0x860 [ 106.232149][ T5369] exc_page_fault+0x455/0x860 [ 106.236836][ T5369] asm_exc_page_fault+0x26/0x30 [ 106.241678][ T5369] RIP: 0033:0x7f794735bd00 [ 106.246176][ T5369] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 106.265971][ T5369] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5369] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5369] munmap(0x7f793ef10000, 2097152) = 0 [pid 5369] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 106.272029][ T5369] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 106.279990][ T5369] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 106.287962][ T5369] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 106.295941][ T5369] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 106.303975][ T5369] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 106.311967][ T5369] [ 106.316693][ T5369] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5369] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5369] close(3) = 0 [pid 5369] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5369] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5369] ioctl(5, LOOP_CLR_FD) = 0 [ 106.353914][ T5369] loop0: detected capacity change from 0 to 4096 [ 106.370119][ T5369] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 106.377458][ T5369] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5369] close(5) = 0 [pid 5369] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5369] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5367] <... futex resumed>) = 0 [pid 5367] exit_group(0 [pid 5369] <... futex resumed>) = ? [pid 5369] +++ exited with 0 +++ [pid 5368] <... futex resumed>) = ? [pid 5368] +++ exited with 0 +++ [pid 5367] <... exit_group resumed>) = ? [pid 5367] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5367, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=8 /* 0.08 s */} --- umount2("./109", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./109", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./109/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./109/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./109/binderfs") = 0 umount2("\x2e\x2f\x31\x30\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x30\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x30\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x30\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x30\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./109") = 0 mkdir("./110", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5370 attached , child_tidptr=0x555555f17690) = 5370 [pid 5370] set_robust_list(0x555555f176a0, 24) = 0 [pid 5370] chdir("./110") = 0 [pid 5370] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5370] setpgid(0, 0) = 0 [pid 5370] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5370] write(3, "1000", 4) = 4 [pid 5370] close(3) = 0 [pid 5370] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5370] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5370] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5370] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5370] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5370] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5370] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5370] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5371 attached [pid 5371] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5371] set_robust_list(0x7f79473519a0, 24 [pid 5370] <... clone3 resumed> => {parent_tid=[5371]}, 88) = 5371 [pid 5370] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5370] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5370] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5370] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5370] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5370] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5370] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5372 attached [pid 5372] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5370] <... clone3 resumed> => {parent_tid=[5372]}, 88) = 5372 [pid 5372] set_robust_list(0x7f79473309a0, 24 [pid 5370] rt_sigprocmask(SIG_SETMASK, [], [pid 5372] <... set_robust_list resumed>) = 0 [pid 5370] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5372] rt_sigprocmask(SIG_SETMASK, [], [pid 5370] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5372] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5370] <... futex resumed>) = 0 [pid 5372] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5371] <... set_robust_list resumed>) = 0 [pid 5370] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5371] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5371] memfd_create("syzkaller", 0 [pid 5372] <... openat resumed>) = 3 [pid 5371] <... memfd_create resumed>) = 4 [pid 5372] write(3, "85", 2 [pid 5371] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5372] <... write resumed>) = 2 [pid 5371] <... mmap resumed>) = 0x7f793ef10000 [pid 5372] memfd_create("syzkaller", 0) = 5 [pid 5372] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 106.497130][ T5372] FAULT_INJECTION: forcing a failure. [ 106.497130][ T5372] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 106.510783][ T5372] CPU: 0 PID: 5372 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 106.521213][ T5372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 106.531272][ T5372] Call Trace: [ 106.534550][ T5372] [ 106.537477][ T5372] dump_stack_lvl+0x1e7/0x2d0 [ 106.542153][ T5372] ? nf_tcp_handle_invalid+0x650/0x650 [ 106.547602][ T5372] ? panic+0x770/0x770 [ 106.551674][ T5372] should_fail_ex+0x3aa/0x4e0 [ 106.556353][ T5372] prepare_alloc_pages+0x1d9/0x5b0 [ 106.561467][ T5372] __alloc_pages+0x165/0x670 [ 106.566058][ T5372] ? zone_statistics+0x170/0x170 [ 106.570997][ T5372] ? verify_lock_unused+0x140/0x140 [ 106.576188][ T5372] ? handle_mm_fault+0x11d/0x62b0 [ 106.581208][ T5372] ? __lock_acquire+0x7f70/0x7f70 [ 106.586224][ T5372] ? pte_offset_map_nolock+0x137/0x1e0 [ 106.591792][ T5372] __folio_alloc+0x13/0x30 [ 106.596209][ T5372] vma_alloc_folio+0x48a/0x9a0 [ 106.600976][ T5372] handle_mm_fault+0x2376/0x62b0 [ 106.605918][ T5372] ? handle_mm_fault+0x11d/0x62b0 [ 106.610946][ T5372] ? numa_migrate_prep+0x380/0x380 [ 106.616064][ T5372] ? mtree_range_walk+0x6a0/0x7e0 [ 106.621091][ T5372] ? lock_vma_under_rcu+0x187/0x6f0 [ 106.626291][ T5372] ? __lock_acquire+0x7f70/0x7f70 [ 106.631313][ T5372] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 106.636951][ T5372] ? lock_vma_under_rcu+0x5df/0x6f0 [ 106.642145][ T5372] ? lock_vma_under_rcu+0x187/0x6f0 [ 106.647348][ T5372] ? exc_page_fault+0x10f/0x860 [ 106.652201][ T5372] exc_page_fault+0x455/0x860 [ 106.656879][ T5372] asm_exc_page_fault+0x26/0x30 [ 106.661723][ T5372] RIP: 0033:0x7f794735bc53 [ 106.666132][ T5372] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 106.685754][ T5372] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5371] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5372] munmap(0x7f7936b10000, 138412032) = 0 [pid 5371] <... write resumed>) = 2097152 [pid 5371] munmap(0x7f793ef10000, 2097152 [pid 5372] close(5) = 0 [pid 5372] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5370] <... futex resumed>) = 0 [pid 5372] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5371] <... munmap resumed>) = 0 [pid 5371] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 106.691815][ T5372] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 106.699781][ T5372] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 106.707744][ T5372] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 106.715793][ T5372] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 106.723754][ T5372] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 106.731731][ T5372] [ 106.735176][ T5372] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5371] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5371] close(4) = 0 [pid 5371] mkdir("./file0", 0777) = 0 [pid 5371] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5371] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5371] chdir("./file0") = 0 [pid 5371] ioctl(5, LOOP_CLR_FD) = 0 [pid 5371] close(5) = 0 [pid 5371] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5371] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5370] exit_group(0 [pid 5371] <... futex resumed>) = ? [pid 5370] <... exit_group resumed>) = ? [pid 5371] +++ exited with 0 +++ [pid 5372] <... futex resumed>) = ? [pid 5372] +++ exited with 0 +++ [pid 5370] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5370, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=30 /* 0.30 s */} --- umount2("./110", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./110", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./110/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./110/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./110/binderfs") = 0 [ 106.772111][ T5371] loop0: detected capacity change from 0 to 4096 [ 106.785346][ T5371] ntfs: volume version 12.0. umount2("./110/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./110/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./110/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./110/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./110/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./110/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./110") = 0 mkdir("./111", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5373 ./strace-static-x86_64: Process 5373 attached [pid 5373] set_robust_list(0x555555f176a0, 24) = 0 [pid 5373] chdir("./111") = 0 [pid 5373] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5373] setpgid(0, 0) = 0 [pid 5373] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5373] write(3, "1000", 4) = 4 [pid 5373] close(3) = 0 [pid 5373] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5373] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5373] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5373] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5373] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5373] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5373] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5373] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5374 attached [pid 5374] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5373] <... clone3 resumed> => {parent_tid=[5374]}, 88) = 5374 [pid 5374] <... rseq resumed>) = 0 [pid 5374] set_robust_list(0x7f79473519a0, 24 [pid 5373] rt_sigprocmask(SIG_SETMASK, [], [pid 5374] <... set_robust_list resumed>) = 0 [pid 5374] rt_sigprocmask(SIG_SETMASK, [], [pid 5373] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5374] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5374] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5373] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5374] <... futex resumed>) = 0 [pid 5373] <... futex resumed>) = 1 [pid 5373] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5374] memfd_create("syzkaller", 0 [pid 5373] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5374] <... memfd_create resumed>) = 3 [pid 5374] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5373] <... mmap resumed>) = 0x7f7947310000 [pid 5373] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5374] <... mmap resumed>) = 0x7f793ef10000 [pid 5373] <... mprotect resumed>) = 0 [pid 5373] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5373] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5375 attached => {parent_tid=[5375]}, 88) = 5375 [pid 5373] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5373] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5373] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5375] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5375] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5375] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5375] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5375] write(4, "85", 2) = 2 [pid 5375] memfd_create("syzkaller", 0) = 5 [pid 5375] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5374] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 106.910626][ T5375] FAULT_INJECTION: forcing a failure. [ 106.910626][ T5375] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 106.924422][ T5375] CPU: 0 PID: 5375 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 106.934964][ T5375] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 106.945029][ T5375] Call Trace: [ 106.948298][ T5375] [ 106.951218][ T5375] dump_stack_lvl+0x1e7/0x2d0 [ 106.955895][ T5375] ? nf_tcp_handle_invalid+0x650/0x650 [ 106.961360][ T5375] ? panic+0x770/0x770 [ 106.965436][ T5375] should_fail_ex+0x3aa/0x4e0 [ 106.970125][ T5375] prepare_alloc_pages+0x1d9/0x5b0 [ 106.975278][ T5375] __alloc_pages+0x165/0x670 [ 106.979863][ T5375] ? zone_statistics+0x170/0x170 [ 106.984809][ T5375] ? verify_lock_unused+0x140/0x140 [ 106.990007][ T5375] ? handle_mm_fault+0x11d/0x62b0 [ 106.995047][ T5375] ? __lock_acquire+0x7f70/0x7f70 [ 107.000130][ T5375] ? pte_offset_map_nolock+0x137/0x1e0 [ 107.005589][ T5375] __folio_alloc+0x13/0x30 [ 107.011568][ T5375] vma_alloc_folio+0x48a/0x9a0 [ 107.016354][ T5375] handle_mm_fault+0x2376/0x62b0 [ 107.021310][ T5375] ? handle_mm_fault+0x11d/0x62b0 [ 107.026336][ T5375] ? numa_migrate_prep+0x380/0x380 [ 107.031470][ T5375] ? mtree_range_walk+0x6a0/0x7e0 [ 107.036510][ T5375] ? lock_vma_under_rcu+0x187/0x6f0 [ 107.042396][ T5375] ? __lock_acquire+0x7f70/0x7f70 [ 107.047444][ T5375] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 107.052661][ T5375] ? lock_vma_under_rcu+0x5df/0x6f0 [ 107.057899][ T5375] ? lock_vma_under_rcu+0x187/0x6f0 [ 107.063108][ T5375] ? exc_page_fault+0x10f/0x860 [ 107.067963][ T5375] exc_page_fault+0x455/0x860 [ 107.072655][ T5375] asm_exc_page_fault+0x26/0x30 [ 107.077696][ T5375] RIP: 0033:0x7f794735bc53 [ 107.082152][ T5375] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 107.101762][ T5375] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 107.107844][ T5375] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 107.115913][ T5375] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 107.123900][ T5375] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 107.131881][ T5375] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 107.139861][ T5375] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 107.147929][ T5375] [ 107.153011][ T5375] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5374] munmap(0x7f793ef10000, 2097152) = 0 [pid 5374] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5374] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5374] close(3) = 0 [pid 5374] mkdir("./file0", 0777) = 0 [ 107.162524][ T5374] loop0: detected capacity change from 0 to 4096 [ 107.174824][ T5374] __ntfs_error: 158 callbacks suppressed [ 107.174839][ T5374] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 107.191660][ T5374] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5374] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5375] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5375] munmap(0x7f7936b10000, 2097152) = 0 [pid 5375] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5375] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5375] ioctl(3, LOOP_CLR_FD) = 0 [pid 5375] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5375] close(3) = 0 [ 107.205143][ T5374] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 107.226160][ T5374] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 107.242965][ T5374] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [pid 5375] close(5) = 0 [pid 5375] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5375] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5373] <... futex resumed>) = 0 [ 107.253915][ T5374] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 107.276915][ T5374] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 107.292733][ T5374] ntfs: volume version 12.0. [ 107.297585][ T5374] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [pid 5374] <... mount resumed>) = 0 [pid 5374] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5374] chdir("./file0") = 0 [pid 5374] ioctl(6, LOOP_CLR_FD) = 0 [pid 5374] close(6) = 0 [pid 5374] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5374] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5373] exit_group(0 [pid 5374] <... futex resumed>) = ? [pid 5373] <... exit_group resumed>) = ? [pid 5374] +++ exited with 0 +++ [pid 5375] <... futex resumed>) = ? [pid 5375] +++ exited with 0 +++ [pid 5373] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5373, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=27 /* 0.27 s */} --- umount2("./111", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./111", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./111/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./111/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./111/binderfs") = 0 [ 107.306801][ T5374] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 107.320262][ T5374] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. umount2("./111/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./111/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./111/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./111/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./111/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./111/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./111") = 0 mkdir("./112", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5376 attached [pid 5376] set_robust_list(0x555555f176a0, 24) = 0 [pid 5376] chdir("./112") = 0 [pid 5376] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5376] setpgid(0, 0) = 0 [pid 5376] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5376] write(3, "1000", 4) = 4 [pid 5376] close(3) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5376 [pid 5376] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5376] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5376] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5376] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5376] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5376] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5376] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5376] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5377 attached => {parent_tid=[5377]}, 88) = 5377 [pid 5376] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5376] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5377] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5376] <... futex resumed>) = 0 [pid 5377] <... rseq resumed>) = 0 [pid 5376] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5377] set_robust_list(0x7f79473519a0, 24 [pid 5376] <... futex resumed>) = 0 [pid 5377] <... set_robust_list resumed>) = 0 [pid 5376] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5377] rt_sigprocmask(SIG_SETMASK, [], [pid 5376] <... mmap resumed>) = 0x7f7947310000 [pid 5377] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5376] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5376] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5376] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5378 attached => {parent_tid=[5378]}, 88) = 5378 [pid 5378] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5377] memfd_create("syzkaller", 0 [pid 5378] <... rseq resumed>) = 0 [pid 5376] rt_sigprocmask(SIG_SETMASK, [], [pid 5378] set_robust_list(0x7f79473309a0, 24 [pid 5377] <... memfd_create resumed>) = 3 [pid 5376] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5378] <... set_robust_list resumed>) = 0 [pid 5377] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5376] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5378] rt_sigprocmask(SIG_SETMASK, [], [pid 5376] <... futex resumed>) = 0 [pid 5378] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5377] <... mmap resumed>) = 0x7f793ef10000 [pid 5376] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5378] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5378] write(4, "85", 2) = 2 [pid 5378] memfd_create("syzkaller", 0) = 5 [pid 5378] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5377] munmap(0x7f793ef10000, 138412032) = 0 [pid 5377] close(3) = 0 [pid 5377] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 107.428567][ T5378] FAULT_INJECTION: forcing a failure. [ 107.428567][ T5378] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 107.442080][ T5378] CPU: 0 PID: 5378 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 107.452582][ T5378] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 107.462629][ T5378] Call Trace: [ 107.465914][ T5378] [ 107.468859][ T5378] dump_stack_lvl+0x1e7/0x2d0 [ 107.473633][ T5378] ? nf_tcp_handle_invalid+0x650/0x650 [ 107.479116][ T5378] ? panic+0x770/0x770 [ 107.483186][ T5378] should_fail_ex+0x3aa/0x4e0 [ 107.487869][ T5378] prepare_alloc_pages+0x1d9/0x5b0 [ 107.492979][ T5378] __alloc_pages+0x165/0x670 [ 107.497567][ T5378] ? zone_statistics+0x170/0x170 [ 107.502532][ T5378] ? verify_lock_unused+0x140/0x140 [ 107.507730][ T5378] ? handle_mm_fault+0x11d/0x62b0 [ 107.512793][ T5378] ? __lock_acquire+0x7f70/0x7f70 [ 107.517808][ T5378] ? pte_offset_map_nolock+0x137/0x1e0 [ 107.523271][ T5378] __folio_alloc+0x13/0x30 [ 107.527693][ T5378] vma_alloc_folio+0x48a/0x9a0 [ 107.532477][ T5378] handle_mm_fault+0x2376/0x62b0 [ 107.537423][ T5378] ? handle_mm_fault+0x11d/0x62b0 [ 107.542451][ T5378] ? numa_migrate_prep+0x380/0x380 [ 107.547570][ T5378] ? mtree_range_walk+0x6a0/0x7e0 [ 107.552683][ T5378] ? lock_vma_under_rcu+0x187/0x6f0 [ 107.557880][ T5378] ? __lock_acquire+0x7f70/0x7f70 [ 107.562897][ T5378] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 107.568102][ T5378] ? lock_vma_under_rcu+0x5df/0x6f0 [ 107.573302][ T5378] ? lock_vma_under_rcu+0x187/0x6f0 [ 107.578521][ T5378] ? exc_page_fault+0x10f/0x860 [ 107.583399][ T5378] exc_page_fault+0x455/0x860 [ 107.588078][ T5378] asm_exc_page_fault+0x26/0x30 [ 107.592921][ T5378] RIP: 0033:0x7f794735bc53 [ 107.597338][ T5378] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 107.616942][ T5378] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5377] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5378] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5378] munmap(0x7f7936b10000, 2097152) = 0 [pid 5378] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 107.623030][ T5378] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 107.630999][ T5378] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 107.638972][ T5378] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 107.646934][ T5378] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 107.654896][ T5378] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 107.662872][ T5378] [ 107.666289][ T5378] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5378] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5378] close(5) = 0 [pid 5378] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5378] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 107.704574][ T5378] loop0: detected capacity change from 0 to 4096 [ 107.723832][ T5378] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 107.730961][ T5378] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5378] ioctl(3, LOOP_CLR_FD) = 0 [pid 5378] close(3) = 0 [pid 5378] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5376] <... futex resumed>) = 0 [pid 5376] exit_group(0 [pid 5378] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5376] <... exit_group resumed>) = ? [pid 5378] <... futex resumed>) = ? [pid 5377] <... futex resumed>) = ? [pid 5377] +++ exited with 0 +++ [pid 5378] +++ exited with 0 +++ [pid 5376] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5376, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- umount2("./112", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./112", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./112/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./112/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./112/binderfs") = 0 umount2("\x2e\x2f\x31\x31\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x31\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x31\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x31\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x31\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./112") = 0 mkdir("./113", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5379 attached , child_tidptr=0x555555f17690) = 5379 [pid 5379] set_robust_list(0x555555f176a0, 24) = 0 [pid 5379] chdir("./113") = 0 [pid 5379] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5379] setpgid(0, 0) = 0 [pid 5379] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5379] write(3, "1000", 4) = 4 [pid 5379] close(3) = 0 [pid 5379] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5379] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5379] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5379] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5379] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5379] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5379] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5379] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5380 attached => {parent_tid=[5380]}, 88) = 5380 [pid 5379] rt_sigprocmask(SIG_SETMASK, [], [pid 5380] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5379] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5380] <... rseq resumed>) = 0 [pid 5379] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5379] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5379] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5380] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5380] rt_sigprocmask(SIG_SETMASK, [], [pid 5379] <... mmap resumed>) = 0x7f7947310000 [pid 5379] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5379] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5379] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5380] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5381 attached [pid 5381] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5379] <... clone3 resumed> => {parent_tid=[5381]}, 88) = 5381 [pid 5381] <... rseq resumed>) = 0 [pid 5379] rt_sigprocmask(SIG_SETMASK, [], [pid 5381] set_robust_list(0x7f79473309a0, 24 [pid 5379] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5381] <... set_robust_list resumed>) = 0 [pid 5379] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5381] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5379] <... futex resumed>) = 0 [pid 5379] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5380] memfd_create("syzkaller", 0) = 3 [pid 5380] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5381] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5380] <... mmap resumed>) = 0x7f793ef10000 [pid 5380] munmap(0x7f793ef10000, 138412032) = 0 [pid 5380] close(3 [pid 5381] <... openat resumed>) = 4 [pid 5381] write(4, "85", 2) = 2 [pid 5381] memfd_create("syzkaller", 0 [pid 5380] <... close resumed>) = 0 [pid 5380] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5381] <... memfd_create resumed>) = 3 [pid 5380] <... futex resumed>) = 0 [pid 5380] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5381] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 107.876191][ T5381] FAULT_INJECTION: forcing a failure. [ 107.876191][ T5381] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 107.889976][ T5381] CPU: 0 PID: 5381 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 107.900395][ T5381] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 107.910443][ T5381] Call Trace: [ 107.913715][ T5381] [ 107.916643][ T5381] dump_stack_lvl+0x1e7/0x2d0 [ 107.921326][ T5381] ? nf_tcp_handle_invalid+0x650/0x650 [ 107.926954][ T5381] ? panic+0x770/0x770 [ 107.931025][ T5381] should_fail_ex+0x3aa/0x4e0 [ 107.935729][ T5381] prepare_alloc_pages+0x1d9/0x5b0 [ 107.940853][ T5381] __alloc_pages+0x165/0x670 [ 107.945445][ T5381] ? zone_statistics+0x170/0x170 [ 107.950386][ T5381] ? verify_lock_unused+0x140/0x140 [ 107.955603][ T5381] ? handle_mm_fault+0x11d/0x62b0 [ 107.960625][ T5381] ? __lock_acquire+0x7f70/0x7f70 [ 107.965641][ T5381] ? pte_offset_map_nolock+0x137/0x1e0 [ 107.971099][ T5381] __folio_alloc+0x13/0x30 [ 107.975512][ T5381] vma_alloc_folio+0x48a/0x9a0 [ 107.980296][ T5381] handle_mm_fault+0x2376/0x62b0 [ 107.985240][ T5381] ? handle_mm_fault+0x11d/0x62b0 [ 107.990269][ T5381] ? numa_migrate_prep+0x380/0x380 [ 107.995393][ T5381] ? mtree_range_walk+0x6a0/0x7e0 [ 108.000419][ T5381] ? lock_vma_under_rcu+0x187/0x6f0 [ 108.005616][ T5381] ? __lock_acquire+0x7f70/0x7f70 [ 108.010642][ T5381] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 108.015936][ T5381] ? lock_vma_under_rcu+0x5df/0x6f0 [ 108.021132][ T5381] ? lock_vma_under_rcu+0x187/0x6f0 [ 108.026337][ T5381] ? exc_page_fault+0x10f/0x860 [ 108.031184][ T5381] exc_page_fault+0x455/0x860 [ 108.035885][ T5381] asm_exc_page_fault+0x26/0x30 [ 108.040729][ T5381] RIP: 0033:0x7f794735bd00 [ 108.045140][ T5381] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 108.064780][ T5381] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5381] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5381] munmap(0x7f793ef10000, 2097152) = 0 [pid 5381] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 108.070950][ T5381] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 108.078946][ T5381] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 108.086928][ T5381] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 108.094909][ T5381] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 108.102904][ T5381] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 108.111062][ T5381] [ 108.114462][ T5381] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5381] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5381] close(3) = 0 [pid 5381] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5381] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5381] ioctl(5, LOOP_CLR_FD) = 0 [ 108.152585][ T5381] loop0: detected capacity change from 0 to 4096 [ 108.171644][ T5381] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 108.178874][ T5381] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5381] close(5) = 0 [pid 5381] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5379] <... futex resumed>) = 0 [pid 5381] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5379] exit_group(0) = ? [pid 5380] <... futex resumed>) = ? [pid 5381] <... futex resumed>) = ? [pid 5381] +++ exited with 0 +++ [pid 5380] +++ exited with 0 +++ [pid 5379] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5379, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- umount2("./113", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./113", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./113/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./113/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./113/binderfs") = 0 umount2("\x2e\x2f\x31\x31\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x31\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x31\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x31\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x31\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./113") = 0 mkdir("./114", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5382 attached [pid 5382] set_robust_list(0x555555f176a0, 24) = 0 [pid 5382] chdir("./114") = 0 [pid 5382] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5382] setpgid(0, 0) = 0 [pid 5382] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5382] write(3, "1000", 4) = 4 [pid 5382] close(3) = 0 [pid 5382] symlink("/dev/binderfs", "./binderfs" [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5382 [pid 5382] <... symlink resumed>) = 0 [pid 5382] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5382] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5382] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5382] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5382] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5382] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5382] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5383 attached => {parent_tid=[5383]}, 88) = 5383 [pid 5383] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5382] rt_sigprocmask(SIG_SETMASK, [], [pid 5383] <... rseq resumed>) = 0 [pid 5383] set_robust_list(0x7f79473519a0, 24 [pid 5382] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5383] <... set_robust_list resumed>) = 0 [pid 5382] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5383] rt_sigprocmask(SIG_SETMASK, [], [pid 5382] <... futex resumed>) = 0 [pid 5383] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5382] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5383] memfd_create("syzkaller", 0 [pid 5382] <... futex resumed>) = 0 [pid 5382] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5382] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5382] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5382] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5384 attached => {parent_tid=[5384]}, 88) = 5384 [pid 5382] rt_sigprocmask(SIG_SETMASK, [], [pid 5383] <... memfd_create resumed>) = 3 [pid 5382] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5382] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5383] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5384] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5383] <... mmap resumed>) = 0x7f793ef10000 [pid 5382] <... futex resumed>) = 0 [pid 5384] <... rseq resumed>) = 0 [pid 5382] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5384] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5384] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5384] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5384] write(4, "85", 2) = 2 [pid 5384] memfd_create("syzkaller", 0) = 5 [pid 5384] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5383] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 108.327408][ T5384] FAULT_INJECTION: forcing a failure. [ 108.327408][ T5384] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 108.340991][ T5384] CPU: 0 PID: 5384 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 108.351435][ T5384] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 108.361509][ T5384] Call Trace: [ 108.364803][ T5384] [ 108.367731][ T5384] dump_stack_lvl+0x1e7/0x2d0 [ 108.372506][ T5384] ? nf_tcp_handle_invalid+0x650/0x650 [ 108.377977][ T5384] ? panic+0x770/0x770 [ 108.382051][ T5384] should_fail_ex+0x3aa/0x4e0 [ 108.386731][ T5384] prepare_alloc_pages+0x1d9/0x5b0 [ 108.391853][ T5384] __alloc_pages+0x165/0x670 [ 108.396439][ T5384] ? zone_statistics+0x170/0x170 [ 108.401378][ T5384] ? verify_lock_unused+0x140/0x140 [ 108.406584][ T5384] ? handle_mm_fault+0x11d/0x62b0 [ 108.411607][ T5384] ? __lock_acquire+0x7f70/0x7f70 [ 108.416626][ T5384] ? pte_offset_map_nolock+0x137/0x1e0 [ 108.422172][ T5384] __folio_alloc+0x13/0x30 [ 108.426585][ T5384] vma_alloc_folio+0x48a/0x9a0 [ 108.431361][ T5384] handle_mm_fault+0x2376/0x62b0 [ 108.436306][ T5384] ? handle_mm_fault+0x11d/0x62b0 [ 108.441346][ T5384] ? numa_migrate_prep+0x380/0x380 [ 108.446724][ T5384] ? mtree_range_walk+0x6a0/0x7e0 [ 108.452071][ T5384] ? lock_vma_under_rcu+0x187/0x6f0 [ 108.457893][ T5384] ? __lock_acquire+0x7f70/0x7f70 [ 108.462912][ T5384] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 108.468119][ T5384] ? lock_vma_under_rcu+0x5df/0x6f0 [ 108.473575][ T5384] ? lock_vma_under_rcu+0x187/0x6f0 [ 108.478779][ T5384] ? exc_page_fault+0x10f/0x860 [ 108.483627][ T5384] exc_page_fault+0x455/0x860 [ 108.488329][ T5384] asm_exc_page_fault+0x26/0x30 [ 108.493175][ T5384] RIP: 0033:0x7f794735bc53 [ 108.497584][ T5384] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 108.517183][ T5384] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5383] munmap(0x7f793ef10000, 2097152 [pid 5384] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5383] <... munmap resumed>) = 0 [ 108.523243][ T5384] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 108.531205][ T5384] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 108.539165][ T5384] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 108.547127][ T5384] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 108.555173][ T5384] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 108.563147][ T5384] [ 108.566369][ T5384] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5383] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5384] <... write resumed>) = 2097152 [pid 5383] <... openat resumed>) = 6 [pid 5383] ioctl(6, LOOP_SET_FD, 3 [pid 5384] munmap(0x7f7936b10000, 2097152 [pid 5383] <... ioctl resumed>) = 0 [pid 5383] close(3) = 0 [pid 5383] mkdir("./file0", 0777 [pid 5384] <... munmap resumed>) = 0 [pid 5383] <... mkdir resumed>) = 0 [pid 5383] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5384] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5384] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5384] ioctl(3, LOOP_CLR_FD) = 0 [pid 5384] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5384] close(3) = 0 [pid 5384] close(5) = 0 [pid 5384] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5382] <... futex resumed>) = 0 [pid 5384] <... futex resumed>) = 1 [pid 5384] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5383] <... mount resumed>) = 0 [pid 5383] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5383] chdir("./file0") = 0 [pid 5383] ioctl(6, LOOP_CLR_FD) = 0 [pid 5383] close(6) = 0 [pid 5383] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5382] exit_group(0 [pid 5384] <... futex resumed>) = ? [pid 5382] <... exit_group resumed>) = ? [pid 5383] +++ exited with 0 +++ [pid 5384] +++ exited with 0 +++ [pid 5382] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5382, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./114", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./114", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./114/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./114/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./114/binderfs") = 0 umount2("./114/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./114/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./114/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./114/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./114/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./114/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./114") = 0 mkdir("./115", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5385 attached , child_tidptr=0x555555f17690) = 5385 [pid 5385] set_robust_list(0x555555f176a0, 24) = 0 [pid 5385] chdir("./115") = 0 [pid 5385] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5385] setpgid(0, 0) = 0 [pid 5385] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5385] write(3, "1000", 4) = 4 [pid 5385] close(3) = 0 [pid 5385] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5385] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 108.602125][ T5383] loop0: detected capacity change from 0 to 4096 [ 108.626178][ T5383] ntfs: volume version 12.0. [pid 5385] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5385] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5385] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5385] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5385] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5385] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5386 attached [pid 5386] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5385] <... clone3 resumed> => {parent_tid=[5386]}, 88) = 5386 [pid 5386] <... rseq resumed>) = 0 [pid 5386] set_robust_list(0x7f79473519a0, 24 [pid 5385] rt_sigprocmask(SIG_SETMASK, [], [pid 5386] <... set_robust_list resumed>) = 0 [pid 5385] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5386] rt_sigprocmask(SIG_SETMASK, [], [pid 5385] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5386] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5385] <... futex resumed>) = 0 [pid 5386] memfd_create("syzkaller", 0 [pid 5385] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5385] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5385] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5385] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5385] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5387 attached [pid 5387] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5385] <... clone3 resumed> => {parent_tid=[5387]}, 88) = 5387 [pid 5387] <... rseq resumed>) = 0 [pid 5387] set_robust_list(0x7f79473309a0, 24 [pid 5385] rt_sigprocmask(SIG_SETMASK, [], [pid 5387] <... set_robust_list resumed>) = 0 [pid 5387] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5387] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5386] <... memfd_create resumed>) = 3 [pid 5385] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5386] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5385] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5387] <... futex resumed>) = 0 [pid 5386] <... mmap resumed>) = 0x7f793ef10000 [pid 5385] <... futex resumed>) = 1 [pid 5385] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5387] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5386] munmap(0x7f793ef10000, 138412032) = 0 [pid 5386] close(3) = 0 [pid 5386] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5386] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5387] <... openat resumed>) = 3 [pid 5387] write(3, "85", 2) = 2 [pid 5387] memfd_create("syzkaller", 0) = 4 [pid 5387] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 108.709210][ T5387] FAULT_INJECTION: forcing a failure. [ 108.709210][ T5387] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 108.723008][ T5387] CPU: 0 PID: 5387 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 108.733449][ T5387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 108.743525][ T5387] Call Trace: [ 108.746812][ T5387] [ 108.749764][ T5387] dump_stack_lvl+0x1e7/0x2d0 [ 108.754453][ T5387] ? nf_tcp_handle_invalid+0x650/0x650 [ 108.759903][ T5387] ? panic+0x770/0x770 [ 108.763989][ T5387] should_fail_ex+0x3aa/0x4e0 [ 108.768664][ T5387] prepare_alloc_pages+0x1d9/0x5b0 [ 108.773809][ T5387] __alloc_pages+0x165/0x670 [ 108.778394][ T5387] ? zone_statistics+0x170/0x170 [ 108.783343][ T5387] ? verify_lock_unused+0x140/0x140 [ 108.788549][ T5387] ? handle_mm_fault+0x11d/0x62b0 [ 108.793569][ T5387] ? __lock_acquire+0x7f70/0x7f70 [ 108.798587][ T5387] ? pte_offset_map_nolock+0x137/0x1e0 [ 108.804069][ T5387] __folio_alloc+0x13/0x30 [ 108.808497][ T5387] vma_alloc_folio+0x48a/0x9a0 [ 108.813291][ T5387] handle_mm_fault+0x2376/0x62b0 [ 108.818306][ T5387] ? handle_mm_fault+0x11d/0x62b0 [ 108.823343][ T5387] ? numa_migrate_prep+0x380/0x380 [ 108.828470][ T5387] ? mtree_range_walk+0x6a0/0x7e0 [ 108.833488][ T5387] ? lock_vma_under_rcu+0x187/0x6f0 [ 108.838687][ T5387] ? __lock_acquire+0x7f70/0x7f70 [ 108.843715][ T5387] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 108.848915][ T5387] ? lock_vma_under_rcu+0x5df/0x6f0 [ 108.854111][ T5387] ? lock_vma_under_rcu+0x187/0x6f0 [ 108.859419][ T5387] ? exc_page_fault+0x10f/0x860 [ 108.864304][ T5387] exc_page_fault+0x455/0x860 [ 108.868976][ T5387] asm_exc_page_fault+0x26/0x30 [ 108.873812][ T5387] RIP: 0033:0x7f794735bd00 [ 108.878242][ T5387] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 108.897837][ T5387] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5387] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5387] munmap(0x7f793ef10000, 2097152) = 0 [pid 5387] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 108.903925][ T5387] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 108.912072][ T5387] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 108.920035][ T5387] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 108.928007][ T5387] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 108.935985][ T5387] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 108.943959][ T5387] [ 108.947275][ T5387] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5387] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5387] close(4) = 0 [pid 5387] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5387] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5387] ioctl(5, LOOP_CLR_FD) = 0 [ 108.989271][ T5387] loop0: detected capacity change from 0 to 4096 [ 109.007846][ T5387] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 109.014861][ T5387] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5387] close(5) = 0 [pid 5387] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5385] <... futex resumed>) = 0 [pid 5387] <... futex resumed>) = 1 [pid 5385] exit_group(0 [pid 5387] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5385] <... exit_group resumed>) = ? [pid 5386] <... futex resumed>) = ? [pid 5387] <... futex resumed>) = ? [pid 5386] +++ exited with 0 +++ [pid 5387] +++ exited with 0 +++ [pid 5385] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5385, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- umount2("./115", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./115", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./115/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./115/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./115/binderfs") = 0 umount2("\x2e\x2f\x31\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./115") = 0 mkdir("./116", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5388 attached , child_tidptr=0x555555f17690) = 5388 [pid 5388] set_robust_list(0x555555f176a0, 24) = 0 [pid 5388] chdir("./116") = 0 [pid 5388] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5388] setpgid(0, 0) = 0 [pid 5388] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5388] write(3, "1000", 4) = 4 [pid 5388] close(3) = 0 [pid 5388] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5388] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5388] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5388] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5388] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5388] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5388] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5388] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5389 attached [pid 5389] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5388] <... clone3 resumed> => {parent_tid=[5389]}, 88) = 5389 [pid 5389] <... rseq resumed>) = 0 [pid 5389] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5389] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5389] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5388] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5388] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5389] <... futex resumed>) = 0 [pid 5388] <... futex resumed>) = 1 [pid 5388] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5388] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5389] memfd_create("syzkaller", 0 [pid 5388] <... mmap resumed>) = 0x7f7947310000 [pid 5389] <... memfd_create resumed>) = 3 [pid 5388] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5389] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5388] <... mprotect resumed>) = 0 [pid 5388] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5388] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5390 attached => {parent_tid=[5390]}, 88) = 5390 [pid 5390] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5388] rt_sigprocmask(SIG_SETMASK, [], [pid 5390] <... rseq resumed>) = 0 [pid 5388] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5388] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5390] set_robust_list(0x7f79473309a0, 24 [pid 5388] <... futex resumed>) = 0 [pid 5390] <... set_robust_list resumed>) = 0 [pid 5388] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5390] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5390] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5390] write(4, "85", 2) = 2 [pid 5390] memfd_create("syzkaller", 0) = 5 [pid 5390] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 109.161129][ T5390] FAULT_INJECTION: forcing a failure. [ 109.161129][ T5390] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 109.174522][ T5390] CPU: 0 PID: 5390 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 109.184945][ T5390] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 109.194993][ T5390] Call Trace: [ 109.198263][ T5390] [ 109.201186][ T5390] dump_stack_lvl+0x1e7/0x2d0 [ 109.205872][ T5390] ? nf_tcp_handle_invalid+0x650/0x650 [ 109.211323][ T5390] ? panic+0x770/0x770 [ 109.215397][ T5390] should_fail_ex+0x3aa/0x4e0 [ 109.220074][ T5390] prepare_alloc_pages+0x1d9/0x5b0 [ 109.225252][ T5390] __alloc_pages+0x165/0x670 [ 109.229840][ T5390] ? zone_statistics+0x170/0x170 [ 109.234776][ T5390] ? verify_lock_unused+0x140/0x140 [ 109.239964][ T5390] ? handle_mm_fault+0x11d/0x62b0 [ 109.244986][ T5390] ? __lock_acquire+0x7f70/0x7f70 [ 109.250085][ T5390] ? pte_offset_map_nolock+0x137/0x1e0 [ 109.255542][ T5390] __folio_alloc+0x13/0x30 [ 109.259951][ T5390] vma_alloc_folio+0x48a/0x9a0 [ 109.264718][ T5390] handle_mm_fault+0x2376/0x62b0 [ 109.269746][ T5390] ? handle_mm_fault+0x11d/0x62b0 [ 109.274797][ T5390] ? numa_migrate_prep+0x380/0x380 [ 109.279920][ T5390] ? mtree_range_walk+0x6a0/0x7e0 [ 109.284939][ T5390] ? lock_vma_under_rcu+0x187/0x6f0 [ 109.290134][ T5390] ? __lock_acquire+0x7f70/0x7f70 [ 109.295148][ T5390] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 109.300354][ T5390] ? lock_vma_under_rcu+0x5df/0x6f0 [ 109.305552][ T5390] ? lock_vma_under_rcu+0x187/0x6f0 [ 109.310757][ T5390] ? exc_page_fault+0x10f/0x860 [ 109.315687][ T5390] exc_page_fault+0x455/0x860 [ 109.320366][ T5390] asm_exc_page_fault+0x26/0x30 [ 109.325210][ T5390] RIP: 0033:0x7f794735bc53 [ 109.329618][ T5390] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 109.349227][ T5390] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5389] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2075019) = 2075019 [pid 5389] munmap(0x7f793ef10000, 2075019) = 0 [pid 5390] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5389] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 109.355288][ T5390] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 109.363252][ T5390] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 109.371215][ T5390] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 109.379176][ T5390] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 109.387156][ T5390] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 109.395134][ T5390] [ 109.398473][ T5390] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5389] ioctl(6, LOOP_SET_FD, 3 [pid 5390] <... write resumed>) = 2097152 [pid 5390] munmap(0x7f7936b10000, 2097152 [pid 5389] <... ioctl resumed>) = 0 [pid 5390] <... munmap resumed>) = 0 [pid 5389] close(3 [pid 5390] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5389] <... close resumed>) = 0 [pid 5389] mkdir("./file0", 0777 [pid 5390] <... openat resumed>) = 3 [pid 5390] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5389] <... mkdir resumed>) = 0 [pid 5390] ioctl(3, LOOP_CLR_FD) = 0 [pid 5389] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5390] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5390] close(3 [pid 5389] <... mount resumed>) = -1 EINVAL (Invalid argument) [pid 5390] <... close resumed>) = 0 [pid 5390] close(5 [pid 5389] ioctl(6, LOOP_CLR_FD) = 0 [pid 5389] close(6) = 0 [pid 5389] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5389] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5390] <... close resumed>) = 0 [pid 5390] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5388] <... futex resumed>) = 0 [pid 5390] <... futex resumed>) = 1 [pid 5390] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 109.446043][ T5389] loop0: detected capacity change from 0 to 4052 [pid 5388] exit_group(0 [pid 5390] <... futex resumed>) = ? [pid 5389] <... futex resumed>) = ? [pid 5390] +++ exited with 0 +++ [pid 5389] +++ exited with 0 +++ [pid 5388] <... exit_group resumed>) = ? [pid 5388] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5388, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=34 /* 0.34 s */} --- umount2("./116", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./116", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./116/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./116/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./116/binderfs") = 0 umount2("./116/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./116/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./116/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./116/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./116/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./116") = 0 mkdir("./117", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5391 attached , child_tidptr=0x555555f17690) = 5391 [pid 5391] set_robust_list(0x555555f176a0, 24) = 0 [pid 5391] chdir("./117") = 0 [pid 5391] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5391] setpgid(0, 0) = 0 [pid 5391] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5391] write(3, "1000", 4) = 4 [pid 5391] close(3) = 0 [pid 5391] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5391] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5391] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5391] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5391] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5391] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5391] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5391] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5392 attached => {parent_tid=[5392]}, 88) = 5392 [pid 5391] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5391] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5391] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5391] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5391] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5392] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5392] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5391] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5392] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5391] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5391] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5393 attached [pid 5393] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5391] <... clone3 resumed> => {parent_tid=[5393]}, 88) = 5393 [pid 5393] <... rseq resumed>) = 0 [pid 5391] rt_sigprocmask(SIG_SETMASK, [], [pid 5393] set_robust_list(0x7f79473309a0, 24 [pid 5391] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5393] <... set_robust_list resumed>) = 0 [pid 5391] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5393] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5391] <... futex resumed>) = 0 [pid 5393] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5392] memfd_create("syzkaller", 0 [pid 5391] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5392] <... memfd_create resumed>) = 4 [pid 5392] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5393] <... openat resumed>) = 3 [pid 5392] <... mmap resumed>) = 0x7f793ef10000 [pid 5393] write(3, "85", 2 [pid 5392] munmap(0x7f793ef10000, 138412032 [pid 5393] <... write resumed>) = 2 [pid 5393] memfd_create("syzkaller", 0 [pid 5392] <... munmap resumed>) = 0 [pid 5393] <... memfd_create resumed>) = 5 [pid 5393] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5392] close(4) = 0 [pid 5392] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 109.551036][ T5393] FAULT_INJECTION: forcing a failure. [ 109.551036][ T5393] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 109.564902][ T5393] CPU: 0 PID: 5393 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 109.575325][ T5393] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 109.585489][ T5393] Call Trace: [ 109.588801][ T5393] [ 109.591727][ T5393] dump_stack_lvl+0x1e7/0x2d0 [ 109.596398][ T5393] ? nf_tcp_handle_invalid+0x650/0x650 [ 109.601847][ T5393] ? panic+0x770/0x770 [ 109.605937][ T5393] should_fail_ex+0x3aa/0x4e0 [ 109.610625][ T5393] prepare_alloc_pages+0x1d9/0x5b0 [ 109.615776][ T5393] __alloc_pages+0x165/0x670 [ 109.620410][ T5393] ? zone_statistics+0x170/0x170 [ 109.625378][ T5393] ? verify_lock_unused+0x140/0x140 [ 109.630585][ T5393] ? handle_mm_fault+0x11d/0x62b0 [ 109.635609][ T5393] ? __lock_acquire+0x7f70/0x7f70 [ 109.640625][ T5393] ? pte_offset_map_nolock+0x137/0x1e0 [ 109.646082][ T5393] __folio_alloc+0x13/0x30 [ 109.650501][ T5393] vma_alloc_folio+0x48a/0x9a0 [ 109.655263][ T5393] handle_mm_fault+0x2376/0x62b0 [ 109.660205][ T5393] ? handle_mm_fault+0x11d/0x62b0 [ 109.665251][ T5393] ? numa_migrate_prep+0x380/0x380 [ 109.670381][ T5393] ? mtree_range_walk+0x6a0/0x7e0 [ 109.675414][ T5393] ? lock_vma_under_rcu+0x187/0x6f0 [ 109.680633][ T5393] ? __lock_acquire+0x7f70/0x7f70 [ 109.685772][ T5393] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 109.691008][ T5393] ? lock_vma_under_rcu+0x5df/0x6f0 [ 109.696213][ T5393] ? lock_vma_under_rcu+0x187/0x6f0 [ 109.701508][ T5393] ? exc_page_fault+0x10f/0x860 [ 109.706357][ T5393] exc_page_fault+0x455/0x860 [ 109.711039][ T5393] asm_exc_page_fault+0x26/0x30 [ 109.715884][ T5393] RIP: 0033:0x7f794735bd00 [ 109.720293][ T5393] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 109.739910][ T5393] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5392] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5393] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5393] munmap(0x7f793ef10000, 2097152) = 0 [pid 5393] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 109.746069][ T5393] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 109.754040][ T5393] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 109.762004][ T5393] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 109.769969][ T5393] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 109.778019][ T5393] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 109.786003][ T5393] [ 109.789564][ T5393] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5393] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5393] close(5) = 0 [pid 5393] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5393] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 109.829485][ T5393] loop0: detected capacity change from 0 to 4096 [ 109.846604][ T5393] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 109.853661][ T5393] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5393] ioctl(4, LOOP_CLR_FD) = 0 [pid 5393] close(4) = 0 [pid 5393] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5391] <... futex resumed>) = 0 [pid 5391] exit_group(0 [pid 5393] <... futex resumed>) = 1 [pid 5391] <... exit_group resumed>) = ? [pid 5393] +++ exited with 0 +++ [pid 5392] <... futex resumed>) = ? [pid 5392] +++ exited with 0 +++ [pid 5391] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5391, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./117", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./117", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./117/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./117/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./117/binderfs") = 0 umount2("\x2e\x2f\x31\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./117") = 0 mkdir("./118", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5394 attached , child_tidptr=0x555555f17690) = 5394 [pid 5394] set_robust_list(0x555555f176a0, 24) = 0 [pid 5394] chdir("./118") = 0 [pid 5394] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5394] setpgid(0, 0) = 0 [pid 5394] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5394] write(3, "1000", 4) = 4 [pid 5394] close(3) = 0 [pid 5394] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5394] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5394] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5394] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5394] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5394] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5394] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5394] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5395 attached [pid 5395] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5394] <... clone3 resumed> => {parent_tid=[5395]}, 88) = 5395 [pid 5395] <... rseq resumed>) = 0 [pid 5394] rt_sigprocmask(SIG_SETMASK, [], [pid 5395] set_robust_list(0x7f79473519a0, 24 [pid 5394] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5395] <... set_robust_list resumed>) = 0 [pid 5394] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5395] rt_sigprocmask(SIG_SETMASK, [], [pid 5394] <... futex resumed>) = 0 [pid 5395] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5394] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5395] memfd_create("syzkaller", 0) = 3 [pid 5394] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5395] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5394] <... mmap resumed>) = 0x7f793ef10000 [pid 5394] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5394] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5394] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0} => {parent_tid=[5396]}, 88) = 5396 [pid 5394] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5394] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5394] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5396 attached [pid 5396] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5396] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5396] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5396] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5396] write(4, "85", 2) = 2 [pid 5396] memfd_create("syzkaller", 0) = 5 [pid 5396] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5395] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 109.980377][ T5396] FAULT_INJECTION: forcing a failure. [ 109.980377][ T5396] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 109.994018][ T5396] CPU: 0 PID: 5396 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 110.004489][ T5396] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 110.014567][ T5396] Call Trace: [ 110.017873][ T5396] [ 110.020800][ T5396] dump_stack_lvl+0x1e7/0x2d0 [ 110.025567][ T5396] ? nf_tcp_handle_invalid+0x650/0x650 [ 110.031022][ T5396] ? panic+0x770/0x770 [ 110.035093][ T5396] should_fail_ex+0x3aa/0x4e0 [ 110.039776][ T5396] prepare_alloc_pages+0x1d9/0x5b0 [ 110.044892][ T5396] __alloc_pages+0x165/0x670 [ 110.049483][ T5396] ? zone_statistics+0x170/0x170 [ 110.054460][ T5396] ? verify_lock_unused+0x140/0x140 [ 110.059679][ T5396] ? handle_mm_fault+0x11d/0x62b0 [ 110.064712][ T5396] ? __lock_acquire+0x7f70/0x7f70 [ 110.069732][ T5396] ? pte_offset_map_nolock+0x137/0x1e0 [ 110.075191][ T5396] __folio_alloc+0x13/0x30 [ 110.079605][ T5396] vma_alloc_folio+0x48a/0x9a0 [ 110.084388][ T5396] handle_mm_fault+0x2376/0x62b0 [ 110.089344][ T5396] ? handle_mm_fault+0x11d/0x62b0 [ 110.094372][ T5396] ? numa_migrate_prep+0x380/0x380 [ 110.099540][ T5396] ? mtree_range_walk+0x6a0/0x7e0 [ 110.104562][ T5396] ? lock_vma_under_rcu+0x187/0x6f0 [ 110.109760][ T5396] ? __lock_acquire+0x7f70/0x7f70 [ 110.114774][ T5396] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 110.119981][ T5396] ? lock_vma_under_rcu+0x5df/0x6f0 [ 110.125177][ T5396] ? lock_vma_under_rcu+0x187/0x6f0 [ 110.130378][ T5396] ? exc_page_fault+0x10f/0x860 [ 110.135309][ T5396] exc_page_fault+0x455/0x860 [ 110.140007][ T5396] asm_exc_page_fault+0x26/0x30 [ 110.144968][ T5396] RIP: 0033:0x7f794735bc53 [ 110.149385][ T5396] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 110.169082][ T5396] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5395] munmap(0x7f793ef31000, 2097152) = 0 [pid 5395] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5395] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5395] close(3) = 0 [pid 5395] mkdir("./file0", 0777) = 0 [pid 5395] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [ 110.175321][ T5396] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 110.183284][ T5396] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 110.191250][ T5396] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 110.199209][ T5396] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 110.207173][ T5396] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 110.215153][ T5396] [ 110.224966][ T5395] loop0: detected capacity change from 0 to 4096 [pid 5396] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5395] <... mount resumed>) = 0 [pid 5395] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5395] chdir("./file0") = 0 [pid 5395] ioctl(6, LOOP_CLR_FD) = 0 [pid 5395] close(6) = 0 [pid 5395] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5395] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5396] <... write resumed>) = 2097152 [pid 5396] munmap(0x7f7936b10000, 2097152) = 0 [pid 5396] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5396] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5396] ioctl(6, LOOP_CLR_FD) = 0 [pid 5396] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5396] close(6) = 0 [ 110.248392][ T5395] ntfs: volume version 12.0. [pid 5396] close(5) = 0 [pid 5396] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5396] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5394] <... futex resumed>) = 0 [pid 5394] exit_group(0 [pid 5396] <... futex resumed>) = ? [pid 5395] <... futex resumed>) = ? [pid 5394] <... exit_group resumed>) = ? [pid 5396] +++ exited with 0 +++ [pid 5395] +++ exited with 0 +++ [pid 5394] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5394, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=31 /* 0.31 s */} --- umount2("./118", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./118", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./118/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./118/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./118/binderfs") = 0 umount2("./118/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./118/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./118/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./118/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./118/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./118/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./118") = 0 mkdir("./119", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5397 ./strace-static-x86_64: Process 5397 attached [pid 5397] set_robust_list(0x555555f176a0, 24) = 0 [pid 5397] chdir("./119") = 0 [pid 5397] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5397] setpgid(0, 0) = 0 [pid 5397] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5397] write(3, "1000", 4) = 4 [pid 5397] close(3) = 0 [pid 5397] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5397] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5397] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5397] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5397] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5397] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5397] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5397] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5398]}, 88) = 5398 [pid 5397] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5397] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5397] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5397] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5397] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 ./strace-static-x86_64: Process 5398 attached [pid 5398] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5397] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5398] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5397] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5398] rt_sigprocmask(SIG_SETMASK, [], [pid 5397] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5398] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5399 attached [pid 5399] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5399] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5399] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5398] memfd_create("syzkaller", 0 [pid 5397] <... clone3 resumed> => {parent_tid=[5399]}, 88) = 5399 [pid 5399] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5398] <... memfd_create resumed>) = 3 [pid 5397] rt_sigprocmask(SIG_SETMASK, [], [pid 5398] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5397] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5397] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5399] <... futex resumed>) = 0 [pid 5399] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5398] munmap(0x7f793ef10000, 138412032 [pid 5397] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5399] <... openat resumed>) = 4 [pid 5399] write(4, "85", 2) = 2 [pid 5399] memfd_create("syzkaller", 0) = 5 [pid 5399] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5398] <... munmap resumed>) = 0 [pid 5398] close(3) = 0 [pid 5398] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 110.400039][ T5399] FAULT_INJECTION: forcing a failure. [ 110.400039][ T5399] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 110.413308][ T5399] CPU: 0 PID: 5399 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 110.423732][ T5399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 110.433782][ T5399] Call Trace: [ 110.437064][ T5399] [ 110.439997][ T5399] dump_stack_lvl+0x1e7/0x2d0 [ 110.444668][ T5399] ? nf_tcp_handle_invalid+0x650/0x650 [ 110.450119][ T5399] ? panic+0x770/0x770 [ 110.454240][ T5399] should_fail_ex+0x3aa/0x4e0 [ 110.458913][ T5399] prepare_alloc_pages+0x1d9/0x5b0 [ 110.464020][ T5399] __alloc_pages+0x165/0x670 [ 110.468617][ T5399] ? zone_statistics+0x170/0x170 [ 110.473546][ T5399] ? verify_lock_unused+0x140/0x140 [ 110.478741][ T5399] ? handle_mm_fault+0x11d/0x62b0 [ 110.483779][ T5399] ? __lock_acquire+0x7f70/0x7f70 [ 110.488802][ T5399] ? pte_offset_map_nolock+0x137/0x1e0 [ 110.494270][ T5399] __folio_alloc+0x13/0x30 [ 110.498693][ T5399] vma_alloc_folio+0x48a/0x9a0 [ 110.503455][ T5399] handle_mm_fault+0x2376/0x62b0 [ 110.508423][ T5399] ? handle_mm_fault+0x11d/0x62b0 [ 110.513448][ T5399] ? numa_migrate_prep+0x380/0x380 [ 110.518556][ T5399] ? mtree_range_walk+0x6a0/0x7e0 [ 110.523581][ T5399] ? lock_vma_under_rcu+0x187/0x6f0 [ 110.528789][ T5399] ? __lock_acquire+0x7f70/0x7f70 [ 110.533800][ T5399] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 110.539014][ T5399] ? lock_vma_under_rcu+0x5df/0x6f0 [ 110.544220][ T5399] ? lock_vma_under_rcu+0x187/0x6f0 [ 110.549416][ T5399] ? exc_page_fault+0x10f/0x860 [ 110.554269][ T5399] exc_page_fault+0x455/0x860 [ 110.558958][ T5399] asm_exc_page_fault+0x26/0x30 [ 110.563797][ T5399] RIP: 0033:0x7f794735bc53 [ 110.568207][ T5399] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 110.587836][ T5399] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5398] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5399] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5399] munmap(0x7f7936b10000, 2097152) = 0 [pid 5399] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 110.593915][ T5399] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 110.601876][ T5399] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 110.609837][ T5399] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 110.617803][ T5399] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 110.625777][ T5399] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 110.633768][ T5399] [pid 5399] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5399] close(5) = 0 [pid 5399] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5399] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 110.666906][ T5399] loop0: detected capacity change from 0 to 4096 [ 110.683220][ T5399] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 110.690292][ T5399] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5399] ioctl(3, LOOP_CLR_FD) = 0 [pid 5399] close(3) = 0 [pid 5399] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5399] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5397] <... futex resumed>) = 0 [pid 5397] exit_group(0 [pid 5398] <... futex resumed>) = ? [pid 5397] <... exit_group resumed>) = ? [pid 5399] <... futex resumed>) = ? [pid 5399] +++ exited with 0 +++ [pid 5398] +++ exited with 0 +++ [pid 5397] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5397, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./119", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./119", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./119/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./119/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./119/binderfs") = 0 umount2("\x2e\x2f\x31\x31\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x31\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x31\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x31\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x31\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./119") = 0 mkdir("./120", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5400 attached [pid 5400] set_robust_list(0x555555f176a0, 24) = 0 [pid 5400] chdir("./120") = 0 [pid 5400] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5400] setpgid(0, 0) = 0 [pid 5400] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5400] write(3, "1000", 4) = 4 [pid 5400] close(3) = 0 [pid 5400] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5400] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5400] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5400] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5400] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5400] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5400] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5400] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5401]}, 88) = 5401 ./strace-static-x86_64: Process 5401 attached [pid 5400] rt_sigprocmask(SIG_SETMASK, [], [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5400 [pid 5401] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5400] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5401] <... rseq resumed>) = 0 [pid 5400] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5401] set_robust_list(0x7f79473519a0, 24 [pid 5400] <... futex resumed>) = 0 [pid 5401] <... set_robust_list resumed>) = 0 [pid 5400] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5401] rt_sigprocmask(SIG_SETMASK, [], [pid 5400] <... futex resumed>) = 0 [pid 5401] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5400] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5400] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5401] memfd_create("syzkaller", 0) = 3 [pid 5400] <... mprotect resumed>) = 0 [pid 5401] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5400] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5401] <... mmap resumed>) = 0x7f793ef10000 [pid 5400] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5402]}, 88) = 5402 [pid 5400] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5400] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5400] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5402 attached [pid 5402] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5402] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5402] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5402] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5401] munmap(0x7f793ef10000, 138412032 [pid 5402] <... openat resumed>) = 4 [pid 5402] write(4, "85", 2) = 2 [pid 5402] memfd_create("syzkaller", 0 [pid 5401] <... munmap resumed>) = 0 [pid 5401] close(3 [pid 5402] <... memfd_create resumed>) = 5 [pid 5402] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5401] <... close resumed>) = 0 [pid 5401] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 110.849023][ T5402] FAULT_INJECTION: forcing a failure. [ 110.849023][ T5402] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 110.862328][ T5402] CPU: 1 PID: 5402 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 110.872753][ T5402] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 110.882798][ T5402] Call Trace: [ 110.886176][ T5402] [ 110.889151][ T5402] dump_stack_lvl+0x1e7/0x2d0 [ 110.893845][ T5402] ? nf_tcp_handle_invalid+0x650/0x650 [ 110.899315][ T5402] ? panic+0x770/0x770 [ 110.903412][ T5402] should_fail_ex+0x3aa/0x4e0 [ 110.908104][ T5402] prepare_alloc_pages+0x1d9/0x5b0 [ 110.913244][ T5402] __alloc_pages+0x165/0x670 [ 110.917854][ T5402] ? zone_statistics+0x170/0x170 [ 110.922800][ T5402] ? verify_lock_unused+0x140/0x140 [ 110.927999][ T5402] ? handle_mm_fault+0x11d/0x62b0 [ 110.933030][ T5402] ? __lock_acquire+0x7f70/0x7f70 [ 110.938050][ T5402] ? pte_offset_map_nolock+0x137/0x1e0 [ 110.943507][ T5402] __folio_alloc+0x13/0x30 [ 110.947926][ T5402] vma_alloc_folio+0x48a/0x9a0 [ 110.952713][ T5402] handle_mm_fault+0x2376/0x62b0 [ 110.957671][ T5402] ? handle_mm_fault+0x11d/0x62b0 [ 110.962710][ T5402] ? numa_migrate_prep+0x380/0x380 [ 110.967853][ T5402] ? mtree_range_walk+0x6a0/0x7e0 [ 110.972900][ T5402] ? lock_vma_under_rcu+0x187/0x6f0 [ 110.978121][ T5402] ? __lock_acquire+0x7f70/0x7f70 [ 110.983164][ T5402] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 110.988395][ T5402] ? lock_vma_under_rcu+0x5df/0x6f0 [ 110.993602][ T5402] ? lock_vma_under_rcu+0x187/0x6f0 [ 110.998815][ T5402] ? exc_page_fault+0x10f/0x860 [ 111.003669][ T5402] exc_page_fault+0x455/0x860 [ 111.008352][ T5402] asm_exc_page_fault+0x26/0x30 [ 111.013201][ T5402] RIP: 0033:0x7f794735bd00 [ 111.017609][ T5402] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 111.037209][ T5402] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 111.043268][ T5402] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 111.051232][ T5402] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 111.059195][ T5402] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 111.067161][ T5402] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 111.075236][ T5402] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 111.083255][ T5402] [ 111.087733][ T5402] pagefault_out_of_memory: 2 callbacks suppressed [pid 5401] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5402] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5402] munmap(0x7f793ef10000, 2097152) = 0 [pid 5402] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 111.087747][ T5402] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5402] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5402] close(5) = 0 [pid 5402] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5402] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5402] ioctl(3, LOOP_CLR_FD) = 0 [pid 5402] close(3) = 0 [pid 5402] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5400] <... futex resumed>) = 0 [pid 5400] exit_group(0) = ? [pid 5401] <... futex resumed>) = ? [pid 5401] +++ exited with 0 +++ [ 111.131828][ T5402] loop0: detected capacity change from 0 to 4096 [ 111.150222][ T5402] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 111.157423][ T5402] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5402] +++ exited with 0 +++ [pid 5400] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5400, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./120", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./120", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./120/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./120/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./120/binderfs") = 0 umount2("\x2e\x2f\x31\x32\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x32\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x32\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x32\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x32\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./120") = 0 mkdir("./121", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5403 attached , child_tidptr=0x555555f17690) = 5403 [pid 5403] set_robust_list(0x555555f176a0, 24) = 0 [pid 5403] chdir("./121") = 0 [pid 5403] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5403] setpgid(0, 0) = 0 [pid 5403] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5403] write(3, "1000", 4) = 4 [pid 5403] close(3) = 0 [pid 5403] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5403] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5403] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5403] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5403] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5403] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5403] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5403] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5404 attached [pid 5404] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5404] set_robust_list(0x7f79473519a0, 24 [pid 5403] <... clone3 resumed> => {parent_tid=[5404]}, 88) = 5404 [pid 5403] rt_sigprocmask(SIG_SETMASK, [], [pid 5404] <... set_robust_list resumed>) = 0 [pid 5403] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5403] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5403] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5403] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5404] rt_sigprocmask(SIG_SETMASK, [], [pid 5403] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5404] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5403] <... mprotect resumed>) = 0 [pid 5403] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5403] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5405 attached => {parent_tid=[5405]}, 88) = 5405 [pid 5405] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5403] rt_sigprocmask(SIG_SETMASK, [], [pid 5405] set_robust_list(0x7f79473309a0, 24 [pid 5403] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5405] <... set_robust_list resumed>) = 0 [pid 5404] memfd_create("syzkaller", 0 [pid 5403] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5405] rt_sigprocmask(SIG_SETMASK, [], [pid 5404] <... memfd_create resumed>) = 3 [pid 5403] <... futex resumed>) = 0 [pid 5405] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5405] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5404] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5403] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5404] <... mmap resumed>) = 0x7f793ef10000 [pid 5404] munmap(0x7f793ef10000, 138412032 [pid 5405] <... openat resumed>) = 4 [pid 5404] <... munmap resumed>) = 0 [pid 5404] close(3 [pid 5405] write(4, "85", 2) = 2 [pid 5404] <... close resumed>) = 0 [pid 5405] memfd_create("syzkaller", 0) = 3 [pid 5404] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5405] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5404] <... futex resumed>) = 0 [ 111.270640][ T5405] FAULT_INJECTION: forcing a failure. [ 111.270640][ T5405] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 111.284155][ T5405] CPU: 0 PID: 5405 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 111.294586][ T5405] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 111.304633][ T5405] Call Trace: [ 111.307900][ T5405] [ 111.310817][ T5405] dump_stack_lvl+0x1e7/0x2d0 [ 111.315479][ T5405] ? nf_tcp_handle_invalid+0x650/0x650 [ 111.320927][ T5405] ? panic+0x770/0x770 [ 111.325001][ T5405] should_fail_ex+0x3aa/0x4e0 [ 111.329681][ T5405] prepare_alloc_pages+0x1d9/0x5b0 [ 111.334812][ T5405] __alloc_pages+0x165/0x670 [ 111.339397][ T5405] ? zone_statistics+0x170/0x170 [ 111.344334][ T5405] ? verify_lock_unused+0x140/0x140 [ 111.349525][ T5405] ? handle_mm_fault+0x11d/0x62b0 [ 111.354545][ T5405] ? __lock_acquire+0x7f70/0x7f70 [ 111.359556][ T5405] ? pte_offset_map_nolock+0x137/0x1e0 [ 111.365012][ T5405] __folio_alloc+0x13/0x30 [ 111.369423][ T5405] vma_alloc_folio+0x48a/0x9a0 [ 111.374186][ T5405] handle_mm_fault+0x2376/0x62b0 [ 111.379303][ T5405] ? handle_mm_fault+0x11d/0x62b0 [ 111.384416][ T5405] ? numa_migrate_prep+0x380/0x380 [ 111.389566][ T5405] ? mtree_range_walk+0x6a0/0x7e0 [ 111.394596][ T5405] ? lock_vma_under_rcu+0x187/0x6f0 [ 111.399792][ T5405] ? __lock_acquire+0x7f70/0x7f70 [ 111.404806][ T5405] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 111.410186][ T5405] ? lock_vma_under_rcu+0x5df/0x6f0 [ 111.415379][ T5405] ? lock_vma_under_rcu+0x187/0x6f0 [ 111.420601][ T5405] ? exc_page_fault+0x10f/0x860 [ 111.425448][ T5405] exc_page_fault+0x455/0x860 [ 111.430131][ T5405] asm_exc_page_fault+0x26/0x30 [ 111.435071][ T5405] RIP: 0033:0x7f794735bd00 [ 111.439486][ T5405] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 111.459091][ T5405] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5404] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5405] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5405] munmap(0x7f793ef10000, 2097152) = 0 [pid 5405] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 111.465154][ T5405] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 111.473117][ T5405] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 111.481083][ T5405] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 111.489181][ T5405] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 111.497229][ T5405] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 111.505205][ T5405] [ 111.508458][ T5405] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5405] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5405] close(3) = 0 [pid 5405] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5405] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5405] ioctl(5, LOOP_CLR_FD) = 0 [ 111.549639][ T5405] loop0: detected capacity change from 0 to 4096 [ 111.566836][ T5405] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 111.573944][ T5405] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5405] close(5) = 0 [pid 5405] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5403] <... futex resumed>) = 0 [pid 5405] <... futex resumed>) = 1 [pid 5405] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5403] exit_group(0 [pid 5404] <... futex resumed>) = ? [pid 5404] +++ exited with 0 +++ [pid 5405] <... futex resumed>) = ? [pid 5403] <... exit_group resumed>) = ? [pid 5405] +++ exited with 0 +++ [pid 5403] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5403, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./121", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./121", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./121/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./121/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./121/binderfs") = 0 umount2("\x2e\x2f\x31\x32\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x32\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x32\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x32\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x32\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./121") = 0 mkdir("./122", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5406 attached [pid 5406] set_robust_list(0x555555f176a0, 24) = 0 [pid 5406] chdir("./122") = 0 [pid 5406] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5406] setpgid(0, 0) = 0 [pid 5406] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5406] write(3, "1000", 4 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5406 [pid 5406] <... write resumed>) = 4 [pid 5406] close(3) = 0 [pid 5406] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5406] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5406] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5406] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5406] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5406] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5406] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5406] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5407 attached => {parent_tid=[5407]}, 88) = 5407 [pid 5406] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5406] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5407] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5406] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5406] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5407] <... rseq resumed>) = 0 [pid 5407] set_robust_list(0x7f79473519a0, 24 [pid 5406] <... mmap resumed>) = 0x7f7947310000 [pid 5406] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5407] <... set_robust_list resumed>) = 0 [pid 5406] <... mprotect resumed>) = 0 [pid 5407] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5406] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5406] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5408]}, 88) = 5408 [pid 5406] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5406] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5406] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5407] memfd_create("syzkaller", 0./strace-static-x86_64: Process 5408 attached [pid 5408] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5408] set_robust_list(0x7f79473309a0, 24 [pid 5407] <... memfd_create resumed>) = 3 [pid 5408] <... set_robust_list resumed>) = 0 [pid 5407] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5408] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5408] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5407] <... mmap resumed>) = 0x7f793ef10000 [pid 5407] munmap(0x7f793ef10000, 138412032) = 0 [pid 5407] close(3) = 0 [pid 5408] <... openat resumed>) = 4 [pid 5408] write(4, "85", 2) = 2 [pid 5407] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5408] memfd_create("syzkaller", 0) = 3 [pid 5407] <... futex resumed>) = 0 [pid 5408] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5407] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5408] <... mmap resumed>) = 0x7f793ef10000 [ 111.697941][ T5408] FAULT_INJECTION: forcing a failure. [ 111.697941][ T5408] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 111.711317][ T5408] CPU: 0 PID: 5408 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 111.721739][ T5408] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 111.731802][ T5408] Call Trace: [ 111.735076][ T5408] [ 111.738003][ T5408] dump_stack_lvl+0x1e7/0x2d0 [ 111.742679][ T5408] ? nf_tcp_handle_invalid+0x650/0x650 [ 111.748151][ T5408] ? panic+0x770/0x770 [ 111.752226][ T5408] should_fail_ex+0x3aa/0x4e0 [ 111.756903][ T5408] prepare_alloc_pages+0x1d9/0x5b0 [ 111.762053][ T5408] __alloc_pages+0x165/0x670 [ 111.766639][ T5408] ? zone_statistics+0x170/0x170 [ 111.771574][ T5408] ? verify_lock_unused+0x140/0x140 [ 111.776767][ T5408] ? handle_mm_fault+0x11d/0x62b0 [ 111.781786][ T5408] ? __lock_acquire+0x7f70/0x7f70 [ 111.786806][ T5408] ? pte_offset_map_nolock+0x137/0x1e0 [ 111.792264][ T5408] __folio_alloc+0x13/0x30 [ 111.796672][ T5408] vma_alloc_folio+0x48a/0x9a0 [ 111.801437][ T5408] handle_mm_fault+0x2376/0x62b0 [ 111.806379][ T5408] ? handle_mm_fault+0x11d/0x62b0 [ 111.811411][ T5408] ? numa_migrate_prep+0x380/0x380 [ 111.816528][ T5408] ? mtree_range_walk+0x6a0/0x7e0 [ 111.821550][ T5408] ? lock_vma_under_rcu+0x187/0x6f0 [ 111.826743][ T5408] ? __lock_acquire+0x7f70/0x7f70 [ 111.831757][ T5408] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 111.836963][ T5408] ? lock_vma_under_rcu+0x5df/0x6f0 [ 111.842157][ T5408] ? lock_vma_under_rcu+0x187/0x6f0 [ 111.847362][ T5408] ? exc_page_fault+0x10f/0x860 [ 111.852210][ T5408] exc_page_fault+0x455/0x860 [ 111.856888][ T5408] asm_exc_page_fault+0x26/0x30 [ 111.861731][ T5408] RIP: 0033:0x7f794735bd00 [ 111.866140][ T5408] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 111.885746][ T5408] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5408] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5408] munmap(0x7f793ef10000, 2097152) = 0 [pid 5408] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 111.891815][ T5408] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 111.899778][ T5408] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 111.907745][ T5408] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 111.915710][ T5408] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 111.923673][ T5408] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 111.931655][ T5408] [ 111.934875][ T5408] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5408] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5408] close(3) = 0 [pid 5408] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5408] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5408] ioctl(5, LOOP_CLR_FD) = 0 [ 111.971424][ T5408] loop0: detected capacity change from 0 to 4096 [ 111.988218][ T5408] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 111.995203][ T5408] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5408] close(5) = 0 [pid 5408] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5406] <... futex resumed>) = 0 [pid 5408] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5406] exit_group(0 [pid 5408] <... futex resumed>) = ? [pid 5406] <... exit_group resumed>) = ? [pid 5408] +++ exited with 0 +++ [pid 5407] <... futex resumed>) = ? [pid 5407] +++ exited with 0 +++ [pid 5406] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5406, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=5 /* 0.05 s */} --- umount2("./122", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./122", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./122/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./122/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./122/binderfs") = 0 umount2("\x2e\x2f\x31\x32\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x32\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x32\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x32\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x32\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./122") = 0 mkdir("./123", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5409 attached , child_tidptr=0x555555f17690) = 5409 [pid 5409] set_robust_list(0x555555f176a0, 24) = 0 [pid 5409] chdir("./123") = 0 [pid 5409] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5409] setpgid(0, 0) = 0 [pid 5409] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5409] write(3, "1000", 4) = 4 [pid 5409] close(3) = 0 [pid 5409] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5409] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5409] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5409] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5409] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5409] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5409] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5409] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5410]}, 88) = 5410 [pid 5409] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5409] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5409] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5410 attached [pid 5410] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5409] <... futex resumed>) = 0 [pid 5410] <... rseq resumed>) = 0 [pid 5409] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5410] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5409] <... mmap resumed>) = 0x7f7947310000 [pid 5410] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5409] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5409] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5410] memfd_create("syzkaller", 0 [pid 5409] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5409] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5410] <... memfd_create resumed>) = 3 ./strace-static-x86_64: Process 5411 attached [pid 5410] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5411] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5410] <... mmap resumed>) = 0x7f793ef10000 [pid 5411] <... rseq resumed>) = 0 [pid 5409] <... clone3 resumed> => {parent_tid=[5411]}, 88) = 5411 [pid 5411] set_robust_list(0x7f79473309a0, 24 [pid 5409] rt_sigprocmask(SIG_SETMASK, [], [pid 5411] <... set_robust_list resumed>) = 0 [pid 5409] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5411] rt_sigprocmask(SIG_SETMASK, [], [pid 5409] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5411] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5411] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5409] <... futex resumed>) = 0 [pid 5410] munmap(0x7f793ef10000, 138412032 [pid 5409] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5410] <... munmap resumed>) = 0 [pid 5410] close(3) = 0 [pid 5411] <... openat resumed>) = 4 [pid 5411] write(4, "85", 2) = 2 [pid 5411] memfd_create("syzkaller", 0 [pid 5410] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5411] <... memfd_create resumed>) = 3 [pid 5411] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5410] <... futex resumed>) = 0 [ 112.130086][ T5411] FAULT_INJECTION: forcing a failure. [ 112.130086][ T5411] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 112.144039][ T5411] CPU: 1 PID: 5411 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 112.154448][ T5411] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 112.164512][ T5411] Call Trace: [ 112.167801][ T5411] [ 112.170722][ T5411] dump_stack_lvl+0x1e7/0x2d0 [ 112.175405][ T5411] ? nf_tcp_handle_invalid+0x650/0x650 [ 112.180869][ T5411] ? panic+0x770/0x770 [ 112.184946][ T5411] should_fail_ex+0x3aa/0x4e0 [ 112.189626][ T5411] prepare_alloc_pages+0x1d9/0x5b0 [ 112.194738][ T5411] __alloc_pages+0x165/0x670 [ 112.199337][ T5411] ? zone_statistics+0x170/0x170 [ 112.204319][ T5411] ? verify_lock_unused+0x140/0x140 [ 112.209518][ T5411] ? handle_mm_fault+0x11d/0x62b0 [ 112.214535][ T5411] ? __lock_acquire+0x7f70/0x7f70 [ 112.219558][ T5411] ? pte_offset_map_nolock+0x137/0x1e0 [ 112.225015][ T5411] __folio_alloc+0x13/0x30 [ 112.229425][ T5411] vma_alloc_folio+0x48a/0x9a0 [ 112.234192][ T5411] handle_mm_fault+0x2376/0x62b0 [ 112.239134][ T5411] ? handle_mm_fault+0x11d/0x62b0 [ 112.244159][ T5411] ? numa_migrate_prep+0x380/0x380 [ 112.249274][ T5411] ? mtree_range_walk+0x6a0/0x7e0 [ 112.254382][ T5411] ? lock_vma_under_rcu+0x187/0x6f0 [ 112.259576][ T5411] ? __lock_acquire+0x7f70/0x7f70 [ 112.264592][ T5411] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 112.269802][ T5411] ? lock_vma_under_rcu+0x5df/0x6f0 [ 112.274996][ T5411] ? lock_vma_under_rcu+0x187/0x6f0 [ 112.280202][ T5411] ? exc_page_fault+0x10f/0x860 [ 112.285135][ T5411] exc_page_fault+0x455/0x860 [ 112.289808][ T5411] asm_exc_page_fault+0x26/0x30 [ 112.294650][ T5411] RIP: 0033:0x7f794735bd00 [ 112.299060][ T5411] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 112.318664][ T5411] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5410] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5411] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5411] munmap(0x7f793ef10000, 2097152) = 0 [pid 5411] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 112.324725][ T5411] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 112.332688][ T5411] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 112.340659][ T5411] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 112.348624][ T5411] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 112.356762][ T5411] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 112.364737][ T5411] [ 112.368299][ T5411] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5411] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5411] close(3) = 0 [pid 5411] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5411] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5411] ioctl(5, LOOP_CLR_FD) = 0 [pid 5411] close(5) = 0 [pid 5411] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5409] <... futex resumed>) = 0 [ 112.405831][ T5411] loop0: detected capacity change from 0 to 4096 [ 112.424545][ T5411] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 112.431616][ T5411] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5411] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5409] exit_group(0 [pid 5410] <... futex resumed>) = ? [pid 5409] <... exit_group resumed>) = ? [pid 5411] <... futex resumed>) = ? [pid 5410] +++ exited with 0 +++ [pid 5411] +++ exited with 0 +++ [pid 5409] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5409, si_uid=0, si_status=0, si_utime=0, si_stime=8 /* 0.08 s */} --- umount2("./123", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./123", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./123/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./123/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./123/binderfs") = 0 umount2("\x2e\x2f\x31\x32\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x32\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x32\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x32\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x32\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./123") = 0 mkdir("./124", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5412 attached [pid 5412] set_robust_list(0x555555f176a0, 24) = 0 [pid 5412] chdir("./124") = 0 [pid 5412] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5412] setpgid(0, 0) = 0 [pid 5412] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5412] write(3, "1000", 4) = 4 [pid 5412] close(3) = 0 [pid 5412] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5412] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5412] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5412] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5412] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5412] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5412 [pid 5412] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5412] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5413 attached => {parent_tid=[5413]}, 88) = 5413 [pid 5412] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5412] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5413] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5412] <... futex resumed>) = 0 [pid 5412] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5412] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5413] set_robust_list(0x7f79473519a0, 24 [pid 5412] <... mmap resumed>) = 0x7f7947310000 [pid 5413] <... set_robust_list resumed>) = 0 [pid 5413] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5412] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5412] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5412] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5414 attached [pid 5414] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5414] set_robust_list(0x7f79473309a0, 24 [pid 5412] <... clone3 resumed> => {parent_tid=[5414]}, 88) = 5414 [pid 5414] <... set_robust_list resumed>) = 0 [pid 5412] rt_sigprocmask(SIG_SETMASK, [], [pid 5414] rt_sigprocmask(SIG_SETMASK, [], [pid 5412] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5414] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5412] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5414] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5412] <... futex resumed>) = 0 [pid 5412] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5414] <... openat resumed>) = 3 [pid 5414] write(3, "85", 2) = 2 [pid 5414] memfd_create("syzkaller", 0) = 4 [pid 5414] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5413] memfd_create("syzkaller", 0) = 5 [pid 5413] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5413] munmap(0x7f7936b10000, 138412032) = 0 [pid 5413] close(5) = 0 [pid 5413] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 112.548669][ T5414] FAULT_INJECTION: forcing a failure. [ 112.548669][ T5414] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 112.562353][ T5414] CPU: 1 PID: 5414 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 112.572806][ T5414] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 112.582888][ T5414] Call Trace: [ 112.586160][ T5414] [ 112.589110][ T5414] dump_stack_lvl+0x1e7/0x2d0 [ 112.593802][ T5414] ? nf_tcp_handle_invalid+0x650/0x650 [ 112.599287][ T5414] ? panic+0x770/0x770 [ 112.603387][ T5414] should_fail_ex+0x3aa/0x4e0 [ 112.608112][ T5414] prepare_alloc_pages+0x1d9/0x5b0 [ 112.613241][ T5414] __alloc_pages+0x165/0x670 [ 112.617826][ T5414] ? zone_statistics+0x170/0x170 [ 112.622763][ T5414] ? verify_lock_unused+0x140/0x140 [ 112.627954][ T5414] ? handle_mm_fault+0x11d/0x62b0 [ 112.632992][ T5414] ? __lock_acquire+0x7f70/0x7f70 [ 112.638016][ T5414] ? pte_offset_map_nolock+0x137/0x1e0 [ 112.643475][ T5414] __folio_alloc+0x13/0x30 [ 112.647887][ T5414] vma_alloc_folio+0x48a/0x9a0 [ 112.652651][ T5414] handle_mm_fault+0x2376/0x62b0 [ 112.657596][ T5414] ? handle_mm_fault+0x11d/0x62b0 [ 112.662624][ T5414] ? numa_migrate_prep+0x380/0x380 [ 112.667824][ T5414] ? mtree_range_walk+0x6a0/0x7e0 [ 112.672845][ T5414] ? lock_vma_under_rcu+0x187/0x6f0 [ 112.678039][ T5414] ? __lock_acquire+0x7f70/0x7f70 [ 112.683051][ T5414] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 112.688256][ T5414] ? lock_vma_under_rcu+0x5df/0x6f0 [ 112.693457][ T5414] ? lock_vma_under_rcu+0x187/0x6f0 [ 112.698658][ T5414] ? exc_page_fault+0x10f/0x860 [ 112.703510][ T5414] exc_page_fault+0x455/0x860 [ 112.708188][ T5414] asm_exc_page_fault+0x26/0x30 [ 112.713032][ T5414] RIP: 0033:0x7f794735bc53 [ 112.717438][ T5414] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 112.737040][ T5414] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5413] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5414] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2106600) = 2106600 [pid 5414] munmap(0x7f793ef10000, 2106600) = 0 [pid 5414] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 112.743114][ T5414] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 112.751082][ T5414] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 112.759048][ T5414] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 112.767040][ T5414] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 112.775177][ T5414] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 112.783153][ T5414] [ 112.786575][ T5414] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5414] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5414] close(4) = 0 [pid 5414] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5414] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 112.826159][ T5414] loop0: detected capacity change from 0 to 4114 [ 112.841580][ T5414] ntfs3: loop0: failed to replay log file. Can't mount rw! [pid 5414] ioctl(5, LOOP_CLR_FD) = 0 [pid 5414] close(5) = 0 [pid 5414] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5414] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5412] <... futex resumed>) = 0 [pid 5412] exit_group(0) = ? [pid 5413] <... futex resumed>) = ? [pid 5413] +++ exited with 0 +++ [pid 5414] <... futex resumed>) = ? [pid 5414] +++ exited with 0 +++ [pid 5412] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5412, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- umount2("./124", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./124", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./124/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./124/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./124/binderfs") = 0 umount2("\x2e\x2f\x31\x32\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x32\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x32\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x32\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x32\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./124") = 0 mkdir("./125", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5415 attached , child_tidptr=0x555555f17690) = 5415 [pid 5415] set_robust_list(0x555555f176a0, 24) = 0 [pid 5415] chdir("./125") = 0 [pid 5415] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5415] setpgid(0, 0) = 0 [pid 5415] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5415] write(3, "1000", 4) = 4 [pid 5415] close(3) = 0 [pid 5415] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5415] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5415] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5415] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5415] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5415] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5415] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5415] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5416 attached => {parent_tid=[5416]}, 88) = 5416 [pid 5416] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5415] rt_sigprocmask(SIG_SETMASK, [], [pid 5416] <... rseq resumed>) = 0 [pid 5415] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5416] set_robust_list(0x7f79473519a0, 24 [pid 5415] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5416] <... set_robust_list resumed>) = 0 [pid 5416] rt_sigprocmask(SIG_SETMASK, [], [pid 5415] <... futex resumed>) = 0 [pid 5416] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5415] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5416] memfd_create("syzkaller", 0 [pid 5415] <... futex resumed>) = 0 [pid 5415] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5415] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5415] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5415] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5417]}, 88) = 5417 [pid 5416] <... memfd_create resumed>) = 3 [pid 5415] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5416] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5415] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5416] <... mmap resumed>) = 0x7f793ef10000 [pid 5415] <... futex resumed>) = 0 [pid 5415] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5417 attached [pid 5417] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5416] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5417] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5417] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5416] <... write resumed>) = 2097152 [pid 5416] munmap(0x7f793ef10000, 2097152 [pid 5417] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5417] write(4, "85", 2) = 2 [pid 5417] memfd_create("syzkaller", 0) = 5 [pid 5417] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5416] <... munmap resumed>) = 0 [pid 5417] <... mmap resumed>) = 0x7f7936d10000 [pid 5416] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5416] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5416] close(3) = 0 [pid 5416] mkdir("./file0", 0777) = 0 [ 113.011070][ T5417] FAULT_INJECTION: forcing a failure. [ 113.011070][ T5417] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 113.016873][ T5416] loop0: detected capacity change from 0 to 4096 [ 113.030968][ T5417] CPU: 0 PID: 5417 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 113.041394][ T5417] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 113.051453][ T5417] Call Trace: [ 113.054729][ T5417] [ 113.057653][ T5417] dump_stack_lvl+0x1e7/0x2d0 [ 113.062905][ T5417] ? nf_tcp_handle_invalid+0x650/0x650 [ 113.068374][ T5417] ? panic+0x770/0x770 [ 113.072450][ T5417] should_fail_ex+0x3aa/0x4e0 [ 113.077133][ T5417] prepare_alloc_pages+0x1d9/0x5b0 [ 113.082255][ T5417] __alloc_pages+0x165/0x670 [ 113.086935][ T5417] ? zone_statistics+0x170/0x170 [ 113.091911][ T5417] ? verify_lock_unused+0x140/0x140 [ 113.097212][ T5417] ? handle_mm_fault+0x11d/0x62b0 [ 113.102242][ T5417] ? __lock_acquire+0x7f70/0x7f70 [ 113.107276][ T5417] ? pte_offset_map_nolock+0x137/0x1e0 [ 113.112750][ T5417] __folio_alloc+0x13/0x30 [ 113.117172][ T5417] vma_alloc_folio+0x48a/0x9a0 [ 113.121979][ T5417] handle_mm_fault+0x2376/0x62b0 [ 113.127058][ T5417] ? handle_mm_fault+0x11d/0x62b0 [ 113.132197][ T5417] ? numa_migrate_prep+0x380/0x380 [ 113.137318][ T5417] ? mtree_range_walk+0x6a0/0x7e0 [ 113.142348][ T5417] ? lock_vma_under_rcu+0x187/0x6f0 [ 113.147544][ T5417] ? __lock_acquire+0x7f70/0x7f70 [ 113.152557][ T5417] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 113.157761][ T5417] ? lock_vma_under_rcu+0x5df/0x6f0 [ 113.162983][ T5417] ? lock_vma_under_rcu+0x187/0x6f0 [ 113.168210][ T5417] ? exc_page_fault+0x10f/0x860 [ 113.173071][ T5417] exc_page_fault+0x455/0x860 [ 113.177757][ T5417] asm_exc_page_fault+0x26/0x30 [ 113.182602][ T5417] RIP: 0033:0x7f794735bc53 [ 113.187066][ T5417] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 113.206755][ T5417] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 113.212817][ T5417] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936d10000 [ 113.220778][ T5417] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 113.228740][ T5417] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 113.236698][ T5417] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 113.244659][ T5417] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 113.252635][ T5417] [pid 5416] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5417] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5417] munmap(0x7f7936d10000, 2097152) = 0 [pid 5417] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5417] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [ 113.257104][ T5417] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 113.277776][ T5416] __ntfs_error: 55 callbacks suppressed [ 113.277792][ T5416] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 113.294224][ T5416] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5417] ioctl(3, LOOP_CLR_FD) = 0 [pid 5417] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5417] close(3) = 0 [pid 5417] close(5) = 0 [pid 5417] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5417] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5415] <... futex resumed>) = 0 [ 113.307592][ T5416] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 113.323760][ T5416] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 113.337347][ T5416] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 113.345343][ T5416] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 113.359552][ T5416] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 113.372729][ T5416] ntfs: volume version 12.0. [ 113.378435][ T5416] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 113.386937][ T5416] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [pid 5416] <... mount resumed>) = 0 [pid 5416] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5416] chdir("./file0") = 0 [pid 5416] ioctl(6, LOOP_CLR_FD) = 0 [pid 5416] close(6) = 0 [pid 5416] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5416] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5415] exit_group(0 [pid 5417] <... futex resumed>) = ? [pid 5416] <... futex resumed>) = ? [pid 5417] +++ exited with 0 +++ [pid 5416] +++ exited with 0 +++ [pid 5415] <... exit_group resumed>) = ? [pid 5415] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5415, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=43 /* 0.43 s */} --- umount2("./125", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./125", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./125/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./125/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./125/binderfs") = 0 umount2("./125/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./125/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./125/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./125/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./125/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 [ 113.400153][ T5416] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. rmdir("./125/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./125") = 0 mkdir("./126", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5418 attached , child_tidptr=0x555555f17690) = 5418 [pid 5418] set_robust_list(0x555555f176a0, 24) = 0 [pid 5418] chdir("./126") = 0 [pid 5418] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5418] setpgid(0, 0) = 0 [pid 5418] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5418] write(3, "1000", 4) = 4 [pid 5418] close(3) = 0 [pid 5418] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5418] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5418] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5418] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5418] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5418] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5418] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5418] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5419 attached [pid 5419] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5418] <... clone3 resumed> => {parent_tid=[5419]}, 88) = 5419 [pid 5419] <... rseq resumed>) = 0 [pid 5418] rt_sigprocmask(SIG_SETMASK, [], [pid 5419] set_robust_list(0x7f79473519a0, 24 [pid 5418] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5419] <... set_robust_list resumed>) = 0 [pid 5418] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5419] rt_sigprocmask(SIG_SETMASK, [], [pid 5418] <... futex resumed>) = 0 [pid 5419] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5418] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5419] memfd_create("syzkaller", 0 [pid 5418] <... futex resumed>) = 0 [pid 5418] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5418] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5418] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5418] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5420]}, 88) = 5420 [pid 5419] <... memfd_create resumed>) = 3 [pid 5418] rt_sigprocmask(SIG_SETMASK, [], [pid 5419] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5418] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5418] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5420 attached ) = 0 [pid 5420] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5420] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5418] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5420] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5420] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5420] write(4, "85", 2) = 2 [pid 5420] memfd_create("syzkaller", 0) = 5 [pid 5420] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5419] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2045581) = 2045581 [ 113.506350][ T5420] FAULT_INJECTION: forcing a failure. [ 113.506350][ T5420] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 113.519956][ T5420] CPU: 1 PID: 5420 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 113.530391][ T5420] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 113.540438][ T5420] Call Trace: [ 113.543713][ T5420] [ 113.546687][ T5420] dump_stack_lvl+0x1e7/0x2d0 [ 113.551379][ T5420] ? nf_tcp_handle_invalid+0x650/0x650 [ 113.556853][ T5420] ? panic+0x770/0x770 [ 113.560986][ T5420] should_fail_ex+0x3aa/0x4e0 [ 113.565685][ T5420] prepare_alloc_pages+0x1d9/0x5b0 [ 113.570917][ T5420] __alloc_pages+0x165/0x670 [ 113.575521][ T5420] ? zone_statistics+0x170/0x170 [ 113.580467][ T5420] ? verify_lock_unused+0x140/0x140 [ 113.585672][ T5420] ? handle_mm_fault+0x11d/0x62b0 [ 113.590686][ T5420] ? __lock_acquire+0x7f70/0x7f70 [ 113.595708][ T5420] ? pte_offset_map_nolock+0x137/0x1e0 [ 113.601178][ T5420] __folio_alloc+0x13/0x30 [ 113.605599][ T5420] vma_alloc_folio+0x48a/0x9a0 [ 113.610378][ T5420] handle_mm_fault+0x2376/0x62b0 [ 113.615327][ T5420] ? handle_mm_fault+0x11d/0x62b0 [ 113.620369][ T5420] ? numa_migrate_prep+0x380/0x380 [ 113.625507][ T5420] ? mtree_range_walk+0x6a0/0x7e0 [ 113.630527][ T5420] ? lock_vma_under_rcu+0x187/0x6f0 [ 113.635833][ T5420] ? __lock_acquire+0x7f70/0x7f70 [ 113.640849][ T5420] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 113.646055][ T5420] ? lock_vma_under_rcu+0x5df/0x6f0 [ 113.651248][ T5420] ? lock_vma_under_rcu+0x187/0x6f0 [ 113.656449][ T5420] ? exc_page_fault+0x10f/0x860 [ 113.661294][ T5420] exc_page_fault+0x455/0x860 [ 113.665977][ T5420] asm_exc_page_fault+0x26/0x30 [ 113.670823][ T5420] RIP: 0033:0x7f794735bc53 [ 113.675230][ T5420] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 113.694829][ T5420] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 113.700889][ T5420] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 113.708863][ T5420] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 113.716824][ T5420] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 113.724782][ T5420] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 113.732764][ T5420] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 113.740828][ T5420] [ 113.744083][ T5420] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5419] munmap(0x7f793ef10000, 2045581) = 0 [pid 5419] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5419] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5419] close(3) = 0 [pid 5419] mkdir("./file0", 0777) = 0 [pid 5419] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5420] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5419] <... mount resumed>) = -1 EINVAL (Invalid argument) [pid 5419] ioctl(6, LOOP_CLR_FD [pid 5420] <... write resumed>) = 2097152 [pid 5420] munmap(0x7f7936b10000, 2097152) = 0 [pid 5420] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5420] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5420] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5420] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5420] close(3) = 0 [pid 5420] close(5) = 0 [pid 5420] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5418] <... futex resumed>) = 0 [pid 5420] <... futex resumed>) = 1 [ 113.758513][ T5419] loop0: detected capacity change from 0 to 3995 [pid 5420] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5419] <... ioctl resumed>) = 0 [pid 5419] close(6) = 0 [pid 5419] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5418] exit_group(0 [pid 5420] <... futex resumed>) = ? [pid 5418] <... exit_group resumed>) = ? [pid 5420] +++ exited with 0 +++ [pid 5419] +++ exited with 0 +++ [pid 5418] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5418, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./126", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./126", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./126/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./126/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./126/binderfs") = 0 umount2("./126/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./126/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./126/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./126/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./126/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./126") = 0 mkdir("./127", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5421 attached , child_tidptr=0x555555f17690) = 5421 [pid 5421] set_robust_list(0x555555f176a0, 24) = 0 [pid 5421] chdir("./127") = 0 [pid 5421] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5421] setpgid(0, 0) = 0 [pid 5421] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5421] write(3, "1000", 4) = 4 [pid 5421] close(3) = 0 [pid 5421] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5421] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5421] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5421] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5421] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5421] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5421] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5421] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5422 attached => {parent_tid=[5422]}, 88) = 5422 [pid 5422] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5421] rt_sigprocmask(SIG_SETMASK, [], [pid 5422] <... rseq resumed>) = 0 [pid 5421] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5422] set_robust_list(0x7f79473519a0, 24 [pid 5421] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5422] <... set_robust_list resumed>) = 0 [pid 5421] <... futex resumed>) = 0 [pid 5422] rt_sigprocmask(SIG_SETMASK, [], [pid 5421] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5422] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5421] <... futex resumed>) = 0 [pid 5421] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5421] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5422] memfd_create("syzkaller", 0 [pid 5421] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5422] <... memfd_create resumed>) = 3 [ 113.827767][ T5238] I/O error, dev loop0, sector 3840 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 5422] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5421] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5422] <... mmap resumed>) = 0x7f793ef10000 [pid 5421] <... clone3 resumed> => {parent_tid=[5423]}, 88) = 5423 [pid 5421] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5421] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5421] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5423 attached [pid 5423] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5423] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5423] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5423] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5423] write(4, "85", 2) = 2 [pid 5423] memfd_create("syzkaller", 0) = 5 [pid 5423] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5422] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 113.912842][ T5423] FAULT_INJECTION: forcing a failure. [ 113.912842][ T5423] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 113.926880][ T5423] CPU: 0 PID: 5423 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 113.937337][ T5423] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 113.947403][ T5423] Call Trace: [ 113.950672][ T5423] [ 113.953590][ T5423] dump_stack_lvl+0x1e7/0x2d0 [ 113.958272][ T5423] ? nf_tcp_handle_invalid+0x650/0x650 [ 113.963729][ T5423] ? panic+0x770/0x770 [ 113.967818][ T5423] should_fail_ex+0x3aa/0x4e0 [ 113.972587][ T5423] prepare_alloc_pages+0x1d9/0x5b0 [ 113.977781][ T5423] __alloc_pages+0x165/0x670 [ 113.982356][ T5423] ? zone_statistics+0x170/0x170 [ 113.987285][ T5423] ? verify_lock_unused+0x140/0x140 [ 113.992469][ T5423] ? handle_mm_fault+0x11d/0x62b0 [ 113.997517][ T5423] ? __lock_acquire+0x7f70/0x7f70 [ 114.002522][ T5423] ? pte_offset_map_nolock+0x137/0x1e0 [ 114.007969][ T5423] __folio_alloc+0x13/0x30 [ 114.012371][ T5423] vma_alloc_folio+0x48a/0x9a0 [ 114.017126][ T5423] handle_mm_fault+0x2376/0x62b0 [ 114.022245][ T5423] ? handle_mm_fault+0x11d/0x62b0 [ 114.027277][ T5423] ? numa_migrate_prep+0x380/0x380 [ 114.032392][ T5423] ? mtree_range_walk+0x6a0/0x7e0 [ 114.037409][ T5423] ? lock_vma_under_rcu+0x187/0x6f0 [ 114.042597][ T5423] ? __lock_acquire+0x7f70/0x7f70 [ 114.047609][ T5423] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 114.052802][ T5423] ? lock_vma_under_rcu+0x5df/0x6f0 [ 114.057992][ T5423] ? lock_vma_under_rcu+0x187/0x6f0 [ 114.063195][ T5423] ? exc_page_fault+0x10f/0x860 [ 114.068135][ T5423] exc_page_fault+0x455/0x860 [ 114.072800][ T5423] asm_exc_page_fault+0x26/0x30 [ 114.077635][ T5423] RIP: 0033:0x7f794735bc53 [ 114.082124][ T5423] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 114.101814][ T5423] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5422] munmap(0x7f793ef10000, 2097152) = 0 [pid 5422] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 114.107874][ T5423] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 114.115838][ T5423] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 114.123805][ T5423] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 114.131793][ T5423] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 114.139849][ T5423] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 114.147824][ T5423] [ 114.153818][ T5423] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5422] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5422] close(3) = 0 [pid 5422] mkdir("./file0", 0777) = 0 [pid 5422] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5423] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5422] <... mount resumed>) = 0 [pid 5422] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5422] chdir("./file0") = 0 [pid 5422] ioctl(6, LOOP_CLR_FD) = 0 [pid 5422] close(6) = 0 [pid 5422] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5422] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5423] <... write resumed>) = 2097152 [pid 5423] munmap(0x7f7936b10000, 2097152) = 0 [pid 5423] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5423] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5423] ioctl(6, LOOP_CLR_FD) = 0 [pid 5423] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5423] close(6) = 0 [ 114.167438][ T5422] loop0: detected capacity change from 0 to 4096 [ 114.184265][ T5422] ntfs: volume version 12.0. [pid 5423] close(5) = 0 [pid 5423] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5421] <... futex resumed>) = 0 [pid 5421] exit_group(0) = ? [pid 5422] <... futex resumed>) = ? [pid 5422] +++ exited with 0 +++ [pid 5423] +++ exited with 0 +++ [pid 5421] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5421, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=14 /* 0.14 s */} --- umount2("./127", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./127", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./127/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./127/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./127/binderfs") = 0 umount2("./127/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./127/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./127/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./127/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./127/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./127/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./127") = 0 mkdir("./128", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5424 attached , child_tidptr=0x555555f17690) = 5424 [pid 5424] set_robust_list(0x555555f176a0, 24) = 0 [pid 5424] chdir("./128") = 0 [pid 5424] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5424] setpgid(0, 0) = 0 [pid 5424] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5424] write(3, "1000", 4) = 4 [pid 5424] close(3) = 0 [pid 5424] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5424] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5424] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5424] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5424] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5424] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5424] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5424] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5425]}, 88) = 5425 [pid 5424] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5424] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5424] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5424] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5424] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5424] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5424] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5426 attached => {parent_tid=[5426]}, 88) = 5426 [pid 5426] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5424] rt_sigprocmask(SIG_SETMASK, [], [pid 5426] <... rseq resumed>) = 0 [pid 5424] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5426] set_robust_list(0x7f79473309a0, 24 [pid 5424] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5426] <... set_robust_list resumed>) = 0 [pid 5426] rt_sigprocmask(SIG_SETMASK, [], [pid 5424] <... futex resumed>) = 0 [pid 5426] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5424] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5425 attached [pid 5425] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5426] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5425] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5425] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5426] <... openat resumed>) = 3 [pid 5426] write(3, "85", 2) = 2 [pid 5426] memfd_create("syzkaller", 0 [pid 5425] memfd_create("syzkaller", 0 [pid 5426] <... memfd_create resumed>) = 4 [pid 5426] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5425] <... memfd_create resumed>) = 5 [pid 5425] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 114.316527][ T5426] FAULT_INJECTION: forcing a failure. [ 114.316527][ T5426] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 114.330459][ T5426] CPU: 1 PID: 5426 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 114.340989][ T5426] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 114.351049][ T5426] Call Trace: [ 114.354332][ T5426] [ 114.357260][ T5426] dump_stack_lvl+0x1e7/0x2d0 [ 114.361943][ T5426] ? nf_tcp_handle_invalid+0x650/0x650 [ 114.367478][ T5426] ? panic+0x770/0x770 [ 114.371559][ T5426] should_fail_ex+0x3aa/0x4e0 [ 114.376342][ T5426] prepare_alloc_pages+0x1d9/0x5b0 [ 114.381547][ T5426] __alloc_pages+0x165/0x670 [ 114.386328][ T5426] ? zone_statistics+0x170/0x170 [ 114.391498][ T5426] ? verify_lock_unused+0x140/0x140 [ 114.397071][ T5426] ? handle_mm_fault+0x11d/0x62b0 [ 114.402102][ T5426] ? __lock_acquire+0x7f70/0x7f70 [ 114.407126][ T5426] ? pte_offset_map_nolock+0x137/0x1e0 [ 114.412720][ T5426] __folio_alloc+0x13/0x30 [ 114.417187][ T5426] vma_alloc_folio+0x48a/0x9a0 [ 114.422241][ T5426] handle_mm_fault+0x2376/0x62b0 [ 114.427198][ T5426] ? handle_mm_fault+0x11d/0x62b0 [ 114.432326][ T5426] ? numa_migrate_prep+0x380/0x380 [ 114.437446][ T5426] ? mtree_range_walk+0x6a0/0x7e0 [ 114.442555][ T5426] ? lock_vma_under_rcu+0x187/0x6f0 [ 114.447748][ T5426] ? __lock_acquire+0x7f70/0x7f70 [ 114.452763][ T5426] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 114.457970][ T5426] ? lock_vma_under_rcu+0x5df/0x6f0 [ 114.463168][ T5426] ? lock_vma_under_rcu+0x187/0x6f0 [ 114.468371][ T5426] ? exc_page_fault+0x10f/0x860 [ 114.473224][ T5426] exc_page_fault+0x455/0x860 [ 114.477900][ T5426] asm_exc_page_fault+0x26/0x30 [ 114.482746][ T5426] RIP: 0033:0x7f794735bc53 [ 114.487241][ T5426] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 114.506845][ T5426] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5425] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5426] munmap(0x7f793ef10000, 138412032) = 0 [pid 5426] close(4) = 0 [pid 5425] <... write resumed>) = 2097152 [pid 5426] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5425] munmap(0x7f7936b10000, 2097152 [pid 5426] <... futex resumed>) = 1 [pid 5426] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5424] <... futex resumed>) = 0 [ 114.512912][ T5426] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 114.520876][ T5426] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 114.529625][ T5426] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 114.537586][ T5426] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 114.545839][ T5426] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 114.553818][ T5426] [ 114.557235][ T5426] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5425] <... munmap resumed>) = 0 [pid 5425] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5425] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5425] close(5) = 0 [pid 5425] mkdir("./file0", 0777) = 0 [pid 5425] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5425] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5425] chdir("./file0") = 0 [pid 5425] ioctl(4, LOOP_CLR_FD) = 0 [pid 5425] close(4) = 0 [pid 5425] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5425] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5424] exit_group(0 [pid 5426] <... futex resumed>) = ? [pid 5425] <... futex resumed>) = ? [pid 5424] <... exit_group resumed>) = ? [pid 5426] +++ exited with 0 +++ [pid 5425] +++ exited with 0 +++ [pid 5424] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5424, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=34 /* 0.34 s */} --- umount2("./128", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./128", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./128/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./128/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./128/binderfs") = 0 umount2("./128/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./128/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./128/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./128/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./128/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./128/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./128") = 0 [ 114.601324][ T5425] loop0: detected capacity change from 0 to 4096 [ 114.613882][ T5425] ntfs: volume version 12.0. mkdir("./129", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5427 attached , child_tidptr=0x555555f17690) = 5427 [pid 5427] set_robust_list(0x555555f176a0, 24) = 0 [pid 5427] chdir("./129") = 0 [pid 5427] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5427] setpgid(0, 0) = 0 [pid 5427] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5427] write(3, "1000", 4) = 4 [pid 5427] close(3) = 0 [pid 5427] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5427] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5427] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5427] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5427] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5427] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5427] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5427] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5428]}, 88) = 5428 [pid 5427] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5427] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5427] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5428 attached ) = 0 [pid 5428] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5427] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5428] <... rseq resumed>) = 0 [pid 5427] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5427] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5427] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5428] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5428] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 ./strace-static-x86_64: Process 5429 attached [pid 5427] <... clone3 resumed> => {parent_tid=[5429]}, 88) = 5429 [pid 5429] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5427] rt_sigprocmask(SIG_SETMASK, [], [pid 5429] <... rseq resumed>) = 0 [pid 5427] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5429] set_robust_list(0x7f79473309a0, 24 [pid 5427] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5429] <... set_robust_list resumed>) = 0 [pid 5429] rt_sigprocmask(SIG_SETMASK, [], [pid 5427] <... futex resumed>) = 0 [pid 5428] memfd_create("syzkaller", 0 [pid 5429] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5427] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5428] <... memfd_create resumed>) = 3 [pid 5428] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5429] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5428] <... mmap resumed>) = 0x7f793ef10000 [pid 5428] munmap(0x7f793ef10000, 138412032) = 0 [pid 5428] close(3) = 0 [pid 5429] <... openat resumed>) = 4 [pid 5429] write(4, "85", 2) = 2 [pid 5429] memfd_create("syzkaller", 0) = 3 [pid 5429] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5428] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 114.697265][ T5429] FAULT_INJECTION: forcing a failure. [ 114.697265][ T5429] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 114.710797][ T5429] CPU: 0 PID: 5429 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 114.721201][ T5429] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 114.731242][ T5429] Call Trace: [ 114.734504][ T5429] [ 114.737417][ T5429] dump_stack_lvl+0x1e7/0x2d0 [ 114.742089][ T5429] ? nf_tcp_handle_invalid+0x650/0x650 [ 114.747550][ T5429] ? panic+0x770/0x770 [ 114.751610][ T5429] should_fail_ex+0x3aa/0x4e0 [ 114.756276][ T5429] prepare_alloc_pages+0x1d9/0x5b0 [ 114.761380][ T5429] __alloc_pages+0x165/0x670 [ 114.765972][ T5429] ? zone_statistics+0x170/0x170 [ 114.770922][ T5429] ? verify_lock_unused+0x140/0x140 [ 114.776105][ T5429] ? handle_mm_fault+0x11d/0x62b0 [ 114.781114][ T5429] ? __lock_acquire+0x7f70/0x7f70 [ 114.786116][ T5429] ? pte_offset_map_nolock+0x137/0x1e0 [ 114.791572][ T5429] __folio_alloc+0x13/0x30 [ 114.795973][ T5429] vma_alloc_folio+0x48a/0x9a0 [ 114.800748][ T5429] handle_mm_fault+0x2376/0x62b0 [ 114.805684][ T5429] ? handle_mm_fault+0x11d/0x62b0 [ 114.810697][ T5429] ? numa_migrate_prep+0x380/0x380 [ 114.816150][ T5429] ? mtree_range_walk+0x6a0/0x7e0 [ 114.821163][ T5429] ? lock_vma_under_rcu+0x187/0x6f0 [ 114.826350][ T5429] ? __lock_acquire+0x7f70/0x7f70 [ 114.831530][ T5429] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 114.836736][ T5429] ? lock_vma_under_rcu+0x5df/0x6f0 [ 114.841914][ T5429] ? lock_vma_under_rcu+0x187/0x6f0 [ 114.847101][ T5429] ? exc_page_fault+0x10f/0x860 [ 114.851935][ T5429] exc_page_fault+0x455/0x860 [ 114.856601][ T5429] asm_exc_page_fault+0x26/0x30 [ 114.861431][ T5429] RIP: 0033:0x7f794735bd00 [ 114.865834][ T5429] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 114.885451][ T5429] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5428] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5429] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5429] munmap(0x7f793ef10000, 2097152) = 0 [pid 5429] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 114.891510][ T5429] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 114.899482][ T5429] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 114.907442][ T5429] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 114.915413][ T5429] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 114.923383][ T5429] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 114.931366][ T5429] [ 114.935185][ T5429] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5429] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5429] close(3) = 0 [pid 5429] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5429] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 114.972515][ T5429] loop0: detected capacity change from 0 to 4096 [ 114.991782][ T5429] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 114.998896][ T5429] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5429] ioctl(5, LOOP_CLR_FD) = 0 [pid 5429] close(5) = 0 [pid 5429] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5427] <... futex resumed>) = 0 [pid 5427] exit_group(0 [pid 5428] <... futex resumed>) = ? [pid 5427] <... exit_group resumed>) = ? [pid 5429] +++ exited with 0 +++ [pid 5428] +++ exited with 0 +++ [pid 5427] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5427, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./129", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./129", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./129/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./129/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./129/binderfs") = 0 umount2("\x2e\x2f\x31\x32\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x32\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x32\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x32\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x32\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./129") = 0 mkdir("./130", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5430 ./strace-static-x86_64: Process 5430 attached [pid 5430] set_robust_list(0x555555f176a0, 24) = 0 [pid 5430] chdir("./130") = 0 [pid 5430] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5430] setpgid(0, 0) = 0 [pid 5430] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5430] write(3, "1000", 4) = 4 [pid 5430] close(3) = 0 [pid 5430] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5430] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5430] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5430] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5430] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5430] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5430] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5430] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5431 attached [pid 5431] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5431] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5431] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5431] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5430] <... clone3 resumed> => {parent_tid=[5431]}, 88) = 5431 [pid 5430] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5430] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5431] <... futex resumed>) = 0 [pid 5430] <... futex resumed>) = 1 [pid 5430] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5430] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5430] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5431] memfd_create("syzkaller", 0) = 3 [pid 5430] <... mprotect resumed>) = 0 [pid 5431] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5430] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5430] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5432]}, 88) = 5432 [pid 5430] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5430] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5430] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5432 attached [pid 5432] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5432] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5432] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5432] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5432] write(4, "85", 2) = 2 [pid 5432] memfd_create("syzkaller", 0) = 5 [pid 5432] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 115.154114][ T5432] FAULT_INJECTION: forcing a failure. [ 115.154114][ T5432] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 115.167759][ T5432] CPU: 0 PID: 5432 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 115.178204][ T5432] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 115.188256][ T5432] Call Trace: [ 115.191527][ T5432] [ 115.194451][ T5432] dump_stack_lvl+0x1e7/0x2d0 [ 115.199126][ T5432] ? nf_tcp_handle_invalid+0x650/0x650 [ 115.204575][ T5432] ? panic+0x770/0x770 [ 115.208648][ T5432] should_fail_ex+0x3aa/0x4e0 [ 115.213327][ T5432] prepare_alloc_pages+0x1d9/0x5b0 [ 115.218446][ T5432] __alloc_pages+0x165/0x670 [ 115.223036][ T5432] ? zone_statistics+0x170/0x170 [ 115.227971][ T5432] ? verify_lock_unused+0x140/0x140 [ 115.233167][ T5432] ? handle_mm_fault+0x11d/0x62b0 [ 115.238188][ T5432] ? __lock_acquire+0x7f70/0x7f70 [ 115.243199][ T5432] ? pte_offset_map_nolock+0x137/0x1e0 [ 115.248651][ T5432] __folio_alloc+0x13/0x30 [ 115.253407][ T5432] vma_alloc_folio+0x48a/0x9a0 [ 115.258171][ T5432] handle_mm_fault+0x2376/0x62b0 [ 115.263110][ T5432] ? handle_mm_fault+0x11d/0x62b0 [ 115.268137][ T5432] ? numa_migrate_prep+0x380/0x380 [ 115.273258][ T5432] ? mtree_range_walk+0x6a0/0x7e0 [ 115.278279][ T5432] ? lock_vma_under_rcu+0x187/0x6f0 [ 115.283471][ T5432] ? __lock_acquire+0x7f70/0x7f70 [ 115.288486][ T5432] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 115.293690][ T5432] ? lock_vma_under_rcu+0x5df/0x6f0 [ 115.298884][ T5432] ? lock_vma_under_rcu+0x187/0x6f0 [ 115.304087][ T5432] ? exc_page_fault+0x10f/0x860 [ 115.308933][ T5432] exc_page_fault+0x455/0x860 [ 115.313609][ T5432] asm_exc_page_fault+0x26/0x30 [ 115.318449][ T5432] RIP: 0033:0x7f794735bc53 [ 115.322856][ T5432] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 115.342454][ T5432] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5431] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5431] munmap(0x7f793ef10000, 2097152) = 0 [pid 5431] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 115.348516][ T5432] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 115.356479][ T5432] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 115.364438][ T5432] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 115.372402][ T5432] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 115.380381][ T5432] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 115.388449][ T5432] [pid 5431] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5431] close(3) = 0 [pid 5431] mkdir("./file0", 0777) = 0 [pid 5431] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5431] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5431] chdir("./file0") = 0 [pid 5431] ioctl(6, LOOP_CLR_FD) = 0 [pid 5431] close(6) = 0 [pid 5431] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5431] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5432] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5432] munmap(0x7f7936b10000, 2097152) = 0 [pid 5432] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5432] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5432] ioctl(6, LOOP_CLR_FD) = 0 [pid 5432] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5432] close(6) = 0 [pid 5432] close(5) = 0 [pid 5432] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5432] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5430] <... futex resumed>) = 0 [pid 5430] exit_group(0 [pid 5432] <... futex resumed>) = ? [pid 5431] <... futex resumed>) = ? [pid 5430] <... exit_group resumed>) = ? [pid 5431] +++ exited with 0 +++ [pid 5432] +++ exited with 0 +++ [pid 5430] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5430, si_uid=0, si_status=0, si_utime=0, si_stime=12 /* 0.12 s */} --- [ 115.406582][ T5431] loop0: detected capacity change from 0 to 4096 [ 115.421402][ T5431] ntfs: volume version 12.0. umount2("./130", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./130", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./130/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./130/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./130/binderfs") = 0 umount2("./130/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./130/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./130/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./130/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./130/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./130/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./130") = 0 mkdir("./131", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5433 ./strace-static-x86_64: Process 5433 attached [pid 5433] set_robust_list(0x555555f176a0, 24) = 0 [pid 5433] chdir("./131") = 0 [pid 5433] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5433] setpgid(0, 0) = 0 [pid 5433] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5433] write(3, "1000", 4) = 4 [pid 5433] close(3) = 0 [pid 5433] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5433] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5433] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5433] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5433] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5433] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5433] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5433] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5434 attached => {parent_tid=[5434]}, 88) = 5434 [pid 5434] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5433] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5433] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5433] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5433] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5433] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5433] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5434] <... rseq resumed>) = 0 [pid 5434] set_robust_list(0x7f79473519a0, 24 [pid 5433] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5435 attached [pid 5435] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5433] <... clone3 resumed> => {parent_tid=[5435]}, 88) = 5435 [pid 5435] <... rseq resumed>) = 0 [pid 5433] rt_sigprocmask(SIG_SETMASK, [], [pid 5435] set_robust_list(0x7f79473309a0, 24 [pid 5433] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5435] <... set_robust_list resumed>) = 0 [pid 5433] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5435] rt_sigprocmask(SIG_SETMASK, [], [pid 5433] <... futex resumed>) = 0 [pid 5435] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5433] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5435] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5434] <... set_robust_list resumed>) = 0 [pid 5434] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5435] <... openat resumed>) = 3 [pid 5435] write(3, "85", 2) = 2 [pid 5435] memfd_create("syzkaller", 0 [pid 5434] memfd_create("syzkaller", 0 [pid 5435] <... memfd_create resumed>) = 4 [pid 5435] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5434] <... memfd_create resumed>) = 5 [pid 5434] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 115.520085][ T5435] FAULT_INJECTION: forcing a failure. [ 115.520085][ T5435] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 115.533879][ T5435] CPU: 1 PID: 5435 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 115.544491][ T5435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 115.554562][ T5435] Call Trace: [ 115.557855][ T5435] [ 115.560776][ T5435] dump_stack_lvl+0x1e7/0x2d0 [ 115.565452][ T5435] ? nf_tcp_handle_invalid+0x650/0x650 [ 115.570901][ T5435] ? panic+0x770/0x770 [ 115.574969][ T5435] should_fail_ex+0x3aa/0x4e0 [ 115.579643][ T5435] prepare_alloc_pages+0x1d9/0x5b0 [ 115.584758][ T5435] __alloc_pages+0x165/0x670 [ 115.589346][ T5435] ? zone_statistics+0x170/0x170 [ 115.594281][ T5435] ? verify_lock_unused+0x140/0x140 [ 115.599483][ T5435] ? handle_mm_fault+0x11d/0x62b0 [ 115.604956][ T5435] ? __lock_acquire+0x7f70/0x7f70 [ 115.610405][ T5435] ? pte_offset_map_nolock+0x137/0x1e0 [ 115.615861][ T5435] __folio_alloc+0x13/0x30 [ 115.620270][ T5435] vma_alloc_folio+0x48a/0x9a0 [ 115.625054][ T5435] handle_mm_fault+0x2376/0x62b0 [ 115.629994][ T5435] ? handle_mm_fault+0x11d/0x62b0 [ 115.635136][ T5435] ? numa_migrate_prep+0x380/0x380 [ 115.640264][ T5435] ? mtree_range_walk+0x6a0/0x7e0 [ 115.645293][ T5435] ? lock_vma_under_rcu+0x187/0x6f0 [ 115.650484][ T5435] ? __lock_acquire+0x7f70/0x7f70 [ 115.655525][ T5435] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 115.660730][ T5435] ? lock_vma_under_rcu+0x5df/0x6f0 [ 115.665923][ T5435] ? lock_vma_under_rcu+0x187/0x6f0 [ 115.671130][ T5435] ? exc_page_fault+0x10f/0x860 [ 115.675975][ T5435] exc_page_fault+0x455/0x860 [ 115.680650][ T5435] asm_exc_page_fault+0x26/0x30 [ 115.686016][ T5435] RIP: 0033:0x7f794735bc53 [ 115.690421][ T5435] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 115.710016][ T5435] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5434] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5435] munmap(0x7f793ef10000, 138412032) = 0 [pid 5435] close(4) = 0 [pid 5435] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5433] <... futex resumed>) = 0 [pid 5435] <... futex resumed>) = 1 [pid 5435] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5434] <... write resumed>) = 2097152 [pid 5434] munmap(0x7f7936b10000, 2097152) = 0 [pid 5434] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 115.716078][ T5435] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 115.724038][ T5435] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 115.732086][ T5435] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 115.740046][ T5435] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 115.748028][ T5435] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 115.756090][ T5435] [pid 5434] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5434] close(5) = 0 [pid 5434] mkdir("./file0", 0777) = 0 [pid 5434] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5434] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5434] chdir("./file0") = 0 [pid 5434] ioctl(4, LOOP_CLR_FD) = 0 [pid 5434] close(4) = 0 [pid 5434] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5433] exit_group(0 [pid 5435] <... futex resumed>) = ? [pid 5433] <... exit_group resumed>) = ? [pid 5435] +++ exited with 0 +++ [pid 5434] +++ exited with 0 +++ [pid 5433] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5433, si_uid=0, si_status=0, si_utime=0, si_stime=30 /* 0.30 s */} --- umount2("./131", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./131", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./131/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./131/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./131/binderfs") = 0 umount2("./131/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./131/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./131/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./131/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./131/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./131/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./131") = 0 mkdir("./132", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5436 attached , child_tidptr=0x555555f17690) = 5436 [pid 5436] set_robust_list(0x555555f176a0, 24) = 0 [pid 5436] chdir("./132") = 0 [pid 5436] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5436] setpgid(0, 0) = 0 [pid 5436] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [ 115.789025][ T5434] loop0: detected capacity change from 0 to 4096 [ 115.802225][ T5434] ntfs: volume version 12.0. [pid 5436] write(3, "1000", 4) = 4 [pid 5436] close(3) = 0 [pid 5436] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5436] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5436] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5436] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5436] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5436] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5436] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5436] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5437 attached => {parent_tid=[5437]}, 88) = 5437 [pid 5437] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5436] rt_sigprocmask(SIG_SETMASK, [], [pid 5437] set_robust_list(0x7f79473519a0, 24 [pid 5436] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5437] <... set_robust_list resumed>) = 0 [pid 5436] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5437] rt_sigprocmask(SIG_SETMASK, [], [pid 5436] <... futex resumed>) = 0 [pid 5437] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5436] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5436] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5436] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5436] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5437] memfd_create("syzkaller", 0 [pid 5436] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5436] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5438]}, 88) = 5438 [pid 5436] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5437] <... memfd_create resumed>) = 3 [pid 5436] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5437] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5436] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5438 attached [pid 5438] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5437] <... mmap resumed>) = 0x7f793ef10000 [pid 5438] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5438] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5438] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5438] write(4, "85", 2) = 2 [pid 5438] memfd_create("syzkaller", 0) = 5 [pid 5438] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 115.888297][ T5438] FAULT_INJECTION: forcing a failure. [ 115.888297][ T5438] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 115.901585][ T5438] CPU: 0 PID: 5438 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 115.912108][ T5438] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 115.922176][ T5438] Call Trace: [ 115.925451][ T5438] [ 115.928374][ T5438] dump_stack_lvl+0x1e7/0x2d0 [ 115.933051][ T5438] ? nf_tcp_handle_invalid+0x650/0x650 [ 115.938510][ T5438] ? panic+0x770/0x770 [ 115.942607][ T5438] should_fail_ex+0x3aa/0x4e0 [ 115.947302][ T5438] prepare_alloc_pages+0x1d9/0x5b0 [ 115.952435][ T5438] __alloc_pages+0x165/0x670 [ 115.957032][ T5438] ? zone_statistics+0x170/0x170 [ 115.962097][ T5438] ? verify_lock_unused+0x140/0x140 [ 115.967321][ T5438] ? handle_mm_fault+0x11d/0x62b0 [ 115.972382][ T5438] ? __lock_acquire+0x7f70/0x7f70 [ 115.977428][ T5438] ? pte_offset_map_nolock+0x137/0x1e0 [ 115.982913][ T5438] __folio_alloc+0x13/0x30 [pid 5437] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 115.987350][ T5438] vma_alloc_folio+0x48a/0x9a0 [ 115.992148][ T5438] handle_mm_fault+0x2376/0x62b0 [ 115.997099][ T5438] ? handle_mm_fault+0x11d/0x62b0 [ 116.002142][ T5438] ? numa_migrate_prep+0x380/0x380 [ 116.007257][ T5438] ? mtree_range_walk+0x6a0/0x7e0 [ 116.012282][ T5438] ? lock_vma_under_rcu+0x187/0x6f0 [ 116.017482][ T5438] ? __lock_acquire+0x7f70/0x7f70 [ 116.022503][ T5438] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 116.027768][ T5438] ? lock_vma_under_rcu+0x5df/0x6f0 [ 116.032963][ T5438] ? lock_vma_under_rcu+0x187/0x6f0 [ 116.038349][ T5438] ? exc_page_fault+0x10f/0x860 [ 116.043235][ T5438] exc_page_fault+0x455/0x860 [ 116.047912][ T5438] asm_exc_page_fault+0x26/0x30 [ 116.052755][ T5438] RIP: 0033:0x7f794735bc53 [ 116.057164][ T5438] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 116.076793][ T5438] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 116.082862][ T5438] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 116.090829][ T5438] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 116.098811][ T5438] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 116.106776][ T5438] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 116.114737][ T5438] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 116.122733][ T5438] [ 116.129120][ T5438] pagefault_out_of_memory: 2 callbacks suppressed [pid 5437] munmap(0x7f793ef10000, 2097152) = 0 [pid 5438] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5437] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5437] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5437] close(3) = 0 [pid 5437] mkdir("./file0", 0777) = 0 [pid 5437] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5438] <... write resumed>) = 2097152 [pid 5438] munmap(0x7f7936b10000, 2097152 [pid 5437] <... mount resumed>) = 0 [pid 5437] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5437] chdir("./file0") = 0 [pid 5437] ioctl(6, LOOP_CLR_FD) = 0 [pid 5437] close(6 [pid 5438] <... munmap resumed>) = 0 [pid 5437] <... close resumed>) = 0 [pid 5438] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5437] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5438] <... openat resumed>) = 6 [pid 5437] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5438] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5438] ioctl(6, LOOP_CLR_FD) = 0 [pid 5438] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5438] close(6) = 0 [pid 5438] close(5) = 0 [pid 5438] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5438] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5436] <... futex resumed>) = 0 [pid 5436] exit_group(0) = ? [pid 5437] <... futex resumed>) = ? [pid 5438] <... futex resumed>) = ? [pid 5437] +++ exited with 0 +++ [ 116.129133][ T5438] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 116.155362][ T5437] loop0: detected capacity change from 0 to 4096 [ 116.172891][ T5437] ntfs: volume version 12.0. [pid 5438] +++ exited with 0 +++ [pid 5436] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5436, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./132", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./132", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./132/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./132/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./132/binderfs") = 0 umount2("./132/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./132/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./132/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./132/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./132/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./132/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./132") = 0 mkdir("./133", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5439 ./strace-static-x86_64: Process 5439 attached [pid 5439] set_robust_list(0x555555f176a0, 24) = 0 [pid 5439] chdir("./133") = 0 [pid 5439] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5439] setpgid(0, 0) = 0 [pid 5439] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5439] write(3, "1000", 4) = 4 [pid 5439] close(3) = 0 [pid 5439] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5439] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5439] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5439] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5439] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5439] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5439] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5439] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5440 attached [pid 5440] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5439] <... clone3 resumed> => {parent_tid=[5440]}, 88) = 5440 [pid 5440] <... rseq resumed>) = 0 [pid 5439] rt_sigprocmask(SIG_SETMASK, [], [pid 5440] set_robust_list(0x7f79473519a0, 24 [pid 5439] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5440] <... set_robust_list resumed>) = 0 [pid 5439] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5440] rt_sigprocmask(SIG_SETMASK, [], [pid 5439] <... futex resumed>) = 0 [pid 5440] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5439] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5439] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5439] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5440] memfd_create("syzkaller", 0 [pid 5439] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5440] <... memfd_create resumed>) = 3 [pid 5439] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5439] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5441 attached [pid 5440] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5441] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5439] <... clone3 resumed> => {parent_tid=[5441]}, 88) = 5441 [pid 5439] rt_sigprocmask(SIG_SETMASK, [], [pid 5441] <... rseq resumed>) = 0 [pid 5439] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5439] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5439] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5441] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5441] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5441] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5441] write(4, "85", 2) = 2 [pid 5441] memfd_create("syzkaller", 0) = 5 [pid 5441] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5440] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 116.313376][ T5441] FAULT_INJECTION: forcing a failure. [ 116.313376][ T5441] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 116.327074][ T5441] CPU: 0 PID: 5441 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 116.337521][ T5441] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 116.347588][ T5441] Call Trace: [ 116.350866][ T5441] [ 116.353791][ T5441] dump_stack_lvl+0x1e7/0x2d0 [ 116.358557][ T5441] ? nf_tcp_handle_invalid+0x650/0x650 [ 116.364008][ T5441] ? panic+0x770/0x770 [ 116.368082][ T5441] should_fail_ex+0x3aa/0x4e0 [ 116.372761][ T5441] prepare_alloc_pages+0x1d9/0x5b0 [ 116.377879][ T5441] __alloc_pages+0x165/0x670 [ 116.382467][ T5441] ? zone_statistics+0x170/0x170 [ 116.387403][ T5441] ? verify_lock_unused+0x140/0x140 [ 116.392595][ T5441] ? handle_mm_fault+0x11d/0x62b0 [ 116.397620][ T5441] ? __lock_acquire+0x7f70/0x7f70 [ 116.402638][ T5441] ? pte_offset_map_nolock+0x137/0x1e0 [ 116.408096][ T5441] __folio_alloc+0x13/0x30 [ 116.412505][ T5441] vma_alloc_folio+0x48a/0x9a0 [ 116.417270][ T5441] handle_mm_fault+0x2376/0x62b0 [ 116.422276][ T5441] ? handle_mm_fault+0x11d/0x62b0 [ 116.427307][ T5441] ? numa_migrate_prep+0x380/0x380 [ 116.432428][ T5441] ? mtree_range_walk+0x6a0/0x7e0 [ 116.437538][ T5441] ? lock_vma_under_rcu+0x187/0x6f0 [ 116.442730][ T5441] ? __lock_acquire+0x7f70/0x7f70 [ 116.447747][ T5441] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 116.452952][ T5441] ? lock_vma_under_rcu+0x5df/0x6f0 [ 116.458150][ T5441] ? lock_vma_under_rcu+0x187/0x6f0 [ 116.463354][ T5441] ? exc_page_fault+0x10f/0x860 [ 116.468203][ T5441] exc_page_fault+0x455/0x860 [ 116.472884][ T5441] asm_exc_page_fault+0x26/0x30 [ 116.477729][ T5441] RIP: 0033:0x7f794735bc53 [ 116.482141][ T5441] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 116.501828][ T5441] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5440] munmap(0x7f793ef10000, 2097152) = 0 [pid 5440] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 116.507889][ T5441] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 116.515853][ T5441] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 116.523814][ T5441] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 116.531778][ T5441] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 116.539741][ T5441] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 116.547716][ T5441] [ 116.554133][ T5441] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5440] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5440] close(3 [pid 5441] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5440] <... close resumed>) = 0 [pid 5440] mkdir("./file0", 0777) = 0 [pid 5440] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5440] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5440] chdir("./file0") = 0 [pid 5440] ioctl(6, LOOP_CLR_FD) = 0 [pid 5440] close(6 [pid 5441] <... write resumed>) = 2097152 [pid 5440] <... close resumed>) = 0 [pid 5441] munmap(0x7f7936b10000, 2097152 [pid 5440] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5441] <... munmap resumed>) = 0 [pid 5440] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5441] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5441] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5441] ioctl(6, LOOP_CLR_FD) = 0 [pid 5441] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5441] close(6) = 0 [pid 5441] close(5) = 0 [pid 5441] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5439] <... futex resumed>) = 0 [pid 5439] exit_group(0) = ? [pid 5440] <... futex resumed>) = ? [pid 5440] +++ exited with 0 +++ [pid 5441] +++ exited with 0 +++ [pid 5439] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5439, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=16 /* 0.16 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./133", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 116.567287][ T5440] loop0: detected capacity change from 0 to 4096 [ 116.592531][ T5440] ntfs: volume version 12.0. openat(AT_FDCWD, "./133", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./133/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./133/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./133/binderfs") = 0 umount2("./133/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./133/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./133/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./133/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./133/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./133/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./133") = 0 mkdir("./134", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5442 attached , child_tidptr=0x555555f17690) = 5442 [pid 5442] set_robust_list(0x555555f176a0, 24) = 0 [pid 5442] chdir("./134") = 0 [pid 5442] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5442] setpgid(0, 0) = 0 [pid 5442] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5442] write(3, "1000", 4) = 4 [pid 5442] close(3) = 0 [pid 5442] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5442] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5442] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5442] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5442] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5442] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5442] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5442] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5443 attached [pid 5443] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5443] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5443] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5443] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5442] <... clone3 resumed> => {parent_tid=[5443]}, 88) = 5443 [pid 5442] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5442] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5443] <... futex resumed>) = 0 [pid 5442] <... futex resumed>) = 1 [pid 5442] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5443] memfd_create("syzkaller", 0 [pid 5442] <... futex resumed>) = 0 [pid 5443] <... memfd_create resumed>) = 3 [pid 5443] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5442] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f793ef10000 [pid 5442] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5443] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5442] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5442] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5444 attached => {parent_tid=[5444]}, 88) = 5444 [pid 5442] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5442] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5442] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5444] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5444] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5444] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5444] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5444] write(4, "85", 2) = 2 [pid 5443] <... write resumed>) = 2097152 [pid 5444] memfd_create("syzkaller", 0 [pid 5443] munmap(0x7f793ef31000, 2097152 [pid 5444] <... memfd_create resumed>) = 5 [pid 5444] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5443] <... munmap resumed>) = 0 [pid 5443] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 116.766120][ T5444] FAULT_INJECTION: forcing a failure. [ 116.766120][ T5444] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 116.779682][ T5444] CPU: 0 PID: 5444 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 116.780134][ T5443] loop0: detected capacity change from 0 to 4096 [ 116.790094][ T5444] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 116.790108][ T5444] Call Trace: [ 116.790115][ T5444] [ 116.790122][ T5444] dump_stack_lvl+0x1e7/0x2d0 [ 116.790149][ T5444] ? nf_tcp_handle_invalid+0x650/0x650 [ 116.790167][ T5444] ? panic+0x770/0x770 [ 116.790201][ T5444] should_fail_ex+0x3aa/0x4e0 [ 116.831548][ T5444] prepare_alloc_pages+0x1d9/0x5b0 [ 116.836774][ T5444] __alloc_pages+0x165/0x670 [ 116.841394][ T5444] ? zone_statistics+0x170/0x170 [ 116.846355][ T5444] ? verify_lock_unused+0x140/0x140 [ 116.851557][ T5444] ? handle_mm_fault+0x11d/0x62b0 [ 116.856577][ T5444] ? __lock_acquire+0x7f70/0x7f70 [ 116.861597][ T5444] ? pte_offset_map_nolock+0x137/0x1e0 [ 116.867074][ T5444] __folio_alloc+0x13/0x30 [ 116.871484][ T5444] vma_alloc_folio+0x48a/0x9a0 [ 116.876245][ T5444] handle_mm_fault+0x2376/0x62b0 [ 116.881187][ T5444] ? handle_mm_fault+0x11d/0x62b0 [ 116.886216][ T5444] ? numa_migrate_prep+0x380/0x380 [ 116.891336][ T5444] ? mtree_range_walk+0x6a0/0x7e0 [ 116.896363][ T5444] ? lock_vma_under_rcu+0x187/0x6f0 [ 116.901582][ T5444] ? __lock_acquire+0x7f70/0x7f70 [ 116.906616][ T5444] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 116.911830][ T5444] ? lock_vma_under_rcu+0x5df/0x6f0 [ 116.917032][ T5444] ? lock_vma_under_rcu+0x187/0x6f0 [ 116.922243][ T5444] ? exc_page_fault+0x10f/0x860 [ 116.927094][ T5444] exc_page_fault+0x455/0x860 [ 116.931779][ T5444] asm_exc_page_fault+0x26/0x30 [ 116.936628][ T5444] RIP: 0033:0x7f794735bc53 [ 116.941037][ T5444] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 116.960633][ T5444] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5443] ioctl(6, LOOP_SET_FD, 3) = 0 [ 116.966698][ T5444] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 116.974666][ T5444] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 116.982631][ T5444] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 116.990598][ T5444] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 116.998565][ T5444] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 117.006543][ T5444] [ 117.009882][ T5444] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5443] close(3) = 0 [pid 5443] mkdir("./file0", 0777) = 0 [pid 5443] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5443] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5443] chdir("./file0") = 0 [pid 5443] ioctl(6, LOOP_CLR_FD) = 0 [pid 5443] close(6) = 0 [pid 5443] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5443] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5444] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 117.026307][ T5443] ntfs: volume version 12.0. [pid 5444] munmap(0x7f7936b10000, 2097152) = 0 [pid 5444] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5444] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5444] ioctl(6, LOOP_CLR_FD) = 0 [pid 5444] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5444] close(6) = 0 [pid 5444] close(5) = 0 [pid 5444] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5444] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5442] <... futex resumed>) = 0 [pid 5442] exit_group(0 [pid 5444] <... futex resumed>) = ? [pid 5442] <... exit_group resumed>) = ? [pid 5444] +++ exited with 0 +++ [pid 5443] <... futex resumed>) = ? [pid 5443] +++ exited with 0 +++ [pid 5442] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5442, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./134", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./134", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./134/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./134/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./134/binderfs") = 0 umount2("./134/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./134/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./134/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./134/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./134/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./134/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./134") = 0 mkdir("./135", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5445 attached , child_tidptr=0x555555f17690) = 5445 [pid 5445] set_robust_list(0x555555f176a0, 24) = 0 [pid 5445] chdir("./135") = 0 [pid 5445] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5445] setpgid(0, 0) = 0 [pid 5445] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5445] write(3, "1000", 4) = 4 [pid 5445] close(3) = 0 [pid 5445] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5445] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5445] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5445] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5445] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5445] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5445] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5445] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5446]}, 88) = 5446 [pid 5445] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5445] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5445] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5445] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5445] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5445] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5445] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5446 attached ./strace-static-x86_64: Process 5447 attached => {parent_tid=[5447]}, 88) = 5447 [pid 5447] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5445] rt_sigprocmask(SIG_SETMASK, [], [pid 5447] set_robust_list(0x7f79473309a0, 24 [pid 5445] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5447] <... set_robust_list resumed>) = 0 [pid 5447] rt_sigprocmask(SIG_SETMASK, [], [pid 5445] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5447] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5445] <... futex resumed>) = 0 [pid 5447] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5445] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5447] <... openat resumed>) = 3 [pid 5447] write(3, "85", 2 [pid 5446] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5447] <... write resumed>) = 2 [pid 5447] memfd_create("syzkaller", 0) = 4 [pid 5447] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5446] <... rseq resumed>) = 0 [pid 5446] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5446] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5446] memfd_create("syzkaller", 0) = 5 [pid 5446] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 117.157964][ T5447] FAULT_INJECTION: forcing a failure. [ 117.157964][ T5447] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 117.171706][ T5447] CPU: 1 PID: 5447 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 117.182145][ T5447] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 117.192195][ T5447] Call Trace: [ 117.195472][ T5447] [ 117.198400][ T5447] dump_stack_lvl+0x1e7/0x2d0 [ 117.203077][ T5447] ? nf_tcp_handle_invalid+0x650/0x650 [ 117.208540][ T5447] ? panic+0x770/0x770 [ 117.212614][ T5447] should_fail_ex+0x3aa/0x4e0 [ 117.217300][ T5447] prepare_alloc_pages+0x1d9/0x5b0 [ 117.222413][ T5447] __alloc_pages+0x165/0x670 [ 117.227004][ T5447] ? zone_statistics+0x170/0x170 [ 117.231940][ T5447] ? verify_lock_unused+0x140/0x140 [ 117.237133][ T5447] ? handle_mm_fault+0x11d/0x62b0 [ 117.242154][ T5447] ? __lock_acquire+0x7f70/0x7f70 [ 117.247273][ T5447] ? pte_offset_map_nolock+0x137/0x1e0 [ 117.252748][ T5447] __folio_alloc+0x13/0x30 [ 117.257168][ T5447] vma_alloc_folio+0x48a/0x9a0 [ 117.261944][ T5447] handle_mm_fault+0x2376/0x62b0 [ 117.266898][ T5447] ? handle_mm_fault+0x11d/0x62b0 [ 117.271929][ T5447] ? numa_migrate_prep+0x380/0x380 [ 117.277046][ T5447] ? mtree_range_walk+0x6a0/0x7e0 [ 117.282068][ T5447] ? lock_vma_under_rcu+0x187/0x6f0 [ 117.287265][ T5447] ? __lock_acquire+0x7f70/0x7f70 [ 117.292281][ T5447] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 117.297502][ T5447] ? lock_vma_under_rcu+0x5df/0x6f0 [ 117.302702][ T5447] ? lock_vma_under_rcu+0x187/0x6f0 [ 117.307902][ T5447] ? exc_page_fault+0x10f/0x860 [ 117.312755][ T5447] exc_page_fault+0x455/0x860 [ 117.317431][ T5447] asm_exc_page_fault+0x26/0x30 [ 117.322275][ T5447] RIP: 0033:0x7f794735bc53 [ 117.326686][ T5447] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 117.346285][ T5447] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5446] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5447] munmap(0x7f793ef10000, 138412032) = 0 [pid 5446] <... write resumed>) = 2097152 [pid 5447] close(4 [pid 5446] munmap(0x7f7936b10000, 2097152 [pid 5447] <... close resumed>) = 0 [pid 5447] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5445] <... futex resumed>) = 0 [pid 5447] <... futex resumed>) = 1 [pid 5447] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5446] <... munmap resumed>) = 0 [pid 5446] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 117.352363][ T5447] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 117.360411][ T5447] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 117.368377][ T5447] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 117.376366][ T5447] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 117.384325][ T5447] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 117.392299][ T5447] [ 117.396372][ T5447] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5446] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5446] close(5) = 0 [pid 5446] mkdir("./file0", 0777) = 0 [pid 5446] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5446] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5446] chdir("./file0") = 0 [pid 5446] ioctl(4, LOOP_CLR_FD) = 0 [pid 5446] close(4) = 0 [pid 5446] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5446] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5445] exit_group(0 [pid 5447] <... futex resumed>) = ? [pid 5447] +++ exited with 0 +++ [pid 5446] <... futex resumed>) = ? [pid 5445] <... exit_group resumed>) = ? [pid 5446] +++ exited with 0 +++ [pid 5445] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5445, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=30 /* 0.30 s */} --- umount2("./135", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./135", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./135/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./135/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./135/binderfs") = 0 [ 117.429053][ T5446] loop0: detected capacity change from 0 to 4096 [ 117.441965][ T5446] ntfs: volume version 12.0. umount2("./135/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./135/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./135/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./135/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./135/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./135/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./135") = 0 mkdir("./136", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5448 attached , child_tidptr=0x555555f17690) = 5448 [pid 5448] set_robust_list(0x555555f176a0, 24) = 0 [pid 5448] chdir("./136") = 0 [pid 5448] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5448] setpgid(0, 0) = 0 [pid 5448] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5448] write(3, "1000", 4) = 4 [pid 5448] close(3) = 0 [pid 5448] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5448] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5448] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5448] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5448] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5448] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5448] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5448] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5449 attached [pid 5449] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5448] <... clone3 resumed> => {parent_tid=[5449]}, 88) = 5449 [pid 5449] set_robust_list(0x7f79473519a0, 24 [pid 5448] rt_sigprocmask(SIG_SETMASK, [], [pid 5449] <... set_robust_list resumed>) = 0 [pid 5448] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5449] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5448] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5449] memfd_create("syzkaller", 0 [pid 5448] <... futex resumed>) = 0 [pid 5448] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5448] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5448] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5448] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5449] <... memfd_create resumed>) = 3 [pid 5448] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5448] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5449] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 ./strace-static-x86_64: Process 5450 attached [pid 5450] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5448] <... clone3 resumed> => {parent_tid=[5450]}, 88) = 5450 [pid 5450] set_robust_list(0x7f79473309a0, 24 [pid 5448] rt_sigprocmask(SIG_SETMASK, [], [pid 5450] <... set_robust_list resumed>) = 0 [pid 5448] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5450] rt_sigprocmask(SIG_SETMASK, [], [pid 5448] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5450] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5448] <... futex resumed>) = 0 [pid 5450] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5448] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5450] <... openat resumed>) = 4 [pid 5450] write(4, "85", 2) = 2 [pid 5450] memfd_create("syzkaller", 0) = 5 [pid 5450] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 117.544278][ T5450] FAULT_INJECTION: forcing a failure. [ 117.544278][ T5450] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 117.557866][ T5450] CPU: 0 PID: 5450 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 117.568384][ T5450] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 117.578438][ T5450] Call Trace: [ 117.581713][ T5450] [ 117.584639][ T5450] dump_stack_lvl+0x1e7/0x2d0 [ 117.589327][ T5450] ? nf_tcp_handle_invalid+0x650/0x650 [ 117.594780][ T5450] ? panic+0x770/0x770 [ 117.598851][ T5450] should_fail_ex+0x3aa/0x4e0 [ 117.603527][ T5450] prepare_alloc_pages+0x1d9/0x5b0 [ 117.608677][ T5450] __alloc_pages+0x165/0x670 [ 117.613289][ T5450] ? zone_statistics+0x170/0x170 [ 117.618227][ T5450] ? verify_lock_unused+0x140/0x140 [ 117.623422][ T5450] ? handle_mm_fault+0x11d/0x62b0 [ 117.628468][ T5450] ? __lock_acquire+0x7f70/0x7f70 [ 117.633573][ T5450] ? pte_offset_map_nolock+0x137/0x1e0 [ 117.639034][ T5450] __folio_alloc+0x13/0x30 [ 117.643449][ T5450] vma_alloc_folio+0x48a/0x9a0 [ 117.648215][ T5450] handle_mm_fault+0x2376/0x62b0 [ 117.653171][ T5450] ? handle_mm_fault+0x11d/0x62b0 [ 117.658372][ T5450] ? numa_migrate_prep+0x380/0x380 [ 117.663487][ T5450] ? mtree_range_walk+0x6a0/0x7e0 [ 117.668509][ T5450] ? lock_vma_under_rcu+0x187/0x6f0 [ 117.673709][ T5450] ? __lock_acquire+0x7f70/0x7f70 [ 117.678861][ T5450] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 117.684091][ T5450] ? lock_vma_under_rcu+0x5df/0x6f0 [ 117.689644][ T5450] ? lock_vma_under_rcu+0x187/0x6f0 [ 117.694847][ T5450] ? exc_page_fault+0x10f/0x860 [ 117.699785][ T5450] exc_page_fault+0x455/0x860 [ 117.704463][ T5450] asm_exc_page_fault+0x26/0x30 [ 117.709485][ T5450] RIP: 0033:0x7f794735bc53 [ 117.713896][ T5450] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 117.733517][ T5450] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5449] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2028777 [ 117.739614][ T5450] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 117.748041][ T5450] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 117.756554][ T5450] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 117.764554][ T5450] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 117.772640][ T5450] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 117.780647][ T5450] [ 117.784388][ T5450] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5450] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5449] <... write resumed>) = 2028777 [pid 5450] <... write resumed>) = 2097152 [pid 5449] munmap(0x7f793ef10000, 2028777 [pid 5450] munmap(0x7f7936b10000, 2097152 [pid 5449] <... munmap resumed>) = 0 [pid 5449] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5449] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5449] close(3) = 0 [pid 5449] mkdir("./file0", 0777) = 0 [pid 5449] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5450] <... munmap resumed>) = 0 [pid 5450] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5450] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5450] ioctl(3, LOOP_CLR_FD) = 0 [pid 5449] <... mount resumed>) = -1 EINVAL (Invalid argument) [pid 5449] ioctl(6, LOOP_CLR_FD) = 0 [pid 5449] close(6 [pid 5450] ioctl(3, LOOP_SET_FD, 5 [pid 5449] <... close resumed>) = 0 [pid 5450] <... ioctl resumed>) = -1 EBUSY (Device or resource busy) [pid 5450] close(3 [pid 5449] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5449] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5450] <... close resumed>) = 0 [pid 5450] close(5) = 0 [pid 5450] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5448] <... futex resumed>) = 0 [pid 5450] <... futex resumed>) = 1 [pid 5448] exit_group(0 [pid 5450] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5449] <... futex resumed>) = ? [pid 5450] <... futex resumed>) = ? [pid 5448] <... exit_group resumed>) = ? [pid 5450] +++ exited with 0 +++ [pid 5449] +++ exited with 0 +++ [pid 5448] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5448, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./136", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./136", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./136/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./136/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./136/binderfs") = 0 umount2("./136/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./136/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./136/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./136/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [ 117.841500][ T5449] loop0: detected capacity change from 0 to 3962 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./136/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./136") = 0 mkdir("./137", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5451 attached , child_tidptr=0x555555f17690) = 5451 [pid 5451] set_robust_list(0x555555f176a0, 24) = 0 [pid 5451] chdir("./137") = 0 [pid 5451] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5451] setpgid(0, 0) = 0 [pid 5451] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5451] write(3, "1000", 4) = 4 [pid 5451] close(3) = 0 [pid 5451] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5451] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5451] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5451] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5451] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5451] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5451] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5451] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5452 attached => {parent_tid=[5452]}, 88) = 5452 [pid 5452] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5451] rt_sigprocmask(SIG_SETMASK, [], [pid 5452] <... rseq resumed>) = 0 [pid 5452] set_robust_list(0x7f79473519a0, 24 [pid 5451] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5452] <... set_robust_list resumed>) = 0 [pid 5451] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5452] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5451] <... futex resumed>) = 0 [pid 5452] memfd_create("syzkaller", 0 [pid 5451] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5451] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5452] <... memfd_create resumed>) = 3 [pid 5451] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5452] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5451] <... mprotect resumed>) = 0 [pid 5451] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5451] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5453 attached => {parent_tid=[5453]}, 88) = 5453 [pid 5453] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5451] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5453] <... rseq resumed>) = 0 [pid 5451] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5453] set_robust_list(0x7f79473309a0, 24 [pid 5451] <... futex resumed>) = 0 [pid 5453] <... set_robust_list resumed>) = 0 [pid 5451] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5453] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5453] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5453] write(4, "85", 2) = 2 [pid 5453] memfd_create("syzkaller", 0) = 5 [pid 5453] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5452] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 117.964898][ T5453] FAULT_INJECTION: forcing a failure. [ 117.964898][ T5453] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 117.978240][ T5453] CPU: 1 PID: 5453 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 117.988683][ T5453] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 117.998759][ T5453] Call Trace: [ 118.002052][ T5453] [ 118.004987][ T5453] dump_stack_lvl+0x1e7/0x2d0 [ 118.009758][ T5453] ? nf_tcp_handle_invalid+0x650/0x650 [ 118.015235][ T5453] ? panic+0x770/0x770 [ 118.019325][ T5453] should_fail_ex+0x3aa/0x4e0 [ 118.024016][ T5453] prepare_alloc_pages+0x1d9/0x5b0 [ 118.029165][ T5453] __alloc_pages+0x165/0x670 [ 118.033767][ T5453] ? zone_statistics+0x170/0x170 [ 118.038727][ T5453] ? verify_lock_unused+0x140/0x140 [ 118.043928][ T5453] ? handle_mm_fault+0x11d/0x62b0 [ 118.049236][ T5453] ? __lock_acquire+0x7f70/0x7f70 [ 118.054256][ T5453] ? pte_offset_map_nolock+0x137/0x1e0 [ 118.060344][ T5453] __folio_alloc+0x13/0x30 [ 118.064841][ T5453] vma_alloc_folio+0x48a/0x9a0 [ 118.069734][ T5453] handle_mm_fault+0x2376/0x62b0 [ 118.074696][ T5453] ? handle_mm_fault+0x11d/0x62b0 [ 118.079749][ T5453] ? numa_migrate_prep+0x380/0x380 [ 118.084933][ T5453] ? mtree_range_walk+0x6a0/0x7e0 [ 118.089965][ T5453] ? lock_vma_under_rcu+0x187/0x6f0 [ 118.095164][ T5453] ? __lock_acquire+0x7f70/0x7f70 [ 118.100191][ T5453] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 118.105419][ T5453] ? lock_vma_under_rcu+0x5df/0x6f0 [ 118.110617][ T5453] ? lock_vma_under_rcu+0x187/0x6f0 [ 118.115835][ T5453] ? exc_page_fault+0x10f/0x860 [ 118.121510][ T5453] exc_page_fault+0x455/0x860 [ 118.126239][ T5453] asm_exc_page_fault+0x26/0x30 [ 118.131180][ T5453] RIP: 0033:0x7f794735bc53 [ 118.135597][ T5453] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 118.155231][ T5453] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5452] munmap(0x7f793ef10000, 2097152) = 0 [pid 5452] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 118.161305][ T5453] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 118.169294][ T5453] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 118.177283][ T5453] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 118.185272][ T5453] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 118.193238][ T5453] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 118.201238][ T5453] [ 118.205790][ T5453] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5452] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5452] close(3) = 0 [pid 5452] mkdir("./file0", 0777) = 0 [pid 5452] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5453] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5452] <... mount resumed>) = 0 [pid 5452] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5452] chdir("./file0") = 0 [pid 5452] ioctl(6, LOOP_CLR_FD) = 0 [pid 5452] close(6) = 0 [pid 5452] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5453] <... write resumed>) = 2097152 [pid 5452] <... futex resumed>) = 0 [pid 5452] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5453] munmap(0x7f7936b10000, 2097152) = 0 [pid 5453] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5453] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5453] ioctl(6, LOOP_CLR_FD) = 0 [ 118.217158][ T5452] loop0: detected capacity change from 0 to 4096 [ 118.237141][ T5452] ntfs: volume version 12.0. [pid 5453] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5453] close(6) = 0 [pid 5453] close(5) = 0 [pid 5453] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5453] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5451] <... futex resumed>) = 0 [pid 5451] exit_group(0 [pid 5452] <... futex resumed>) = ? [pid 5452] +++ exited with 0 +++ [pid 5453] <... futex resumed>) = ? [pid 5453] +++ exited with 0 +++ [pid 5451] <... exit_group resumed>) = ? [pid 5451] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5451, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./137", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./137", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./137/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./137/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./137/binderfs") = 0 umount2("./137/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./137/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./137/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./137/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./137/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./137/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./137") = 0 mkdir("./138", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5454 attached , child_tidptr=0x555555f17690) = 5454 [pid 5454] set_robust_list(0x555555f176a0, 24) = 0 [pid 5454] chdir("./138") = 0 [pid 5454] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5454] setpgid(0, 0) = 0 [pid 5454] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5454] write(3, "1000", 4) = 4 [pid 5454] close(3) = 0 [pid 5454] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5454] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5454] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5454] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5454] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5454] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5454] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5454] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5455]}, 88) = 5455 [pid 5454] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5454] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5454] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5454] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5454] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5454] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5454] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5456 attached => {parent_tid=[5456]}, 88) = 5456 [pid 5456] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5454] rt_sigprocmask(SIG_SETMASK, [], [pid 5456] <... rseq resumed>) = 0 [pid 5454] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5456] set_robust_list(0x7f79473309a0, 24 [pid 5454] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5456] <... set_robust_list resumed>) = 0 [pid 5454] <... futex resumed>) = 0 [pid 5456] rt_sigprocmask(SIG_SETMASK, [], [pid 5454] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5456] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5455 attached [pid 5455] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5455] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5455] rt_sigprocmask(SIG_SETMASK, [], [pid 5456] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5455] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5456] <... openat resumed>) = 3 [pid 5455] memfd_create("syzkaller", 0 [pid 5456] write(3, "85", 2) = 2 [pid 5456] memfd_create("syzkaller", 0) = 4 [pid 5455] <... memfd_create resumed>) = 5 [pid 5456] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5455] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 118.359597][ T5456] FAULT_INJECTION: forcing a failure. [ 118.359597][ T5456] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 118.373686][ T5456] CPU: 0 PID: 5456 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 118.384137][ T5456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 118.394201][ T5456] Call Trace: [ 118.397481][ T5456] [ 118.400404][ T5456] dump_stack_lvl+0x1e7/0x2d0 [ 118.405079][ T5456] ? nf_tcp_handle_invalid+0x650/0x650 [ 118.410529][ T5456] ? panic+0x770/0x770 [ 118.414599][ T5456] should_fail_ex+0x3aa/0x4e0 [ 118.419275][ T5456] prepare_alloc_pages+0x1d9/0x5b0 [ 118.424392][ T5456] __alloc_pages+0x165/0x670 [ 118.428991][ T5456] ? zone_statistics+0x170/0x170 [ 118.433952][ T5456] ? verify_lock_unused+0x140/0x140 [ 118.439169][ T5456] ? handle_mm_fault+0x11d/0x62b0 [ 118.444208][ T5456] ? __lock_acquire+0x7f70/0x7f70 [ 118.449228][ T5456] ? pte_offset_map_nolock+0x137/0x1e0 [ 118.454685][ T5456] __folio_alloc+0x13/0x30 [ 118.459130][ T5456] vma_alloc_folio+0x48a/0x9a0 [ 118.463910][ T5456] handle_mm_fault+0x2376/0x62b0 [ 118.468862][ T5456] ? handle_mm_fault+0x11d/0x62b0 [ 118.473899][ T5456] ? numa_migrate_prep+0x380/0x380 [ 118.479014][ T5456] ? mtree_range_walk+0x6a0/0x7e0 [ 118.484039][ T5456] ? lock_vma_under_rcu+0x187/0x6f0 [ 118.489238][ T5456] ? __lock_acquire+0x7f70/0x7f70 [ 118.494264][ T5456] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 118.499469][ T5456] ? lock_vma_under_rcu+0x5df/0x6f0 [ 118.504669][ T5456] ? lock_vma_under_rcu+0x187/0x6f0 [ 118.509871][ T5456] ? exc_page_fault+0x10f/0x860 [ 118.514718][ T5456] exc_page_fault+0x455/0x860 [ 118.519391][ T5456] asm_exc_page_fault+0x26/0x30 [ 118.524233][ T5456] RIP: 0033:0x7f794735bc53 [ 118.528643][ T5456] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 118.548246][ T5456] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5455] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5455] munmap(0x7f7936b10000, 2097152) = 0 [pid 5455] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 118.554309][ T5456] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 118.562275][ T5456] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 118.570241][ T5456] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 118.578206][ T5456] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 118.586170][ T5456] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 118.594150][ T5456] [ 118.600232][ T5456] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5455] ioctl(6, LOOP_SET_FD, 5 [pid 5456] munmap(0x7f793ef10000, 138412032 [pid 5455] <... ioctl resumed>) = 0 [pid 5455] close(5) = 0 [pid 5455] mkdir("./file0", 0777) = 0 [pid 5455] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5456] <... munmap resumed>) = 0 [pid 5456] close(4) = 0 [pid 5456] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5454] <... futex resumed>) = 0 [ 118.625500][ T5455] loop0: detected capacity change from 0 to 4096 [ 118.639949][ T5455] __ntfs_error: 204 callbacks suppressed [ 118.639961][ T5455] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 118.657781][ T5455] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [ 118.670855][ T5455] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 118.685716][ T5455] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 118.695506][ T5455] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 118.703618][ T5455] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [pid 5456] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5455] <... mount resumed>) = 0 [pid 5455] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5455] chdir("./file0") = 0 [pid 5455] ioctl(6, LOOP_CLR_FD) = 0 [pid 5455] close(6) = 0 [pid 5455] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5454] exit_group(0 [pid 5456] <... futex resumed>) = ? [pid 5455] <... futex resumed>) = ? [pid 5454] <... exit_group resumed>) = ? [pid 5456] +++ exited with 0 +++ [pid 5455] +++ exited with 0 +++ [pid 5454] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5454, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=41 /* 0.41 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./138", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./138", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./138/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./138/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./138/binderfs") = 0 umount2("./138/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./138/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./138/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 118.716720][ T5455] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 118.729051][ T5455] ntfs: volume version 12.0. [ 118.733683][ T5455] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 118.742172][ T5455] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 118.755170][ T5455] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. umount2("./138/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./138/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./138/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./138") = 0 mkdir("./139", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5457 attached , child_tidptr=0x555555f17690) = 5457 [pid 5457] set_robust_list(0x555555f176a0, 24) = 0 [pid 5457] chdir("./139") = 0 [pid 5457] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5457] setpgid(0, 0) = 0 [pid 5457] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5457] write(3, "1000", 4) = 4 [pid 5457] close(3) = 0 [pid 5457] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5457] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5457] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5457] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5457] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5457] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5457] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5457] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5458]}, 88) = 5458 [pid 5457] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5457] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5458 attached [pid 5458] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5457] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5458] <... rseq resumed>) = 0 [pid 5457] <... futex resumed>) = 0 [pid 5458] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5457] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5457] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5458] rt_sigprocmask(SIG_SETMASK, [], [pid 5457] <... mprotect resumed>) = 0 [pid 5458] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5457] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5457] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5459 attached [pid 5458] memfd_create("syzkaller", 0 [pid 5457] <... clone3 resumed> => {parent_tid=[5459]}, 88) = 5459 [pid 5459] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5458] <... memfd_create resumed>) = 3 [pid 5457] rt_sigprocmask(SIG_SETMASK, [], [pid 5459] <... rseq resumed>) = 0 [pid 5458] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5457] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5459] set_robust_list(0x7f79473309a0, 24 [pid 5458] <... mmap resumed>) = 0x7f793ef10000 [pid 5457] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5459] <... set_robust_list resumed>) = 0 [pid 5457] <... futex resumed>) = 0 [pid 5457] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5459] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5459] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5459] write(4, "85", 2) = 2 [pid 5459] memfd_create("syzkaller", 0) = 5 [pid 5459] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5458] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 118.878454][ T5459] FAULT_INJECTION: forcing a failure. [ 118.878454][ T5459] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 118.891769][ T5459] CPU: 0 PID: 5459 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 118.902469][ T5459] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 118.912537][ T5459] Call Trace: [ 118.915812][ T5459] [ 118.918744][ T5459] dump_stack_lvl+0x1e7/0x2d0 [ 118.923429][ T5459] ? nf_tcp_handle_invalid+0x650/0x650 [ 118.928890][ T5459] ? panic+0x770/0x770 [ 118.932971][ T5459] should_fail_ex+0x3aa/0x4e0 [ 118.937645][ T5459] prepare_alloc_pages+0x1d9/0x5b0 [ 118.942840][ T5459] __alloc_pages+0x165/0x670 [ 118.947427][ T5459] ? zone_statistics+0x170/0x170 [ 118.952375][ T5459] ? verify_lock_unused+0x140/0x140 [ 118.957570][ T5459] ? handle_mm_fault+0x11d/0x62b0 [ 118.962609][ T5459] ? __lock_acquire+0x7f70/0x7f70 [ 118.967635][ T5459] ? pte_offset_map_nolock+0x137/0x1e0 [ 118.973107][ T5459] __folio_alloc+0x13/0x30 [ 118.977533][ T5459] vma_alloc_folio+0x48a/0x9a0 [ 118.982288][ T5459] handle_mm_fault+0x2376/0x62b0 [ 118.987224][ T5459] ? handle_mm_fault+0x11d/0x62b0 [ 118.992246][ T5459] ? numa_migrate_prep+0x380/0x380 [ 118.997355][ T5459] ? mtree_range_walk+0x6a0/0x7e0 [ 119.002391][ T5459] ? lock_vma_under_rcu+0x187/0x6f0 [ 119.007625][ T5459] ? __lock_acquire+0x7f70/0x7f70 [ 119.012814][ T5459] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 119.018014][ T5459] ? lock_vma_under_rcu+0x5df/0x6f0 [ 119.023308][ T5459] ? lock_vma_under_rcu+0x187/0x6f0 [ 119.028558][ T5459] ? exc_page_fault+0x10f/0x860 [ 119.033464][ T5459] exc_page_fault+0x455/0x860 [ 119.038138][ T5459] asm_exc_page_fault+0x26/0x30 [ 119.043326][ T5459] RIP: 0033:0x7f794735bc53 [ 119.047739][ T5459] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 119.067341][ T5459] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5458] munmap(0x7f793ef10000, 2097152) = 0 [pid 5458] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 119.073404][ T5459] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 119.081464][ T5459] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 119.089440][ T5459] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 119.097414][ T5459] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 119.105513][ T5459] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 119.113505][ T5459] [ 119.117449][ T5459] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5458] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5458] close(3) = 0 [pid 5458] mkdir("./file0", 0777) = 0 [pid 5458] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5459] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5458] <... mount resumed>) = 0 [pid 5458] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5458] chdir("./file0") = 0 [pid 5458] ioctl(6, LOOP_CLR_FD) = 0 [pid 5458] close(6) = 0 [pid 5458] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5459] <... write resumed>) = 2097152 [pid 5458] <... futex resumed>) = 0 [pid 5459] munmap(0x7f7936b10000, 2097152 [pid 5458] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5459] <... munmap resumed>) = 0 [pid 5459] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5459] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5459] ioctl(6, LOOP_CLR_FD) = 0 [ 119.135302][ T5458] loop0: detected capacity change from 0 to 4096 [ 119.153341][ T5458] ntfs: volume version 12.0. [pid 5459] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5459] close(6) = 0 [pid 5459] close(5) = 0 [pid 5459] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5459] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5457] <... futex resumed>) = 0 [pid 5457] exit_group(0 [pid 5459] <... futex resumed>) = ? [pid 5458] <... futex resumed>) = ? [pid 5457] <... exit_group resumed>) = ? [pid 5459] +++ exited with 0 +++ [pid 5458] +++ exited with 0 +++ [pid 5457] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5457, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=16 /* 0.16 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./139", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./139", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./139/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./139/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./139/binderfs") = 0 umount2("./139/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./139/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./139/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./139/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./139/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./139/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./139") = 0 mkdir("./140", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5460 ./strace-static-x86_64: Process 5460 attached [pid 5460] set_robust_list(0x555555f176a0, 24) = 0 [pid 5460] chdir("./140") = 0 [pid 5460] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5460] setpgid(0, 0) = 0 [pid 5460] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5460] write(3, "1000", 4) = 4 [pid 5460] close(3) = 0 [pid 5460] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5460] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5460] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5460] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5460] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5460] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5460] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5460] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5461 attached => {parent_tid=[5461]}, 88) = 5461 [pid 5461] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5461] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5461] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5461] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5460] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5460] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5461] <... futex resumed>) = 0 [pid 5461] memfd_create("syzkaller", 0 [pid 5460] <... futex resumed>) = 1 [pid 5460] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5460] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5460] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5460] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5461] <... memfd_create resumed>) = 3 [pid 5461] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5460] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5461] <... mmap resumed>) = 0x7f793ef10000 [pid 5460] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5462 attached => {parent_tid=[5462]}, 88) = 5462 [pid 5462] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5460] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5460] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5460] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5462] <... rseq resumed>) = 0 [pid 5462] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5462] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5462] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5462] write(4, "85", 2) = 2 [pid 5462] memfd_create("syzkaller", 0) = 5 [pid 5462] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5461] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 119.289324][ T5462] FAULT_INJECTION: forcing a failure. [ 119.289324][ T5462] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 119.304110][ T5462] CPU: 0 PID: 5462 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 119.314564][ T5462] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 119.324649][ T5462] Call Trace: [ 119.328014][ T5462] [ 119.330952][ T5462] dump_stack_lvl+0x1e7/0x2d0 [ 119.335744][ T5462] ? nf_tcp_handle_invalid+0x650/0x650 [ 119.341208][ T5462] ? panic+0x770/0x770 [ 119.345275][ T5462] should_fail_ex+0x3aa/0x4e0 [ 119.349997][ T5462] prepare_alloc_pages+0x1d9/0x5b0 [ 119.355117][ T5462] __alloc_pages+0x165/0x670 [ 119.359973][ T5462] ? zone_statistics+0x170/0x170 [ 119.364920][ T5462] ? verify_lock_unused+0x140/0x140 [ 119.370112][ T5462] ? handle_mm_fault+0x11d/0x62b0 [ 119.375133][ T5462] ? __lock_acquire+0x7f70/0x7f70 [ 119.380146][ T5462] ? pte_offset_map_nolock+0x137/0x1e0 [ 119.385615][ T5462] __folio_alloc+0x13/0x30 [ 119.390114][ T5462] vma_alloc_folio+0x48a/0x9a0 [ 119.394880][ T5462] handle_mm_fault+0x2376/0x62b0 [ 119.399823][ T5462] ? handle_mm_fault+0x11d/0x62b0 [ 119.404858][ T5462] ? numa_migrate_prep+0x380/0x380 [ 119.409979][ T5462] ? mtree_range_walk+0x6a0/0x7e0 [ 119.415011][ T5462] ? lock_vma_under_rcu+0x187/0x6f0 [ 119.420213][ T5462] ? __lock_acquire+0x7f70/0x7f70 [ 119.425231][ T5462] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 119.430434][ T5462] ? lock_vma_under_rcu+0x5df/0x6f0 [ 119.435634][ T5462] ? lock_vma_under_rcu+0x187/0x6f0 [ 119.440838][ T5462] ? exc_page_fault+0x10f/0x860 [ 119.445683][ T5462] exc_page_fault+0x455/0x860 [ 119.450356][ T5462] asm_exc_page_fault+0x26/0x30 [ 119.455200][ T5462] RIP: 0033:0x7f794735bc53 [ 119.459609][ T5462] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 119.479211][ T5462] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5461] munmap(0x7f793ef10000, 2097152) = 0 [pid 5461] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 119.485274][ T5462] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 119.493246][ T5462] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 119.501208][ T5462] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 119.509347][ T5462] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 119.517337][ T5462] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 119.525578][ T5462] [ 119.529448][ T5462] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5461] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5461] close(3) = 0 [pid 5461] mkdir("./file0", 0777) = 0 [pid 5461] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5462] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5461] <... mount resumed>) = 0 [pid 5461] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5461] chdir("./file0") = 0 [pid 5461] ioctl(6, LOOP_CLR_FD) = 0 [pid 5461] close(6) = 0 [pid 5461] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5461] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5462] <... write resumed>) = 2097152 [pid 5462] munmap(0x7f7936b10000, 2097152) = 0 [pid 5462] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5462] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5462] ioctl(6, LOOP_CLR_FD) = 0 [pid 5462] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5462] close(6) = 0 [ 119.547435][ T5461] loop0: detected capacity change from 0 to 4096 [ 119.563160][ T5461] ntfs: volume version 12.0. [pid 5462] close(5) = 0 [pid 5462] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5460] <... futex resumed>) = 0 [pid 5462] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5460] exit_group(0) = ? [pid 5461] <... futex resumed>) = ? [pid 5462] <... futex resumed>) = ? [pid 5461] +++ exited with 0 +++ [pid 5462] +++ exited with 0 +++ [pid 5460] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5460, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./140", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./140", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./140/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./140/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./140/binderfs") = 0 umount2("./140/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./140/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./140/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./140/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./140/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./140/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./140") = 0 mkdir("./141", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5463 attached , child_tidptr=0x555555f17690) = 5463 [pid 5463] set_robust_list(0x555555f176a0, 24) = 0 [pid 5463] chdir("./141") = 0 [pid 5463] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5463] setpgid(0, 0) = 0 [pid 5463] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5463] write(3, "1000", 4) = 4 [pid 5463] close(3) = 0 [pid 5463] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5463] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5463] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5463] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5463] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5463] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5463] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5463] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5464 attached => {parent_tid=[5464]}, 88) = 5464 [pid 5464] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5463] rt_sigprocmask(SIG_SETMASK, [], [pid 5464] <... rseq resumed>) = 0 [pid 5464] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5463] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5464] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5463] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5463] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5464] memfd_create("syzkaller", 0 [pid 5463] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5464] <... memfd_create resumed>) = 3 [pid 5464] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5463] <... mmap resumed>) = 0x7f7947310000 [pid 5464] <... mmap resumed>) = 0x7f793ef10000 [pid 5463] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5463] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5463] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5465]}, 88) = 5465 ./strace-static-x86_64: Process 5465 attached [pid 5463] rt_sigprocmask(SIG_SETMASK, [], [pid 5465] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5465] set_robust_list(0x7f79473309a0, 24 [pid 5463] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5465] <... set_robust_list resumed>) = 0 [pid 5465] rt_sigprocmask(SIG_SETMASK, [], [pid 5463] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5465] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5463] <... futex resumed>) = 0 [pid 5463] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5465] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5465] write(4, "85", 2) = 2 [pid 5465] memfd_create("syzkaller", 0) = 5 [pid 5465] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 119.712581][ T5465] FAULT_INJECTION: forcing a failure. [ 119.712581][ T5465] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 119.726752][ T5465] CPU: 0 PID: 5465 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 119.737213][ T5465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 119.747276][ T5465] Call Trace: [ 119.750563][ T5465] [ 119.753488][ T5465] dump_stack_lvl+0x1e7/0x2d0 [pid 5464] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 119.758159][ T5465] ? nf_tcp_handle_invalid+0x650/0x650 [ 119.763613][ T5465] ? panic+0x770/0x770 [ 119.767689][ T5465] should_fail_ex+0x3aa/0x4e0 [ 119.772360][ T5465] prepare_alloc_pages+0x1d9/0x5b0 [ 119.777462][ T5465] __alloc_pages+0x165/0x670 [ 119.782059][ T5465] ? zone_statistics+0x170/0x170 [ 119.787081][ T5465] ? verify_lock_unused+0x140/0x140 [ 119.792270][ T5465] ? handle_mm_fault+0x11d/0x62b0 [ 119.797282][ T5465] ? __lock_acquire+0x7f70/0x7f70 [ 119.802288][ T5465] ? pte_offset_map_nolock+0x137/0x1e0 [ 119.807739][ T5465] __folio_alloc+0x13/0x30 [ 119.812317][ T5465] vma_alloc_folio+0x48a/0x9a0 [ 119.817246][ T5465] handle_mm_fault+0x2376/0x62b0 [ 119.822174][ T5465] ? handle_mm_fault+0x11d/0x62b0 [ 119.827190][ T5465] ? numa_migrate_prep+0x380/0x380 [ 119.832291][ T5465] ? mtree_range_walk+0x6a0/0x7e0 [ 119.837316][ T5465] ? lock_vma_under_rcu+0x187/0x6f0 [ 119.842553][ T5465] ? __lock_acquire+0x7f70/0x7f70 [ 119.847569][ T5465] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 119.852762][ T5465] ? lock_vma_under_rcu+0x5df/0x6f0 [ 119.857965][ T5465] ? lock_vma_under_rcu+0x187/0x6f0 [ 119.863244][ T5465] ? exc_page_fault+0x10f/0x860 [ 119.868095][ T5465] exc_page_fault+0x455/0x860 [ 119.872758][ T5465] asm_exc_page_fault+0x26/0x30 [ 119.877592][ T5465] RIP: 0033:0x7f794735bc53 [ 119.881988][ T5465] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 119.901754][ T5465] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5464] munmap(0x7f793ef10000, 2097152) = 0 [pid 5464] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 119.907812][ T5465] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 119.915854][ T5465] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 119.923808][ T5465] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 119.931763][ T5465] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 119.939722][ T5465] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 119.947687][ T5465] [ 119.951850][ T5465] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5464] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5464] close(3) = 0 [pid 5464] mkdir("./file0", 0777) = 0 [pid 5464] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5465] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5464] <... mount resumed>) = 0 [pid 5464] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5464] chdir("./file0") = 0 [pid 5464] ioctl(6, LOOP_CLR_FD) = 0 [pid 5464] close(6) = 0 [pid 5464] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5464] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5465] <... write resumed>) = 2097152 [pid 5465] munmap(0x7f7936b10000, 2097152) = 0 [pid 5465] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5465] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5465] ioctl(6, LOOP_CLR_FD) = 0 [pid 5465] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5465] close(6) = 0 [ 119.968671][ T5464] loop0: detected capacity change from 0 to 4096 [ 119.983802][ T5464] ntfs: volume version 12.0. [pid 5465] close(5) = 0 [pid 5465] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5463] <... futex resumed>) = 0 [pid 5465] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5463] exit_group(0 [pid 5464] <... futex resumed>) = ? [pid 5463] <... exit_group resumed>) = ? [pid 5465] <... futex resumed>) = ? [pid 5465] +++ exited with 0 +++ [pid 5464] +++ exited with 0 +++ [pid 5463] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5463, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=17 /* 0.17 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./141", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./141", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./141/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./141/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./141/binderfs") = 0 umount2("./141/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./141/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./141/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./141/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./141/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./141/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./141") = 0 mkdir("./142", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5466 attached [pid 5466] set_robust_list(0x555555f176a0, 24) = 0 [pid 5466] chdir("./142") = 0 [pid 5466] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5466 [pid 5466] setpgid(0, 0) = 0 [pid 5466] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5466] write(3, "1000", 4) = 4 [pid 5466] close(3) = 0 [pid 5466] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5466] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5466] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5466] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5466] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5466] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5466] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5466] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5467 attached [pid 5467] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5466] <... clone3 resumed> => {parent_tid=[5467]}, 88) = 5467 [pid 5467] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5466] rt_sigprocmask(SIG_SETMASK, [], [pid 5467] rt_sigprocmask(SIG_SETMASK, [], [pid 5466] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5467] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5466] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5467] memfd_create("syzkaller", 0 [pid 5466] <... futex resumed>) = 0 [pid 5466] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5466] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5466] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5467] <... memfd_create resumed>) = 3 [pid 5466] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5467] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5466] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5466] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5468 attached [pid 5468] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5466] <... clone3 resumed> => {parent_tid=[5468]}, 88) = 5468 [pid 5468] <... rseq resumed>) = 0 [pid 5466] rt_sigprocmask(SIG_SETMASK, [], [pid 5468] set_robust_list(0x7f79473309a0, 24 [pid 5466] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5468] <... set_robust_list resumed>) = 0 [pid 5466] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5468] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5466] <... futex resumed>) = 0 [pid 5468] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5466] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5468] <... openat resumed>) = 4 [pid 5468] write(4, "85", 2) = 2 [pid 5468] memfd_create("syzkaller", 0) = 5 [pid 5468] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5467] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 120.119349][ T5468] FAULT_INJECTION: forcing a failure. [ 120.119349][ T5468] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 120.133293][ T5468] CPU: 0 PID: 5468 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 120.143730][ T5468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 120.153789][ T5468] Call Trace: [ 120.157068][ T5468] [ 120.160097][ T5468] dump_stack_lvl+0x1e7/0x2d0 [ 120.164803][ T5468] ? nf_tcp_handle_invalid+0x650/0x650 [ 120.170275][ T5468] ? panic+0x770/0x770 [ 120.174396][ T5468] should_fail_ex+0x3aa/0x4e0 [ 120.179092][ T5468] prepare_alloc_pages+0x1d9/0x5b0 [ 120.184219][ T5468] __alloc_pages+0x165/0x670 [ 120.188840][ T5468] ? zone_statistics+0x170/0x170 [ 120.193791][ T5468] ? verify_lock_unused+0x140/0x140 [ 120.198981][ T5468] ? handle_mm_fault+0x11d/0x62b0 [ 120.204004][ T5468] ? __lock_acquire+0x7f70/0x7f70 [ 120.209031][ T5468] ? pte_offset_map_nolock+0x137/0x1e0 [ 120.214482][ T5468] __folio_alloc+0x13/0x30 [ 120.218890][ T5468] vma_alloc_folio+0x48a/0x9a0 [ 120.223661][ T5468] handle_mm_fault+0x2376/0x62b0 [ 120.228616][ T5468] ? handle_mm_fault+0x11d/0x62b0 [ 120.233636][ T5468] ? numa_migrate_prep+0x380/0x380 [ 120.238760][ T5468] ? mtree_range_walk+0x6a0/0x7e0 [ 120.243794][ T5468] ? lock_vma_under_rcu+0x187/0x6f0 [ 120.248982][ T5468] ? __lock_acquire+0x7f70/0x7f70 [ 120.254002][ T5468] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 120.259215][ T5468] ? lock_vma_under_rcu+0x5df/0x6f0 [ 120.264412][ T5468] ? lock_vma_under_rcu+0x187/0x6f0 [ 120.269609][ T5468] ? exc_page_fault+0x10f/0x860 [ 120.274471][ T5468] exc_page_fault+0x455/0x860 [ 120.279154][ T5468] asm_exc_page_fault+0x26/0x30 [ 120.284007][ T5468] RIP: 0033:0x7f794735bc53 [ 120.288421][ T5468] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 120.308021][ T5468] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5467] munmap(0x7f793ef10000, 2097152) = 0 [pid 5468] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5467] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 120.314080][ T5468] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 120.322055][ T5468] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 120.330033][ T5468] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 120.337996][ T5468] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 120.345976][ T5468] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 120.353974][ T5468] [pid 5467] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5467] close(3) = 0 [pid 5467] mkdir("./file0", 0777) = 0 [pid 5467] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5468] <... write resumed>) = 2097152 [pid 5468] munmap(0x7f7936b10000, 2097152 [pid 5467] <... mount resumed>) = 0 [pid 5467] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5467] chdir("./file0") = 0 [pid 5467] ioctl(6, LOOP_CLR_FD) = 0 [pid 5467] close(6) = 0 [pid 5467] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5467] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5468] <... munmap resumed>) = 0 [pid 5468] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5468] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5468] ioctl(6, LOOP_CLR_FD) = 0 [pid 5468] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5468] close(6) = 0 [pid 5468] close(5) = 0 [pid 5468] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5468] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5466] <... futex resumed>) = 0 [pid 5466] exit_group(0 [pid 5468] <... futex resumed>) = ? [pid 5467] <... futex resumed>) = ? [pid 5466] <... exit_group resumed>) = ? [pid 5468] +++ exited with 0 +++ [pid 5467] +++ exited with 0 +++ [pid 5466] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5466, si_uid=0, si_status=0, si_utime=0, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./142", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./142", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./142/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 120.374544][ T5467] loop0: detected capacity change from 0 to 4096 [ 120.391747][ T5467] ntfs: volume version 12.0. newfstatat(AT_FDCWD, "./142/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./142/binderfs") = 0 umount2("./142/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./142/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./142/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./142/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./142/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./142/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./142") = 0 mkdir("./143", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5469 attached , child_tidptr=0x555555f17690) = 5469 [pid 5469] set_robust_list(0x555555f176a0, 24) = 0 [pid 5469] chdir("./143") = 0 [pid 5469] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5469] setpgid(0, 0) = 0 [pid 5469] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5469] write(3, "1000", 4) = 4 [pid 5469] close(3) = 0 [pid 5469] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5469] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5469] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5469] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5469] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5469] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5469] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5469] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5470 attached [pid 5470] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5469] <... clone3 resumed> => {parent_tid=[5470]}, 88) = 5470 [pid 5470] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5469] rt_sigprocmask(SIG_SETMASK, [], [pid 5470] rt_sigprocmask(SIG_SETMASK, [], [pid 5469] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5470] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5469] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5470] memfd_create("syzkaller", 0 [pid 5469] <... futex resumed>) = 0 [pid 5469] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5469] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5469] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5469] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5470] <... memfd_create resumed>) = 3 [pid 5469] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5469] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5470] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0./strace-static-x86_64: Process 5471 attached ) = 0x7f793ef10000 [pid 5471] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5469] <... clone3 resumed> => {parent_tid=[5471]}, 88) = 5471 [pid 5469] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5469] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5469] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5471] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5471] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5471] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5471] write(4, "85", 2) = 2 [pid 5471] memfd_create("syzkaller", 0) = 5 [pid 5471] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 120.495165][ T5471] FAULT_INJECTION: forcing a failure. [ 120.495165][ T5471] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 120.519056][ T5471] CPU: 0 PID: 5471 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 120.529522][ T5471] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 120.539602][ T5471] Call Trace: [pid 5470] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 120.542901][ T5471] [ 120.545847][ T5471] dump_stack_lvl+0x1e7/0x2d0 [ 120.550551][ T5471] ? nf_tcp_handle_invalid+0x650/0x650 [ 120.556119][ T5471] ? panic+0x770/0x770 [ 120.560227][ T5471] should_fail_ex+0x3aa/0x4e0 [ 120.564974][ T5471] prepare_alloc_pages+0x1d9/0x5b0 [ 120.570219][ T5471] __alloc_pages+0x165/0x670 [ 120.574837][ T5471] ? zone_statistics+0x170/0x170 [ 120.579792][ T5471] ? verify_lock_unused+0x140/0x140 [ 120.584986][ T5471] ? handle_mm_fault+0x11d/0x62b0 [ 120.590009][ T5471] ? __lock_acquire+0x7f70/0x7f70 [ 120.595172][ T5471] ? pte_offset_map_nolock+0x137/0x1e0 [ 120.600630][ T5471] __folio_alloc+0x13/0x30 [ 120.605748][ T5471] vma_alloc_folio+0x48a/0x9a0 [ 120.610701][ T5471] handle_mm_fault+0x2376/0x62b0 [ 120.615986][ T5471] ? handle_mm_fault+0x11d/0x62b0 [ 120.621120][ T5471] ? numa_migrate_prep+0x380/0x380 [ 120.626499][ T5471] ? mtree_range_walk+0x6a0/0x7e0 [ 120.631536][ T5471] ? lock_vma_under_rcu+0x187/0x6f0 [ 120.636762][ T5471] ? __lock_acquire+0x7f70/0x7f70 [ 120.641969][ T5471] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 120.647188][ T5471] ? lock_vma_under_rcu+0x5df/0x6f0 [ 120.652414][ T5471] ? lock_vma_under_rcu+0x187/0x6f0 [ 120.657622][ T5471] ? exc_page_fault+0x10f/0x860 [ 120.662555][ T5471] exc_page_fault+0x455/0x860 [ 120.667230][ T5471] asm_exc_page_fault+0x26/0x30 [ 120.672070][ T5471] RIP: 0033:0x7f794735bc53 [ 120.676475][ T5471] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [pid 5470] munmap(0x7f793ef10000, 2097152) = 0 [pid 5470] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 120.696080][ T5471] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 120.702155][ T5471] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 120.710127][ T5471] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 120.718105][ T5471] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 120.726097][ T5471] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 120.734058][ T5471] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 120.742562][ T5471] [pid 5470] ioctl(6, LOOP_SET_FD, 3 [pid 5471] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5470] <... ioctl resumed>) = 0 [pid 5470] close(3) = 0 [pid 5470] mkdir("./file0", 0777) = 0 [pid 5470] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5471] <... write resumed>) = 2097152 [pid 5471] munmap(0x7f7936b10000, 2097152 [pid 5470] <... mount resumed>) = 0 [pid 5470] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5470] chdir("./file0") = 0 [pid 5470] ioctl(6, LOOP_CLR_FD [pid 5471] <... munmap resumed>) = 0 [pid 5470] <... ioctl resumed>) = 0 [pid 5470] close(6) = 0 [pid 5470] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5471] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5470] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5471] <... openat resumed>) = 6 [pid 5471] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5471] ioctl(6, LOOP_CLR_FD) = 0 [pid 5471] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5471] close(6) = 0 [pid 5471] close(5) = 0 [pid 5471] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5469] <... futex resumed>) = 0 [pid 5471] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5469] exit_group(0) = ? [pid 5471] <... futex resumed>) = ? [pid 5470] <... futex resumed>) = ? [pid 5471] +++ exited with 0 +++ [pid 5470] +++ exited with 0 +++ [pid 5469] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5469, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=12 /* 0.12 s */} --- umount2("./143", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./143", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./143/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./143/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./143/binderfs") = 0 umount2("./143/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./143/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./143/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./143/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./143/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 [ 120.759689][ T5470] loop0: detected capacity change from 0 to 4096 [ 120.781609][ T5470] ntfs: volume version 12.0. close(4) = 0 rmdir("./143/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./143") = 0 mkdir("./144", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5472 ./strace-static-x86_64: Process 5472 attached [pid 5472] set_robust_list(0x555555f176a0, 24) = 0 [pid 5472] chdir("./144") = 0 [pid 5472] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5472] setpgid(0, 0) = 0 [pid 5472] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5472] write(3, "1000", 4) = 4 [pid 5472] close(3) = 0 [pid 5472] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5472] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5472] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5472] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5472] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5472] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5472] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5472] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5473 attached [pid 5473] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5473] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5473] rt_sigprocmask(SIG_SETMASK, [], [pid 5472] <... clone3 resumed> => {parent_tid=[5473]}, 88) = 5473 [pid 5473] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5472] rt_sigprocmask(SIG_SETMASK, [], [pid 5473] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5472] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5472] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5473] <... futex resumed>) = 0 [pid 5472] <... futex resumed>) = 1 [pid 5472] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5473] memfd_create("syzkaller", 0) = 3 [pid 5473] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5472] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f793ef10000 [pid 5472] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5472] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5472] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5474 attached => {parent_tid=[5474]}, 88) = 5474 [pid 5474] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5472] rt_sigprocmask(SIG_SETMASK, [], [pid 5474] set_robust_list(0x7f793ef309a0, 24 [pid 5472] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5474] <... set_robust_list resumed>) = 0 [pid 5472] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5474] rt_sigprocmask(SIG_SETMASK, [], [pid 5472] <... futex resumed>) = 0 [pid 5474] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5472] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5474] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5474] write(4, "85", 2) = 2 [pid 5474] memfd_create("syzkaller", 0) = 5 [pid 5474] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 120.890347][ T5474] FAULT_INJECTION: forcing a failure. [ 120.890347][ T5474] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 120.903809][ T5474] CPU: 0 PID: 5474 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 120.914234][ T5474] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 120.924300][ T5474] Call Trace: [ 120.927573][ T5474] [ 120.930498][ T5474] dump_stack_lvl+0x1e7/0x2d0 [ 120.935199][ T5474] ? nf_tcp_handle_invalid+0x650/0x650 [ 120.940668][ T5474] ? panic+0x770/0x770 [ 120.944745][ T5474] should_fail_ex+0x3aa/0x4e0 [ 120.949464][ T5474] prepare_alloc_pages+0x1d9/0x5b0 [ 120.954597][ T5474] __alloc_pages+0x165/0x670 [ 120.959387][ T5474] ? zone_statistics+0x170/0x170 [ 120.964331][ T5474] ? verify_lock_unused+0x140/0x140 [ 120.969532][ T5474] ? handle_mm_fault+0x11d/0x62b0 [ 120.974560][ T5474] ? __lock_acquire+0x7f70/0x7f70 [ 120.979576][ T5474] ? pte_offset_map_nolock+0x137/0x1e0 [ 120.985057][ T5474] __folio_alloc+0x13/0x30 [ 120.989556][ T5474] vma_alloc_folio+0x48a/0x9a0 [ 120.994319][ T5474] handle_mm_fault+0x2376/0x62b0 [ 120.999267][ T5474] ? handle_mm_fault+0x11d/0x62b0 [ 121.004297][ T5474] ? numa_migrate_prep+0x380/0x380 [ 121.009434][ T5474] ? mtree_range_walk+0x6a0/0x7e0 [ 121.014455][ T5474] ? lock_vma_under_rcu+0x187/0x6f0 [ 121.019671][ T5474] ? __lock_acquire+0x7f70/0x7f70 [ 121.024685][ T5474] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 121.029891][ T5474] ? lock_vma_under_rcu+0x5df/0x6f0 [ 121.035093][ T5474] ? lock_vma_under_rcu+0x187/0x6f0 [ 121.040409][ T5474] ? exc_page_fault+0x10f/0x860 [ 121.045256][ T5474] exc_page_fault+0x455/0x860 [ 121.050018][ T5474] asm_exc_page_fault+0x26/0x30 [ 121.054871][ T5474] RIP: 0033:0x7f794735bc53 [ 121.059294][ T5474] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 121.079008][ T5474] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5473] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2262174 [pid 5474] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5473] <... write resumed>) = 2262174 [pid 5473] munmap(0x7f793ef31000, 2262174) = 0 [ 121.085088][ T5474] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 121.093054][ T5474] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 121.101039][ T5474] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 121.109023][ T5474] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 121.116997][ T5474] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 121.124994][ T5474] [pid 5473] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5473] ioctl(6, LOOP_SET_FD, 3 [pid 5474] <... write resumed>) = 2097152 [pid 5473] <... ioctl resumed>) = 0 [pid 5474] munmap(0x7f7936b10000, 2097152 [pid 5473] close(3) = 0 [pid 5473] mkdir("./file0", 0777) = 0 [pid 5473] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5474] <... munmap resumed>) = 0 [pid 5474] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5473] <... mount resumed>) = -1 EINVAL (Invalid argument) [pid 5474] <... openat resumed>) = 3 [pid 5473] ioctl(6, LOOP_CLR_FD [pid 5474] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5474] ioctl(3, LOOP_CLR_FD) = 0 [pid 5473] <... ioctl resumed>) = 0 [pid 5473] close(6) = 0 [pid 5474] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5474] close(3 [pid 5473] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5473] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5474] <... close resumed>) = 0 [pid 5474] close(5) = 0 [pid 5474] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5472] <... futex resumed>) = 0 [pid 5472] exit_group(0 [pid 5473] <... futex resumed>) = ? [pid 5472] <... exit_group resumed>) = ? [pid 5473] +++ exited with 0 +++ [pid 5474] <... futex resumed>) = ? [ 121.173686][ T5473] loop0: detected capacity change from 0 to 4418 [pid 5474] +++ exited with 0 +++ [pid 5472] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5472, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=37 /* 0.37 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./144", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./144", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./144/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./144/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./144/binderfs") = 0 umount2("./144/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./144/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./144/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./144/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./144/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./144") = 0 mkdir("./145", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5475 attached , child_tidptr=0x555555f17690) = 5475 [pid 5475] set_robust_list(0x555555f176a0, 24) = 0 [pid 5475] chdir("./145") = 0 [pid 5475] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5475] setpgid(0, 0) = 0 [pid 5475] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5475] write(3, "1000", 4) = 4 [pid 5475] close(3) = 0 [pid 5475] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5475] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5475] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5475] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5475] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5475] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5475] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5475] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5476 attached [pid 5476] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5475] <... clone3 resumed> => {parent_tid=[5476]}, 88) = 5476 [pid 5476] <... rseq resumed>) = 0 [pid 5475] rt_sigprocmask(SIG_SETMASK, [], [pid 5476] set_robust_list(0x7f79473519a0, 24 [pid 5475] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5476] <... set_robust_list resumed>) = 0 [pid 5475] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5476] rt_sigprocmask(SIG_SETMASK, [], [pid 5475] <... futex resumed>) = 0 [pid 5476] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5475] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5476] memfd_create("syzkaller", 0 [pid 5475] <... futex resumed>) = 0 [pid 5475] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5475] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5475] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5475] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5476] <... memfd_create resumed>) = 3 ./strace-static-x86_64: Process 5477 attached [pid 5475] <... clone3 resumed> => {parent_tid=[5477]}, 88) = 5477 [pid 5476] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5475] rt_sigprocmask(SIG_SETMASK, [], [pid 5477] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5476] <... mmap resumed>) = 0x7f793ef10000 [pid 5475] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5477] <... rseq resumed>) = 0 [pid 5477] set_robust_list(0x7f79473309a0, 24 [pid 5475] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5477] <... set_robust_list resumed>) = 0 [pid 5477] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5475] <... futex resumed>) = 0 [pid 5475] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5477] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5476] munmap(0x7f793ef10000, 138412032 [pid 5477] <... openat resumed>) = 4 [pid 5477] write(4, "85", 2) = 2 [pid 5477] memfd_create("syzkaller", 0) = 5 [pid 5477] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5476] <... munmap resumed>) = 0 [pid 5477] <... mmap resumed>) = 0x7f793ef10000 [pid 5476] close(3) = 0 [pid 5476] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 121.284476][ T5477] FAULT_INJECTION: forcing a failure. [ 121.284476][ T5477] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 121.297915][ T5477] CPU: 1 PID: 5477 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 121.308320][ T5477] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 121.318377][ T5477] Call Trace: [ 121.321661][ T5477] [ 121.324583][ T5477] dump_stack_lvl+0x1e7/0x2d0 [ 121.329267][ T5477] ? nf_tcp_handle_invalid+0x650/0x650 [ 121.334772][ T5477] ? panic+0x770/0x770 [ 121.338847][ T5477] should_fail_ex+0x3aa/0x4e0 [ 121.343628][ T5477] prepare_alloc_pages+0x1d9/0x5b0 [ 121.348772][ T5477] __alloc_pages+0x165/0x670 [ 121.353429][ T5477] ? zone_statistics+0x170/0x170 [ 121.358390][ T5477] ? verify_lock_unused+0x140/0x140 [ 121.363594][ T5477] ? handle_mm_fault+0x11d/0x62b0 [ 121.368625][ T5477] ? __lock_acquire+0x7f70/0x7f70 [ 121.373648][ T5477] ? pte_offset_map_nolock+0x137/0x1e0 [ 121.379157][ T5477] __folio_alloc+0x13/0x30 [ 121.383587][ T5477] vma_alloc_folio+0x48a/0x9a0 [ 121.388366][ T5477] handle_mm_fault+0x2376/0x62b0 [ 121.393340][ T5477] ? handle_mm_fault+0x11d/0x62b0 [ 121.398455][ T5477] ? numa_migrate_prep+0x380/0x380 [ 121.403573][ T5477] ? mtree_range_walk+0x6a0/0x7e0 [ 121.408800][ T5477] ? lock_vma_under_rcu+0x187/0x6f0 [ 121.414034][ T5477] ? __lock_acquire+0x7f70/0x7f70 [ 121.419080][ T5477] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 121.424297][ T5477] ? lock_vma_under_rcu+0x5df/0x6f0 [ 121.429499][ T5477] ? lock_vma_under_rcu+0x187/0x6f0 [ 121.434716][ T5477] ? exc_page_fault+0x10f/0x860 [ 121.439653][ T5477] exc_page_fault+0x455/0x860 [ 121.444332][ T5477] asm_exc_page_fault+0x26/0x30 [ 121.449175][ T5477] RIP: 0033:0x7f794735bd00 [ 121.453591][ T5477] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 121.473185][ T5477] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 121.479253][ T5477] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 121.487218][ T5477] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 121.495790][ T5477] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 121.503752][ T5477] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 121.511721][ T5477] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 121.519696][ T5477] [ 121.523695][ T5477] pagefault_out_of_memory: 3 callbacks suppressed [pid 5476] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5477] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5477] munmap(0x7f793ef10000, 2097152) = 0 [pid 5477] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 121.523708][ T5477] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5477] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5477] close(5) = 0 [pid 5477] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5477] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 121.566914][ T5477] loop0: detected capacity change from 0 to 4096 [ 121.584750][ T5477] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 121.591876][ T5477] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5477] ioctl(3, LOOP_CLR_FD) = 0 [pid 5477] close(3) = 0 [pid 5477] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5475] <... futex resumed>) = 0 [pid 5475] exit_group(0) = ? [pid 5476] <... futex resumed>) = ? [pid 5476] +++ exited with 0 +++ [pid 5477] <... futex resumed>) = ? [pid 5477] +++ exited with 0 +++ [pid 5475] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5475, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=9 /* 0.09 s */} --- umount2("./145", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./145", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./145/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./145/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./145/binderfs") = 0 umount2("\x2e\x2f\x31\x34\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x34\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x34\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x34\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x34\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./145") = 0 mkdir("./146", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5478 attached [pid 5478] set_robust_list(0x555555f176a0, 24) = 0 [pid 5478] chdir("./146") = 0 [pid 5478] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5478] setpgid(0, 0) = 0 [pid 5478] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5478] write(3, "1000", 4) = 4 [pid 5478] close(3) = 0 [pid 5478] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5478] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5478] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5478] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5478] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5478] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5478] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5478] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5479 attached [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5478 [pid 5479] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5478] <... clone3 resumed> => {parent_tid=[5479]}, 88) = 5479 [pid 5479] <... rseq resumed>) = 0 [pid 5478] rt_sigprocmask(SIG_SETMASK, [], [pid 5479] set_robust_list(0x7f79473519a0, 24 [pid 5478] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5479] <... set_robust_list resumed>) = 0 [pid 5478] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5479] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5478] <... futex resumed>) = 0 [pid 5479] memfd_create("syzkaller", 0 [pid 5478] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5478] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5478] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5478] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5479] <... memfd_create resumed>) = 3 [pid 5478] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5478] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5479] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5478] <... clone3 resumed> => {parent_tid=[5480]}, 88) = 5480 [pid 5478] rt_sigprocmask(SIG_SETMASK, [], ./strace-static-x86_64: Process 5480 attached NULL, 8) = 0 [pid 5478] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5480] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5478] <... futex resumed>) = 0 [pid 5480] <... rseq resumed>) = 0 [pid 5480] set_robust_list(0x7f79473309a0, 24 [pid 5478] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5480] <... set_robust_list resumed>) = 0 [pid 5480] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5480] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5480] write(4, "85", 2) = 2 [pid 5480] memfd_create("syzkaller", 0) = 5 [pid 5480] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 121.720424][ T5480] FAULT_INJECTION: forcing a failure. [ 121.720424][ T5480] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 121.734299][ T5480] CPU: 0 PID: 5480 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 121.744739][ T5480] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 121.754792][ T5480] Call Trace: [ 121.758068][ T5480] [ 121.760992][ T5480] dump_stack_lvl+0x1e7/0x2d0 [ 121.765671][ T5480] ? nf_tcp_handle_invalid+0x650/0x650 [ 121.771120][ T5480] ? panic+0x770/0x770 [ 121.775192][ T5480] should_fail_ex+0x3aa/0x4e0 [ 121.779872][ T5480] prepare_alloc_pages+0x1d9/0x5b0 [ 121.785014][ T5480] __alloc_pages+0x165/0x670 [ 121.789618][ T5480] ? zone_statistics+0x170/0x170 [ 121.794565][ T5480] ? verify_lock_unused+0x140/0x140 [ 121.799765][ T5480] ? handle_mm_fault+0x11d/0x62b0 [ 121.804847][ T5480] ? __lock_acquire+0x7f70/0x7f70 [ 121.809894][ T5480] ? pte_offset_map_nolock+0x137/0x1e0 [ 121.815357][ T5480] __folio_alloc+0x13/0x30 [ 121.819810][ T5480] vma_alloc_folio+0x48a/0x9a0 [ 121.824575][ T5480] handle_mm_fault+0x2376/0x62b0 [ 121.829606][ T5480] ? handle_mm_fault+0x11d/0x62b0 [ 121.834633][ T5480] ? numa_migrate_prep+0x380/0x380 [ 121.839751][ T5480] ? mtree_range_walk+0x6a0/0x7e0 [ 121.844775][ T5480] ? lock_vma_under_rcu+0x187/0x6f0 [ 121.849971][ T5480] ? __lock_acquire+0x7f70/0x7f70 [ 121.854988][ T5480] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 121.860190][ T5480] ? lock_vma_under_rcu+0x5df/0x6f0 [ 121.865388][ T5480] ? lock_vma_under_rcu+0x187/0x6f0 [ 121.870609][ T5480] ? exc_page_fault+0x10f/0x860 [ 121.875454][ T5480] exc_page_fault+0x455/0x860 [ 121.880131][ T5480] asm_exc_page_fault+0x26/0x30 [ 121.884972][ T5480] RIP: 0033:0x7f794735bc53 [ 121.889472][ T5480] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 121.909092][ T5480] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5479] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5479] munmap(0x7f793ef10000, 2097152 [pid 5480] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5479] <... munmap resumed>) = 0 [pid 5479] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 121.915186][ T5480] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 121.923150][ T5480] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 121.931116][ T5480] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 121.939081][ T5480] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 121.947083][ T5480] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 121.955089][ T5480] [ 121.958303][ T5480] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5479] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5479] close(3) = 0 [pid 5479] mkdir("./file0", 0777) = 0 [pid 5479] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5480] <... write resumed>) = 2097152 [pid 5480] munmap(0x7f7936b10000, 2097152 [pid 5479] <... mount resumed>) = 0 [pid 5479] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5479] chdir("./file0") = 0 [pid 5479] ioctl(6, LOOP_CLR_FD) = 0 [pid 5479] close(6 [pid 5480] <... munmap resumed>) = 0 [pid 5479] <... close resumed>) = 0 [pid 5480] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5479] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5480] <... openat resumed>) = 6 [pid 5479] <... futex resumed>) = 0 [pid 5479] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5480] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5480] ioctl(6, LOOP_CLR_FD) = 0 [pid 5480] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5480] close(6) = 0 [pid 5480] close(5) = 0 [pid 5480] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5478] <... futex resumed>) = 0 [pid 5478] exit_group(0) = ? [pid 5479] <... futex resumed>) = ? [pid 5479] +++ exited with 0 +++ [pid 5480] <... futex resumed>) = ? [pid 5480] +++ exited with 0 +++ [pid 5478] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5478, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=37 /* 0.37 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./146", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./146", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./146/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./146/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./146/binderfs") = 0 [ 121.992609][ T5479] loop0: detected capacity change from 0 to 4096 [ 122.008125][ T5479] ntfs: volume version 12.0. umount2("./146/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./146/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./146/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./146/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./146/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./146/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./146") = 0 mkdir("./147", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5481 ./strace-static-x86_64: Process 5481 attached [pid 5481] set_robust_list(0x555555f176a0, 24) = 0 [pid 5481] chdir("./147") = 0 [pid 5481] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5481] setpgid(0, 0) = 0 [pid 5481] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5481] write(3, "1000", 4) = 4 [pid 5481] close(3) = 0 [pid 5481] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5481] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5481] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5481] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5481] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5481] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5481] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5481] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5482 attached => {parent_tid=[5482]}, 88) = 5482 [pid 5481] rt_sigprocmask(SIG_SETMASK, [], [pid 5482] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5481] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5482] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5481] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5482] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5481] <... futex resumed>) = 0 [pid 5482] memfd_create("syzkaller", 0) = 3 [pid 5482] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5481] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5481] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f793ef10000 [pid 5481] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5481] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5481] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5483 attached [pid 5483] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5481] <... clone3 resumed> => {parent_tid=[5483]}, 88) = 5483 [pid 5483] set_robust_list(0x7f793ef309a0, 24 [pid 5481] rt_sigprocmask(SIG_SETMASK, [], [pid 5483] <... set_robust_list resumed>) = 0 [pid 5481] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5483] rt_sigprocmask(SIG_SETMASK, [], [pid 5481] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5483] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5481] <... futex resumed>) = 0 [pid 5481] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5483] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5483] write(4, "85", 2) = 2 [pid 5483] memfd_create("syzkaller", 0) = 5 [pid 5483] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5482] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 122.130515][ T5483] FAULT_INJECTION: forcing a failure. [ 122.130515][ T5483] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 122.144430][ T5483] CPU: 1 PID: 5483 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 122.154893][ T5483] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 122.164947][ T5483] Call Trace: [ 122.168222][ T5483] [ 122.171147][ T5483] dump_stack_lvl+0x1e7/0x2d0 [ 122.175826][ T5483] ? nf_tcp_handle_invalid+0x650/0x650 [ 122.181363][ T5483] ? panic+0x770/0x770 [ 122.185436][ T5483] should_fail_ex+0x3aa/0x4e0 [ 122.190116][ T5483] prepare_alloc_pages+0x1d9/0x5b0 [ 122.195229][ T5483] __alloc_pages+0x165/0x670 [ 122.199992][ T5483] ? zone_statistics+0x170/0x170 [ 122.204931][ T5483] ? verify_lock_unused+0x140/0x140 [ 122.210122][ T5483] ? handle_mm_fault+0x11d/0x62b0 [ 122.215173][ T5483] ? __lock_acquire+0x7f70/0x7f70 [ 122.220189][ T5483] ? pte_offset_map_nolock+0x137/0x1e0 [ 122.225649][ T5483] __folio_alloc+0x13/0x30 [ 122.230063][ T5483] vma_alloc_folio+0x48a/0x9a0 [ 122.234863][ T5483] handle_mm_fault+0x2376/0x62b0 [ 122.239804][ T5483] ? handle_mm_fault+0x11d/0x62b0 [ 122.248839][ T5483] ? numa_migrate_prep+0x380/0x380 [ 122.253962][ T5483] ? mtree_range_walk+0x6a0/0x7e0 [ 122.258986][ T5483] ? lock_vma_under_rcu+0x187/0x6f0 [ 122.264619][ T5483] ? __lock_acquire+0x7f70/0x7f70 [ 122.269636][ T5483] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 122.274851][ T5483] ? lock_vma_under_rcu+0x5df/0x6f0 [ 122.280045][ T5483] ? lock_vma_under_rcu+0x187/0x6f0 [ 122.285248][ T5483] ? exc_page_fault+0x10f/0x860 [ 122.290104][ T5483] exc_page_fault+0x455/0x860 [ 122.294787][ T5483] asm_exc_page_fault+0x26/0x30 [ 122.299633][ T5483] RIP: 0033:0x7f794735bc53 [ 122.304038][ T5483] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 122.323636][ T5483] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5482] munmap(0x7f793ef31000, 2097152) = 0 [pid 5482] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 122.329805][ T5483] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 122.337775][ T5483] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 122.345751][ T5483] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 122.353713][ T5483] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 122.361866][ T5483] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 122.369844][ T5483] [pid 5482] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5482] close(3) = 0 [pid 5482] mkdir("./file0", 0777) = 0 [pid 5482] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5482] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5483] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5482] chdir("./file0") = 0 [pid 5482] ioctl(6, LOOP_CLR_FD) = 0 [pid 5482] close(6) = 0 [pid 5482] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5482] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5483] <... write resumed>) = 2097152 [pid 5483] munmap(0x7f7936b10000, 2097152) = 0 [pid 5483] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5483] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5483] ioctl(6, LOOP_CLR_FD) = 0 [pid 5483] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5483] close(6) = 0 [pid 5483] close(5) = 0 [pid 5483] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5481] <... futex resumed>) = 0 [pid 5483] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5481] exit_group(0 [pid 5482] <... futex resumed>) = ? [pid 5481] <... exit_group resumed>) = ? [pid 5482] +++ exited with 0 +++ [pid 5483] <... futex resumed>) = ? [pid 5483] +++ exited with 0 +++ [pid 5481] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5481, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=36 /* 0.36 s */} --- umount2("./147", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./147", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./147/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./147/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./147/binderfs") = 0 umount2("./147/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./147/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./147/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 122.378352][ T5483] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 122.379433][ T5482] loop0: detected capacity change from 0 to 4096 [ 122.402784][ T5482] ntfs: volume version 12.0. umount2("./147/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./147/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./147/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./147") = 0 mkdir("./148", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5484 attached , child_tidptr=0x555555f17690) = 5484 [pid 5484] set_robust_list(0x555555f176a0, 24) = 0 [pid 5484] chdir("./148") = 0 [pid 5484] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5484] setpgid(0, 0) = 0 [pid 5484] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5484] write(3, "1000", 4) = 4 [pid 5484] close(3) = 0 [pid 5484] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5484] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5484] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5484] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5484] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5484] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5484] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5484] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5485 attached [pid 5485] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5484] <... clone3 resumed> => {parent_tid=[5485]}, 88) = 5485 [pid 5485] <... rseq resumed>) = 0 [pid 5484] rt_sigprocmask(SIG_SETMASK, [], [pid 5485] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5484] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5485] rt_sigprocmask(SIG_SETMASK, [], [pid 5484] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5485] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5484] <... futex resumed>) = 0 [pid 5485] memfd_create("syzkaller", 0 [pid 5484] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5484] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5484] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5484] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5484] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5485] <... memfd_create resumed>) = 3 [pid 5485] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5484] <... clone3 resumed> => {parent_tid=[5486]}, 88) = 5486 [pid 5484] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5484] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5484] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5486 attached [pid 5486] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5486] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5486] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5486] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5486] write(4, "85", 2) = 2 [pid 5486] memfd_create("syzkaller", 0) = 5 [pid 5486] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5485] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2028777) = 2028777 [ 122.534966][ T5486] FAULT_INJECTION: forcing a failure. [ 122.534966][ T5486] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 122.567605][ T5486] CPU: 1 PID: 5486 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 122.578151][ T5486] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 122.588201][ T5486] Call Trace: [ 122.591474][ T5486] [ 122.594565][ T5486] dump_stack_lvl+0x1e7/0x2d0 [ 122.599241][ T5486] ? nf_tcp_handle_invalid+0x650/0x650 [ 122.604797][ T5486] ? panic+0x770/0x770 [ 122.608945][ T5486] should_fail_ex+0x3aa/0x4e0 [ 122.614409][ T5486] prepare_alloc_pages+0x1d9/0x5b0 [ 122.619528][ T5486] __alloc_pages+0x165/0x670 [ 122.624302][ T5486] ? zone_statistics+0x170/0x170 [ 122.629253][ T5486] ? verify_lock_unused+0x140/0x140 [ 122.634714][ T5486] ? handle_mm_fault+0x11d/0x62b0 [ 122.639730][ T5486] ? __lock_acquire+0x7f70/0x7f70 [ 122.644824][ T5486] ? pte_offset_map_nolock+0x137/0x1e0 [ 122.650311][ T5486] __folio_alloc+0x13/0x30 [ 122.654725][ T5486] vma_alloc_folio+0x48a/0x9a0 [ 122.659488][ T5486] handle_mm_fault+0x2376/0x62b0 [ 122.664520][ T5486] ? handle_mm_fault+0x11d/0x62b0 [ 122.670082][ T5486] ? numa_migrate_prep+0x380/0x380 [ 122.675208][ T5486] ? mtree_range_walk+0x6a0/0x7e0 [ 122.680229][ T5486] ? lock_vma_under_rcu+0x187/0x6f0 [ 122.685421][ T5486] ? __lock_acquire+0x7f70/0x7f70 [ 122.690455][ T5486] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 122.695838][ T5486] ? lock_vma_under_rcu+0x5df/0x6f0 [ 122.701062][ T5486] ? lock_vma_under_rcu+0x187/0x6f0 [ 122.706265][ T5486] ? exc_page_fault+0x10f/0x860 [ 122.711110][ T5486] exc_page_fault+0x455/0x860 [ 122.715957][ T5486] asm_exc_page_fault+0x26/0x30 [ 122.720797][ T5486] RIP: 0033:0x7f794735bc53 [ 122.725292][ T5486] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 122.744889][ T5486] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 122.750965][ T5486] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 122.758923][ T5486] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 122.766961][ T5486] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 122.775107][ T5486] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [pid 5485] munmap(0x7f793ef10000, 2028777) = 0 [pid 5485] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5485] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5485] close(3) = 0 [pid 5485] mkdir("./file0", 0777) = 0 [pid 5485] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5485] ioctl(6, LOOP_CLR_FD [pid 5486] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5486] munmap(0x7f7936b10000, 2097152) = 0 [pid 5486] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5486] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5486] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5486] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5486] close(3) = 0 [ 122.783163][ T5486] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 122.791152][ T5486] [ 122.794635][ T5486] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 122.809193][ T5485] loop0: detected capacity change from 0 to 3962 [pid 5486] close(5) = 0 [pid 5486] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5484] <... futex resumed>) = 0 [pid 5486] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5485] <... ioctl resumed>) = 0 [pid 5485] close(6) = 0 [pid 5485] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5485] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5484] exit_group(0 [pid 5486] <... futex resumed>) = ? [pid 5486] +++ exited with 0 +++ [pid 5485] <... futex resumed>) = ? [pid 5485] +++ exited with 0 +++ [pid 5484] <... exit_group resumed>) = ? [pid 5484] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5484, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=12 /* 0.12 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./148", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./148", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./148/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./148/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./148/binderfs") = 0 umount2("./148/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./148/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./148/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./148/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./148/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./148") = 0 mkdir("./149", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [ 122.876346][ T5238] I/O error, dev loop0, sector 3712 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5487 attached , child_tidptr=0x555555f17690) = 5487 [pid 5487] set_robust_list(0x555555f176a0, 24) = 0 [pid 5487] chdir("./149") = 0 [pid 5487] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5487] setpgid(0, 0) = 0 [pid 5487] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5487] write(3, "1000", 4) = 4 [pid 5487] close(3) = 0 [pid 5487] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5487] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5487] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5487] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5487] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5487] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5487] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5487] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5488 attached [pid 5488] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5487] <... clone3 resumed> => {parent_tid=[5488]}, 88) = 5488 [pid 5488] set_robust_list(0x7f79473519a0, 24 [pid 5487] rt_sigprocmask(SIG_SETMASK, [], [pid 5488] <... set_robust_list resumed>) = 0 [pid 5487] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5488] rt_sigprocmask(SIG_SETMASK, [], [pid 5487] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5488] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5487] <... futex resumed>) = 0 [pid 5487] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5488] memfd_create("syzkaller", 0 [pid 5487] <... futex resumed>) = 0 [pid 5487] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5487] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5488] <... memfd_create resumed>) = 3 [pid 5487] <... mprotect resumed>) = 0 [pid 5488] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5487] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5488] <... mmap resumed>) = 0x7f793ef10000 [pid 5487] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5489 attached [pid 5489] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5487] <... clone3 resumed> => {parent_tid=[5489]}, 88) = 5489 [pid 5489] <... rseq resumed>) = 0 [pid 5487] rt_sigprocmask(SIG_SETMASK, [], [pid 5489] set_robust_list(0x7f79473309a0, 24 [pid 5487] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5489] <... set_robust_list resumed>) = 0 [pid 5487] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5489] rt_sigprocmask(SIG_SETMASK, [], [pid 5487] <... futex resumed>) = 0 [pid 5489] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5487] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5489] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5489] write(4, "85", 2) = 2 [pid 5489] memfd_create("syzkaller", 0) = 5 [pid 5489] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5488] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 122.980314][ T5489] FAULT_INJECTION: forcing a failure. [ 122.980314][ T5489] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 122.994094][ T5489] CPU: 1 PID: 5489 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 123.004635][ T5489] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 123.015325][ T5489] Call Trace: [ 123.018606][ T5489] [ 123.021541][ T5489] dump_stack_lvl+0x1e7/0x2d0 [ 123.026221][ T5489] ? nf_tcp_handle_invalid+0x650/0x650 [ 123.031679][ T5489] ? panic+0x770/0x770 [ 123.035763][ T5489] should_fail_ex+0x3aa/0x4e0 [ 123.040537][ T5489] prepare_alloc_pages+0x1d9/0x5b0 [ 123.045654][ T5489] __alloc_pages+0x165/0x670 [ 123.050256][ T5489] ? zone_statistics+0x170/0x170 [ 123.055206][ T5489] ? verify_lock_unused+0x140/0x140 [ 123.060401][ T5489] ? handle_mm_fault+0x11d/0x62b0 [ 123.065421][ T5489] ? __lock_acquire+0x7f70/0x7f70 [ 123.070436][ T5489] ? pte_offset_map_nolock+0x137/0x1e0 [ 123.075893][ T5489] __folio_alloc+0x13/0x30 [ 123.080311][ T5489] vma_alloc_folio+0x48a/0x9a0 [ 123.085071][ T5489] handle_mm_fault+0x2376/0x62b0 [ 123.090013][ T5489] ? handle_mm_fault+0x11d/0x62b0 [ 123.095041][ T5489] ? numa_migrate_prep+0x380/0x380 [ 123.100154][ T5489] ? mtree_range_walk+0x6a0/0x7e0 [ 123.105186][ T5489] ? lock_vma_under_rcu+0x187/0x6f0 [ 123.110407][ T5489] ? __lock_acquire+0x7f70/0x7f70 [ 123.115449][ T5489] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 123.120665][ T5489] ? lock_vma_under_rcu+0x5df/0x6f0 [ 123.125868][ T5489] ? lock_vma_under_rcu+0x187/0x6f0 [ 123.131081][ T5489] ? exc_page_fault+0x10f/0x860 [ 123.135934][ T5489] exc_page_fault+0x455/0x860 [ 123.140617][ T5489] asm_exc_page_fault+0x26/0x30 [ 123.145486][ T5489] RIP: 0033:0x7f794735bc53 [ 123.150417][ T5489] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 123.170016][ T5489] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 123.176079][ T5489] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 123.184046][ T5489] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 123.192009][ T5489] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 123.199978][ T5489] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 123.207942][ T5489] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 123.215934][ T5489] [ 123.219501][ T5489] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5488] munmap(0x7f793ef10000, 2097152) = 0 [pid 5488] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5488] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5488] close(3) = 0 [pid 5488] mkdir("./file0", 0777) = 0 [pid 5488] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5488] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5488] chdir("./file0" [pid 5489] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5488] <... chdir resumed>) = 0 [pid 5488] ioctl(6, LOOP_CLR_FD) = 0 [pid 5488] close(6) = 0 [pid 5488] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5488] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5489] <... write resumed>) = 2097152 [ 123.229951][ T5488] loop0: detected capacity change from 0 to 4096 [ 123.245278][ T5488] ntfs: volume version 12.0. [pid 5489] munmap(0x7f7936b10000, 2097152) = 0 [pid 5489] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5489] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5489] ioctl(6, LOOP_CLR_FD) = 0 [pid 5489] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5489] close(6) = 0 [pid 5489] close(5) = 0 [pid 5489] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5487] <... futex resumed>) = 0 [pid 5489] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5487] exit_group(0) = ? [pid 5489] <... futex resumed>) = ? [pid 5488] <... futex resumed>) = ? [pid 5489] +++ exited with 0 +++ [pid 5488] +++ exited with 0 +++ [pid 5487] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5487, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=14 /* 0.14 s */} --- umount2("./149", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./149", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./149/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./149/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./149/binderfs") = 0 umount2("./149/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./149/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./149/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./149/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./149/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./149/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./149") = 0 mkdir("./150", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5490 attached , child_tidptr=0x555555f17690) = 5490 [pid 5490] set_robust_list(0x555555f176a0, 24) = 0 [pid 5490] chdir("./150") = 0 [pid 5490] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5490] setpgid(0, 0) = 0 [pid 5490] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5490] write(3, "1000", 4) = 4 [pid 5490] close(3) = 0 [pid 5490] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5490] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5490] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5490] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5490] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5490] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5490] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5490] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5491 attached => {parent_tid=[5491]}, 88) = 5491 [pid 5490] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5490] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5490] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5490] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5491] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5490] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5491] <... rseq resumed>) = 0 [pid 5491] set_robust_list(0x7f79473519a0, 24 [pid 5490] <... mprotect resumed>) = 0 [pid 5491] <... set_robust_list resumed>) = 0 [pid 5491] rt_sigprocmask(SIG_SETMASK, [], [pid 5490] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5491] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5490] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5491] memfd_create("syzkaller", 0 [pid 5490] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5492 attached [pid 5491] <... memfd_create resumed>) = 3 [pid 5492] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5491] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5490] <... clone3 resumed> => {parent_tid=[5492]}, 88) = 5492 [pid 5492] set_robust_list(0x7f79473309a0, 24 [pid 5491] <... mmap resumed>) = 0x7f793ef10000 [pid 5490] rt_sigprocmask(SIG_SETMASK, [], [pid 5492] <... set_robust_list resumed>) = 0 [pid 5492] rt_sigprocmask(SIG_SETMASK, [], [pid 5490] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5492] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5490] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5492] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5491] munmap(0x7f793ef10000, 138412032 [pid 5490] <... futex resumed>) = 0 [pid 5490] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5492] <... openat resumed>) = 4 [pid 5492] write(4, "85", 2) = 2 [pid 5492] memfd_create("syzkaller", 0) = 5 [pid 5492] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5491] <... munmap resumed>) = 0 [pid 5491] close(3) = 0 [pid 5491] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 123.397020][ T5492] FAULT_INJECTION: forcing a failure. [ 123.397020][ T5492] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 123.411076][ T5492] CPU: 0 PID: 5492 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 123.421479][ T5492] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 123.431544][ T5492] Call Trace: [ 123.434828][ T5492] [ 123.437750][ T5492] dump_stack_lvl+0x1e7/0x2d0 [ 123.442420][ T5492] ? nf_tcp_handle_invalid+0x650/0x650 [ 123.447878][ T5492] ? panic+0x770/0x770 [ 123.451946][ T5492] should_fail_ex+0x3aa/0x4e0 [ 123.456632][ T5492] prepare_alloc_pages+0x1d9/0x5b0 [ 123.461762][ T5492] __alloc_pages+0x165/0x670 [ 123.466358][ T5492] ? zone_statistics+0x170/0x170 [ 123.471388][ T5492] ? verify_lock_unused+0x140/0x140 [ 123.476595][ T5492] ? handle_mm_fault+0x11d/0x62b0 [ 123.481692][ T5492] ? __lock_acquire+0x7f70/0x7f70 [ 123.486707][ T5492] ? pte_offset_map_nolock+0x137/0x1e0 [ 123.492166][ T5492] __folio_alloc+0x13/0x30 [ 123.496575][ T5492] vma_alloc_folio+0x48a/0x9a0 [ 123.501337][ T5492] handle_mm_fault+0x2376/0x62b0 [ 123.506279][ T5492] ? handle_mm_fault+0x11d/0x62b0 [ 123.511923][ T5492] ? numa_migrate_prep+0x380/0x380 [ 123.517038][ T5492] ? mtree_range_walk+0x6a0/0x7e0 [ 123.522077][ T5492] ? lock_vma_under_rcu+0x187/0x6f0 [ 123.527289][ T5492] ? __lock_acquire+0x7f70/0x7f70 [ 123.532318][ T5492] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 123.537624][ T5492] ? lock_vma_under_rcu+0x5df/0x6f0 [ 123.542827][ T5492] ? lock_vma_under_rcu+0x187/0x6f0 [ 123.548030][ T5492] ? exc_page_fault+0x10f/0x860 [ 123.552876][ T5492] exc_page_fault+0x455/0x860 [ 123.557555][ T5492] asm_exc_page_fault+0x26/0x30 [ 123.562399][ T5492] RIP: 0033:0x7f794735bc53 [ 123.566899][ T5492] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 123.586498][ T5492] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5491] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5492] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5492] munmap(0x7f7936b10000, 2097152) = 0 [pid 5492] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 123.592567][ T5492] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 123.600552][ T5492] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 123.608537][ T5492] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 123.616511][ T5492] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 123.624479][ T5492] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 123.632457][ T5492] [ 123.635950][ T5492] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5492] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5492] close(5) = 0 [pid 5492] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5492] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5492] ioctl(3, LOOP_CLR_FD) = 0 [ 123.672378][ T5492] loop0: detected capacity change from 0 to 4096 [ 123.691032][ T5492] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 123.698158][ T5492] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5492] close(3) = 0 [pid 5492] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5490] <... futex resumed>) = 0 [pid 5492] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5490] exit_group(0) = ? [pid 5491] <... futex resumed>) = ? [pid 5492] <... futex resumed>) = ? [pid 5491] +++ exited with 0 +++ [pid 5492] +++ exited with 0 +++ [pid 5490] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5490, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=8 /* 0.08 s */} --- umount2("./150", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./150", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./150/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./150/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./150/binderfs") = 0 umount2("\x2e\x2f\x31\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./150") = 0 mkdir("./151", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5493 attached , child_tidptr=0x555555f17690) = 5493 [pid 5493] set_robust_list(0x555555f176a0, 24) = 0 [pid 5493] chdir("./151") = 0 [pid 5493] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5493] setpgid(0, 0) = 0 [pid 5493] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5493] write(3, "1000", 4) = 4 [pid 5493] close(3) = 0 [pid 5493] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5493] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5493] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5493] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5493] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5493] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5493] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5493] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5494 attached [pid 5494] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5494] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5494] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5494] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5493] <... clone3 resumed> => {parent_tid=[5494]}, 88) = 5494 [pid 5493] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5493] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5494] <... futex resumed>) = 0 [pid 5493] <... futex resumed>) = 1 [pid 5494] memfd_create("syzkaller", 0 [pid 5493] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5494] <... memfd_create resumed>) = 3 [pid 5494] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5493] <... futex resumed>) = 0 [pid 5493] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f793ef10000 [pid 5493] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5493] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5493] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5495 attached => {parent_tid=[5495]}, 88) = 5495 [pid 5495] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5495] set_robust_list(0x7f793ef309a0, 24 [pid 5493] rt_sigprocmask(SIG_SETMASK, [], [pid 5495] <... set_robust_list resumed>) = 0 [pid 5493] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5495] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5493] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5495] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5493] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5495] <... openat resumed>) = 4 [pid 5495] write(4, "85", 2) = 2 [pid 5495] memfd_create("syzkaller", 0) = 5 [pid 5495] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5494] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 123.859108][ T5495] FAULT_INJECTION: forcing a failure. [ 123.859108][ T5495] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 123.883957][ T5495] CPU: 0 PID: 5495 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 123.894423][ T5495] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 123.904477][ T5495] Call Trace: [ 123.907755][ T5495] [ 123.910685][ T5495] dump_stack_lvl+0x1e7/0x2d0 [ 123.915363][ T5495] ? nf_tcp_handle_invalid+0x650/0x650 [ 123.920816][ T5495] ? panic+0x770/0x770 [ 123.924888][ T5495] should_fail_ex+0x3aa/0x4e0 [ 123.929565][ T5495] prepare_alloc_pages+0x1d9/0x5b0 [ 123.934681][ T5495] __alloc_pages+0x165/0x670 [ 123.939289][ T5495] ? zone_statistics+0x170/0x170 [ 123.944226][ T5495] ? verify_lock_unused+0x140/0x140 [ 123.949419][ T5495] ? handle_mm_fault+0x11d/0x62b0 [ 123.954442][ T5495] ? __lock_acquire+0x7f70/0x7f70 [ 123.959455][ T5495] ? pte_offset_map_nolock+0x137/0x1e0 [ 123.964912][ T5495] __folio_alloc+0x13/0x30 [ 123.969330][ T5495] vma_alloc_folio+0x48a/0x9a0 [ 123.974092][ T5495] handle_mm_fault+0x2376/0x62b0 [ 123.979034][ T5495] ? handle_mm_fault+0x11d/0x62b0 [ 123.984063][ T5495] ? numa_migrate_prep+0x380/0x380 [ 123.989192][ T5495] ? mtree_range_walk+0x6a0/0x7e0 [ 123.994214][ T5495] ? lock_vma_under_rcu+0x187/0x6f0 [ 123.999413][ T5495] ? __lock_acquire+0x7f70/0x7f70 [ 124.004434][ T5495] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 124.009638][ T5495] ? lock_vma_under_rcu+0x5df/0x6f0 [ 124.014836][ T5495] ? lock_vma_under_rcu+0x187/0x6f0 [ 124.020163][ T5495] ? exc_page_fault+0x10f/0x860 [ 124.025019][ T5495] exc_page_fault+0x455/0x860 [ 124.029694][ T5495] asm_exc_page_fault+0x26/0x30 [ 124.034536][ T5495] RIP: 0033:0x7f794735bc53 [ 124.038945][ T5495] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 124.058544][ T5495] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [ 124.064608][ T5495] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 124.072683][ T5495] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 124.080669][ T5495] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 124.088645][ T5495] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 124.096708][ T5495] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 124.104808][ T5495] [pid 5494] munmap(0x7f793ef31000, 2097152 [pid 5495] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5494] <... munmap resumed>) = 0 [pid 5495] <... write resumed>) = 2097152 [pid 5494] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5495] munmap(0x7f7936b10000, 2097152 [ 124.108061][ T5495] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5494] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5494] close(3) = 0 [pid 5494] mkdir("./file0", 0777 [pid 5495] <... munmap resumed>) = 0 [pid 5494] <... mkdir resumed>) = 0 [pid 5494] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5495] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5495] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5495] ioctl(3, LOOP_CLR_FD) = 0 [pid 5495] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5495] close(3) = 0 [ 124.157316][ T5494] loop0: detected capacity change from 0 to 4096 [ 124.170861][ T5494] __ntfs_error: 183 callbacks suppressed [ 124.170873][ T5494] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 124.188629][ T5494] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5495] close(5) = 0 [pid 5495] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5495] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5493] <... futex resumed>) = 0 [ 124.203566][ T5494] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 124.218654][ T5494] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 124.229105][ T5494] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 124.238185][ T5494] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [pid 5494] <... mount resumed>) = 0 [pid 5494] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5494] chdir("./file0") = 0 [pid 5494] ioctl(6, LOOP_CLR_FD) = 0 [pid 5494] close(6) = 0 [pid 5494] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5494] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5493] exit_group(0 [pid 5495] <... futex resumed>) = ? [pid 5494] <... futex resumed>) = ? [pid 5493] <... exit_group resumed>) = ? [pid 5494] +++ exited with 0 +++ [pid 5495] +++ exited with 0 +++ [pid 5493] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5493, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=44 /* 0.44 s */} --- umount2("./151", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./151", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./151/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./151/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./151/binderfs") = 0 umount2("./151/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 [ 124.252061][ T5494] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 124.265363][ T5494] ntfs: volume version 12.0. [ 124.270627][ T5494] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 124.279412][ T5494] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 124.292736][ T5494] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. umount2("./151/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./151/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./151/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./151/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./151/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./151") = 0 mkdir("./152", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5496 attached , child_tidptr=0x555555f17690) = 5496 [pid 5496] set_robust_list(0x555555f176a0, 24) = 0 [pid 5496] chdir("./152") = 0 [pid 5496] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5496] setpgid(0, 0) = 0 [pid 5496] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5496] write(3, "1000", 4) = 4 [pid 5496] close(3) = 0 [pid 5496] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5496] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5496] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5496] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5496] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5496] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5496] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5496] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5497 attached => {parent_tid=[5497]}, 88) = 5497 [pid 5497] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5496] rt_sigprocmask(SIG_SETMASK, [], [pid 5497] set_robust_list(0x7f79473519a0, 24 [pid 5496] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5497] <... set_robust_list resumed>) = 0 [pid 5496] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5497] rt_sigprocmask(SIG_SETMASK, [], [pid 5496] <... futex resumed>) = 0 [pid 5497] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5496] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5496] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5496] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5497] memfd_create("syzkaller", 0 [pid 5496] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5497] <... memfd_create resumed>) = 3 [pid 5496] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5497] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 ./strace-static-x86_64: Process 5498 attached [pid 5498] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5498] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5498] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5498] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5496] <... clone3 resumed> => {parent_tid=[5498]}, 88) = 5498 [pid 5496] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5496] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5498] <... futex resumed>) = 0 [pid 5496] <... futex resumed>) = 1 [pid 5496] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5498] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5498] write(4, "85", 2) = 2 [pid 5498] memfd_create("syzkaller", 0) = 5 [pid 5498] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5497] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 124.412561][ T5498] FAULT_INJECTION: forcing a failure. [ 124.412561][ T5498] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 124.426009][ T5498] CPU: 1 PID: 5498 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 124.436448][ T5498] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 124.446517][ T5498] Call Trace: [ 124.449786][ T5498] [ 124.452720][ T5498] dump_stack_lvl+0x1e7/0x2d0 [ 124.457391][ T5498] ? nf_tcp_handle_invalid+0x650/0x650 [ 124.462842][ T5498] ? panic+0x770/0x770 [ 124.466925][ T5498] should_fail_ex+0x3aa/0x4e0 [ 124.471608][ T5498] prepare_alloc_pages+0x1d9/0x5b0 [ 124.476799][ T5498] __alloc_pages+0x165/0x670 [ 124.481379][ T5498] ? zone_statistics+0x170/0x170 [ 124.486305][ T5498] ? verify_lock_unused+0x140/0x140 [ 124.491493][ T5498] ? handle_mm_fault+0x11d/0x62b0 [ 124.496529][ T5498] ? __lock_acquire+0x7f70/0x7f70 [ 124.501538][ T5498] ? pte_offset_map_nolock+0x137/0x1e0 [ 124.507109][ T5498] __folio_alloc+0x13/0x30 [ 124.511513][ T5498] vma_alloc_folio+0x48a/0x9a0 [ 124.516267][ T5498] handle_mm_fault+0x2376/0x62b0 [ 124.521195][ T5498] ? handle_mm_fault+0x11d/0x62b0 [ 124.526386][ T5498] ? numa_migrate_prep+0x380/0x380 [ 124.531504][ T5498] ? mtree_range_walk+0x6a0/0x7e0 [ 124.536529][ T5498] ? lock_vma_under_rcu+0x187/0x6f0 [ 124.541719][ T5498] ? __lock_acquire+0x7f70/0x7f70 [ 124.546729][ T5498] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 124.551933][ T5498] ? lock_vma_under_rcu+0x5df/0x6f0 [ 124.557207][ T5498] ? lock_vma_under_rcu+0x187/0x6f0 [ 124.562409][ T5498] ? exc_page_fault+0x10f/0x860 [ 124.567245][ T5498] exc_page_fault+0x455/0x860 [ 124.571913][ T5498] asm_exc_page_fault+0x26/0x30 [ 124.576747][ T5498] RIP: 0033:0x7f794735bc53 [ 124.581148][ T5498] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 124.601273][ T5498] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5497] munmap(0x7f793ef10000, 2097152) = 0 [pid 5497] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 124.607335][ T5498] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 124.615292][ T5498] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 124.623245][ T5498] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 124.631199][ T5498] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 124.639157][ T5498] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 124.647117][ T5498] [ 124.652437][ T5498] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5497] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5497] close(3) = 0 [pid 5497] mkdir("./file0", 0777) = 0 [pid 5497] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5498] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5497] <... mount resumed>) = 0 [pid 5497] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5497] chdir("./file0") = 0 [pid 5497] ioctl(6, LOOP_CLR_FD [pid 5498] <... write resumed>) = 2097152 [pid 5497] <... ioctl resumed>) = 0 [pid 5497] close(6) = 0 [pid 5498] munmap(0x7f7936b10000, 2097152 [pid 5497] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5497] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5498] <... munmap resumed>) = 0 [pid 5498] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5498] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5498] ioctl(6, LOOP_CLR_FD) = 0 [pid 5498] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5498] close(6) = 0 [pid 5498] close(5) = 0 [pid 5498] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5496] <... futex resumed>) = 0 [ 124.666121][ T5497] loop0: detected capacity change from 0 to 4096 [ 124.696566][ T5497] ntfs: volume version 12.0. [pid 5496] exit_group(0 [pid 5497] <... futex resumed>) = ? [pid 5496] <... exit_group resumed>) = ? [pid 5497] +++ exited with 0 +++ [pid 5498] +++ exited with 0 +++ [pid 5496] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5496, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./152", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./152", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./152/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./152/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./152/binderfs") = 0 umount2("./152/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./152/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./152/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./152/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./152/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./152/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./152") = 0 mkdir("./153", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5499 ./strace-static-x86_64: Process 5499 attached [pid 5499] set_robust_list(0x555555f176a0, 24) = 0 [pid 5499] chdir("./153") = 0 [pid 5499] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5499] setpgid(0, 0) = 0 [pid 5499] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5499] write(3, "1000", 4) = 4 [pid 5499] close(3) = 0 [pid 5499] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5499] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5499] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5499] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5499] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5499] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5499] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5499] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5500]}, 88) = 5500 [pid 5499] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5499] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5499] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5499] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5499] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5499] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5499] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5501 attached [pid 5501] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5499] <... clone3 resumed> => {parent_tid=[5501]}, 88) = 5501 [pid 5501] set_robust_list(0x7f79473309a0, 24 [pid 5499] rt_sigprocmask(SIG_SETMASK, [], [pid 5501] <... set_robust_list resumed>) = 0 [pid 5499] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5501] rt_sigprocmask(SIG_SETMASK, [], [pid 5499] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5501] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5500 attached [pid 5501] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5499] <... futex resumed>) = 0 [pid 5499] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5501] <... openat resumed>) = 3 [pid 5500] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5501] write(3, "85", 2 [pid 5500] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5501] <... write resumed>) = 2 [pid 5500] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5501] memfd_create("syzkaller", 0) = 4 [pid 5501] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5500] memfd_create("syzkaller", 0 [pid 5501] <... mmap resumed>) = 0x7f793ef10000 [pid 5500] <... memfd_create resumed>) = 5 [pid 5500] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 124.821980][ T5501] FAULT_INJECTION: forcing a failure. [ 124.821980][ T5501] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 124.835633][ T5501] CPU: 1 PID: 5501 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 124.846087][ T5501] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 124.856158][ T5501] Call Trace: [ 124.859448][ T5501] [ 124.862373][ T5501] dump_stack_lvl+0x1e7/0x2d0 [ 124.867062][ T5501] ? nf_tcp_handle_invalid+0x650/0x650 [ 124.872513][ T5501] ? panic+0x770/0x770 [ 124.876591][ T5501] should_fail_ex+0x3aa/0x4e0 [ 124.881269][ T5501] prepare_alloc_pages+0x1d9/0x5b0 [ 124.886389][ T5501] __alloc_pages+0x165/0x670 [ 124.890976][ T5501] ? zone_statistics+0x170/0x170 [ 124.896173][ T5501] ? verify_lock_unused+0x140/0x140 [ 124.901388][ T5501] ? handle_mm_fault+0x11d/0x62b0 [ 124.906420][ T5501] ? __lock_acquire+0x7f70/0x7f70 [ 124.911448][ T5501] ? pte_offset_map_nolock+0x137/0x1e0 [ 124.916909][ T5501] __folio_alloc+0x13/0x30 [ 124.921347][ T5501] vma_alloc_folio+0x48a/0x9a0 [ 124.926132][ T5501] handle_mm_fault+0x2376/0x62b0 [ 124.931099][ T5501] ? handle_mm_fault+0x11d/0x62b0 [ 124.936145][ T5501] ? numa_migrate_prep+0x380/0x380 [ 124.941266][ T5501] ? mtree_range_walk+0x6a0/0x7e0 [ 124.946295][ T5501] ? lock_vma_under_rcu+0x187/0x6f0 [ 124.951491][ T5501] ? __lock_acquire+0x7f70/0x7f70 [ 124.956510][ T5501] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 124.961719][ T5501] ? lock_vma_under_rcu+0x5df/0x6f0 [ 124.966916][ T5501] ? lock_vma_under_rcu+0x187/0x6f0 [ 124.972151][ T5501] ? exc_page_fault+0x10f/0x860 [ 124.977436][ T5501] exc_page_fault+0x455/0x860 [ 124.982116][ T5501] asm_exc_page_fault+0x26/0x30 [ 124.987138][ T5501] RIP: 0033:0x7f794735bc53 [ 124.991555][ T5501] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 125.011254][ T5501] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5500] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5501] munmap(0x7f793ef10000, 138412032 [pid 5500] <... write resumed>) = 2097152 [pid 5500] munmap(0x7f7936b10000, 2097152 [pid 5501] <... munmap resumed>) = 0 [pid 5501] close(4) = 0 [pid 5501] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5501] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5499] <... futex resumed>) = 0 [pid 5500] <... munmap resumed>) = 0 [pid 5500] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 125.017316][ T5501] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 125.025321][ T5501] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 125.033420][ T5501] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 125.041446][ T5501] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 125.049437][ T5501] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 125.059261][ T5501] [ 125.063890][ T5501] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5500] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5500] close(5) = 0 [pid 5500] mkdir("./file0", 0777) = 0 [pid 5500] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5500] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5500] chdir("./file0") = 0 [pid 5500] ioctl(4, LOOP_CLR_FD) = 0 [pid 5500] close(4) = 0 [pid 5500] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5500] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5499] exit_group(0 [pid 5501] <... futex resumed>) = ? [pid 5500] <... futex resumed>) = ? [pid 5499] <... exit_group resumed>) = ? [pid 5501] +++ exited with 0 +++ [pid 5500] +++ exited with 0 +++ [pid 5499] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5499, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=30 /* 0.30 s */} --- umount2("./153", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./153", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./153/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./153/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./153/binderfs") = 0 umount2("./153/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./153/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./153/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./153/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./153/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./153/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./153") = 0 mkdir("./154", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5502 attached , child_tidptr=0x555555f17690) = 5502 [pid 5502] set_robust_list(0x555555f176a0, 24) = 0 [pid 5502] chdir("./154") = 0 [pid 5502] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5502] setpgid(0, 0) = 0 [pid 5502] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5502] write(3, "1000", 4) = 4 [pid 5502] close(3) = 0 [pid 5502] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5502] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5502] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5502] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5502] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5502] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5502] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5502] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5503 attached [ 125.096670][ T5500] loop0: detected capacity change from 0 to 4096 [ 125.109274][ T5500] ntfs: volume version 12.0. => {parent_tid=[5503]}, 88) = 5503 [pid 5502] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5502] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5502] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5502] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5502] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5502] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5502] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5504 attached [pid 5503] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5504] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5503] <... rseq resumed>) = 0 [pid 5504] <... rseq resumed>) = 0 [pid 5503] set_robust_list(0x7f79473519a0, 24 [pid 5504] set_robust_list(0x7f79473309a0, 24 [pid 5503] <... set_robust_list resumed>) = 0 [pid 5504] <... set_robust_list resumed>) = 0 [pid 5503] rt_sigprocmask(SIG_SETMASK, [], [pid 5504] rt_sigprocmask(SIG_SETMASK, [], [pid 5503] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5504] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5502] <... clone3 resumed> => {parent_tid=[5504]}, 88) = 5504 [pid 5502] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5502] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5502] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5503] memfd_create("syzkaller", 0 [pid 5504] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5503] <... memfd_create resumed>) = 3 [pid 5504] write(4, "85", 2 [pid 5503] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5503] munmap(0x7f793ef10000, 138412032) = 0 [pid 5504] <... write resumed>) = 2 [pid 5503] close(3 [pid 5504] memfd_create("syzkaller", 0 [pid 5503] <... close resumed>) = 0 [pid 5503] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5504] <... memfd_create resumed>) = 3 [pid 5503] <... futex resumed>) = 0 [pid 5503] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5504] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 125.178071][ T5504] FAULT_INJECTION: forcing a failure. [ 125.178071][ T5504] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 125.191834][ T5504] CPU: 0 PID: 5504 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 125.202282][ T5504] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 125.212365][ T5504] Call Trace: [ 125.215652][ T5504] [ 125.218594][ T5504] dump_stack_lvl+0x1e7/0x2d0 [ 125.224079][ T5504] ? nf_tcp_handle_invalid+0x650/0x650 [ 125.229549][ T5504] ? panic+0x770/0x770 [ 125.233623][ T5504] should_fail_ex+0x3aa/0x4e0 [ 125.238302][ T5504] prepare_alloc_pages+0x1d9/0x5b0 [ 125.243506][ T5504] __alloc_pages+0x165/0x670 [ 125.248096][ T5504] ? zone_statistics+0x170/0x170 [ 125.253036][ T5504] ? verify_lock_unused+0x140/0x140 [ 125.258246][ T5504] ? handle_mm_fault+0x11d/0x62b0 [ 125.263283][ T5504] ? __lock_acquire+0x7f70/0x7f70 [ 125.268339][ T5504] ? pte_offset_map_nolock+0x137/0x1e0 [ 125.273815][ T5504] __folio_alloc+0x13/0x30 [ 125.278267][ T5504] vma_alloc_folio+0x48a/0x9a0 [ 125.283032][ T5504] handle_mm_fault+0x2376/0x62b0 [ 125.288058][ T5504] ? handle_mm_fault+0x11d/0x62b0 [ 125.293100][ T5504] ? numa_migrate_prep+0x380/0x380 [ 125.298231][ T5504] ? mtree_range_walk+0x6a0/0x7e0 [ 125.303273][ T5504] ? lock_vma_under_rcu+0x187/0x6f0 [ 125.308483][ T5504] ? __lock_acquire+0x7f70/0x7f70 [ 125.313546][ T5504] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 125.318773][ T5504] ? lock_vma_under_rcu+0x5df/0x6f0 [ 125.324055][ T5504] ? lock_vma_under_rcu+0x187/0x6f0 [ 125.329270][ T5504] ? exc_page_fault+0x10f/0x860 [ 125.334138][ T5504] exc_page_fault+0x455/0x860 [ 125.338830][ T5504] asm_exc_page_fault+0x26/0x30 [ 125.343724][ T5504] RIP: 0033:0x7f794735bd00 [ 125.348132][ T5504] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 125.367830][ T5504] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5504] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5504] munmap(0x7f793ef10000, 2097152) = 0 [pid 5504] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 125.373947][ T5504] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 125.382045][ T5504] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 125.390118][ T5504] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 125.398100][ T5504] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 125.406150][ T5504] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 125.414243][ T5504] [ 125.417551][ T5504] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5504] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5504] close(3) = 0 [pid 5504] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5504] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5504] ioctl(5, LOOP_CLR_FD) = 0 [pid 5504] close(5) = 0 [ 125.459855][ T5504] loop0: detected capacity change from 0 to 4096 [ 125.478721][ T5504] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 125.485858][ T5504] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5504] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5502] <... futex resumed>) = 0 [pid 5502] exit_group(0 [pid 5504] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5503] <... futex resumed>) = ? [pid 5504] +++ exited with 0 +++ [pid 5503] +++ exited with 0 +++ [pid 5502] <... exit_group resumed>) = ? [pid 5502] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5502, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- umount2("./154", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./154", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./154/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./154/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./154/binderfs") = 0 umount2("\x2e\x2f\x31\x35\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x35\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x35\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x35\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x35\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./154") = 0 mkdir("./155", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5505 ./strace-static-x86_64: Process 5505 attached [pid 5505] set_robust_list(0x555555f176a0, 24) = 0 [pid 5505] chdir("./155") = 0 [pid 5505] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5505] setpgid(0, 0) = 0 [pid 5505] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5505] write(3, "1000", 4) = 4 [pid 5505] close(3) = 0 [pid 5505] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5505] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5505] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5505] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5505] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5505] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5505] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5505] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5506 attached => {parent_tid=[5506]}, 88) = 5506 [pid 5506] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5505] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5505] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5505] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5505] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5505] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5506] <... rseq resumed>) = 0 [pid 5506] set_robust_list(0x7f79473519a0, 24 [pid 5505] <... mprotect resumed>) = 0 [pid 5506] <... set_robust_list resumed>) = 0 [pid 5506] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5505] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5505] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5507 attached [pid 5507] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5505] <... clone3 resumed> => {parent_tid=[5507]}, 88) = 5507 [pid 5507] set_robust_list(0x7f79473309a0, 24 [pid 5505] rt_sigprocmask(SIG_SETMASK, [], [pid 5507] <... set_robust_list resumed>) = 0 [pid 5505] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5507] rt_sigprocmask(SIG_SETMASK, [], [pid 5506] memfd_create("syzkaller", 0 [pid 5505] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5507] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5507] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5506] <... memfd_create resumed>) = 3 [pid 5505] <... futex resumed>) = 0 [pid 5505] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5506] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5506] munmap(0x7f793ef10000, 138412032 [pid 5507] <... openat resumed>) = 4 [pid 5506] <... munmap resumed>) = 0 [pid 5507] write(4, "85", 2) = 2 [pid 5507] memfd_create("syzkaller", 0) = 5 [pid 5506] close(3 [pid 5507] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5506] <... close resumed>) = 0 [pid 5506] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 125.608565][ T5507] FAULT_INJECTION: forcing a failure. [ 125.608565][ T5507] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 125.622217][ T5507] CPU: 0 PID: 5507 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 125.632647][ T5507] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 125.642704][ T5507] Call Trace: [ 125.646068][ T5507] [ 125.648994][ T5507] dump_stack_lvl+0x1e7/0x2d0 [ 125.653671][ T5507] ? nf_tcp_handle_invalid+0x650/0x650 [ 125.659129][ T5507] ? panic+0x770/0x770 [ 125.663203][ T5507] should_fail_ex+0x3aa/0x4e0 [ 125.667880][ T5507] prepare_alloc_pages+0x1d9/0x5b0 [ 125.672993][ T5507] __alloc_pages+0x165/0x670 [ 125.677671][ T5507] ? zone_statistics+0x170/0x170 [ 125.682772][ T5507] ? verify_lock_unused+0x140/0x140 [ 125.687963][ T5507] ? handle_mm_fault+0x11d/0x62b0 [ 125.692985][ T5507] ? __lock_acquire+0x7f70/0x7f70 [ 125.698035][ T5507] ? pte_offset_map_nolock+0x137/0x1e0 [ 125.703501][ T5507] __folio_alloc+0x13/0x30 [ 125.707912][ T5507] vma_alloc_folio+0x48a/0x9a0 [ 125.712672][ T5507] handle_mm_fault+0x2376/0x62b0 [ 125.717615][ T5507] ? handle_mm_fault+0x11d/0x62b0 [ 125.722646][ T5507] ? numa_migrate_prep+0x380/0x380 [ 125.727763][ T5507] ? mtree_range_walk+0x6a0/0x7e0 [ 125.732790][ T5507] ? lock_vma_under_rcu+0x187/0x6f0 [ 125.737985][ T5507] ? __lock_acquire+0x7f70/0x7f70 [ 125.743000][ T5507] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 125.748205][ T5507] ? lock_vma_under_rcu+0x5df/0x6f0 [ 125.753401][ T5507] ? lock_vma_under_rcu+0x187/0x6f0 [ 125.758604][ T5507] ? exc_page_fault+0x10f/0x860 [ 125.763452][ T5507] exc_page_fault+0x455/0x860 [ 125.768133][ T5507] asm_exc_page_fault+0x26/0x30 [ 125.773060][ T5507] RIP: 0033:0x7f794735bd00 [ 125.777467][ T5507] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 125.797066][ T5507] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5506] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5507] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5507] munmap(0x7f793ef10000, 2097152) = 0 [pid 5507] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 125.803131][ T5507] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 125.811099][ T5507] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 125.819066][ T5507] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 125.827027][ T5507] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 125.834986][ T5507] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 125.842978][ T5507] [pid 5507] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5507] close(5) = 0 [pid 5507] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5507] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5507] ioctl(3, LOOP_CLR_FD) = 0 [pid 5507] close(3) = 0 [pid 5507] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5505] <... futex resumed>) = 0 [pid 5507] <... futex resumed>) = 1 [pid 5507] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5505] exit_group(0 [pid 5506] <... futex resumed>) = ? [pid 5505] <... exit_group resumed>) = ? [pid 5507] <... futex resumed>) = ? [pid 5507] +++ exited with 0 +++ [ 125.879587][ T5507] loop0: detected capacity change from 0 to 4096 [ 125.898453][ T5507] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 125.905542][ T5507] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5506] +++ exited with 0 +++ [pid 5505] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5505, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- umount2("./155", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./155", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./155/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./155/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./155/binderfs") = 0 umount2("\x2e\x2f\x31\x35\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x35\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x35\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x35\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x35\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./155") = 0 mkdir("./156", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5508 attached , child_tidptr=0x555555f17690) = 5508 [pid 5508] set_robust_list(0x555555f176a0, 24) = 0 [pid 5508] chdir("./156") = 0 [pid 5508] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5508] setpgid(0, 0) = 0 [pid 5508] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5508] write(3, "1000", 4) = 4 [pid 5508] close(3) = 0 [pid 5508] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5508] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5508] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5508] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5508] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5508] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5508] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5508] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5509 attached => {parent_tid=[5509]}, 88) = 5509 [pid 5509] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5508] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5508] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5508] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5508] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5509] set_robust_list(0x7f79473519a0, 24 [pid 5508] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5508] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5508] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5509] <... set_robust_list resumed>) = 0 [pid 5509] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5508] <... clone3 resumed> => {parent_tid=[5510]}, 88) = 5510 [pid 5508] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5508] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5510 attached [pid 5508] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5510] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5510] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5510] rt_sigprocmask(SIG_SETMASK, [], [pid 5509] memfd_create("syzkaller", 0 [pid 5510] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5509] <... memfd_create resumed>) = 3 [pid 5509] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5510] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5510] write(4, "85", 2) = 2 [pid 5510] memfd_create("syzkaller", 0 [pid 5509] munmap(0x7f793ef10000, 138412032 [pid 5510] <... memfd_create resumed>) = 5 [pid 5510] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5509] <... munmap resumed>) = 0 [pid 5510] <... mmap resumed>) = 0x7f793ef10000 [pid 5509] close(3) = 0 [pid 5509] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 126.039405][ T5510] FAULT_INJECTION: forcing a failure. [ 126.039405][ T5510] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 126.052924][ T5510] CPU: 1 PID: 5510 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 126.063351][ T5510] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 126.073434][ T5510] Call Trace: [ 126.076726][ T5510] [ 126.079650][ T5510] dump_stack_lvl+0x1e7/0x2d0 [ 126.084334][ T5510] ? nf_tcp_handle_invalid+0x650/0x650 [ 126.089800][ T5510] ? panic+0x770/0x770 [ 126.093877][ T5510] should_fail_ex+0x3aa/0x4e0 [ 126.098563][ T5510] prepare_alloc_pages+0x1d9/0x5b0 [ 126.103684][ T5510] __alloc_pages+0x165/0x670 [ 126.108378][ T5510] ? zone_statistics+0x170/0x170 [ 126.113330][ T5510] ? verify_lock_unused+0x140/0x140 [ 126.118659][ T5510] ? handle_mm_fault+0x11d/0x62b0 [ 126.123694][ T5510] ? __lock_acquire+0x7f70/0x7f70 [ 126.128721][ T5510] ? pte_offset_map_nolock+0x137/0x1e0 [ 126.134192][ T5510] __folio_alloc+0x13/0x30 [ 126.138609][ T5510] vma_alloc_folio+0x48a/0x9a0 [ 126.143383][ T5510] handle_mm_fault+0x2376/0x62b0 [ 126.148332][ T5510] ? handle_mm_fault+0x11d/0x62b0 [ 126.153363][ T5510] ? numa_migrate_prep+0x380/0x380 [ 126.158492][ T5510] ? mtree_range_walk+0x6a0/0x7e0 [ 126.163514][ T5510] ? lock_vma_under_rcu+0x187/0x6f0 [ 126.168712][ T5510] ? __lock_acquire+0x7f70/0x7f70 [ 126.173811][ T5510] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 126.179013][ T5510] ? lock_vma_under_rcu+0x5df/0x6f0 [ 126.184240][ T5510] ? lock_vma_under_rcu+0x187/0x6f0 [ 126.189443][ T5510] ? exc_page_fault+0x10f/0x860 [ 126.194292][ T5510] exc_page_fault+0x455/0x860 [ 126.199062][ T5510] asm_exc_page_fault+0x26/0x30 [ 126.203909][ T5510] RIP: 0033:0x7f794735bd00 [ 126.208321][ T5510] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 126.227937][ T5510] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5509] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5510] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5510] munmap(0x7f793ef10000, 2097152) = 0 [pid 5510] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 126.234001][ T5510] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 126.241969][ T5510] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 126.249937][ T5510] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 126.257904][ T5510] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 126.265871][ T5510] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 126.273848][ T5510] [pid 5510] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5510] close(5) = 0 [pid 5510] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5510] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 126.313989][ T5510] loop0: detected capacity change from 0 to 4096 [ 126.332843][ T5510] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 126.340156][ T5510] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5510] ioctl(3, LOOP_CLR_FD) = 0 [pid 5510] close(3) = 0 [pid 5510] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5508] <... futex resumed>) = 0 [pid 5508] exit_group(0) = ? [pid 5509] <... futex resumed>) = ? [pid 5509] +++ exited with 0 +++ [pid 5510] <... futex resumed>) = ? [pid 5510] +++ exited with 0 +++ [pid 5508] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5508, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- umount2("./156", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./156", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./156/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./156/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./156/binderfs") = 0 umount2("\x2e\x2f\x31\x35\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x35\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x35\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x35\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x35\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./156") = 0 mkdir("./157", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5511 attached , child_tidptr=0x555555f17690) = 5511 [pid 5511] set_robust_list(0x555555f176a0, 24) = 0 [pid 5511] chdir("./157") = 0 [pid 5511] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5511] setpgid(0, 0) = 0 [pid 5511] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5511] write(3, "1000", 4) = 4 [pid 5511] close(3) = 0 [pid 5511] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5511] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5511] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5511] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5511] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5511] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5511] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5511] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5512]}, 88) = 5512 [pid 5511] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5511] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5511] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5511] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5511] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5511] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5511] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5513 attached => {parent_tid=[5513]}, 88) = 5513 [pid 5513] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5511] rt_sigprocmask(SIG_SETMASK, [], [pid 5513] <... rseq resumed>) = 0 [pid 5511] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5513] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5511] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5513] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5511] <... futex resumed>) = 0 ./strace-static-x86_64: Process 5512 attached [pid 5511] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5512] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5512] set_robust_list(0x7f79473519a0, 24 [pid 5513] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5512] <... set_robust_list resumed>) = 0 [pid 5512] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5513] <... openat resumed>) = 3 [pid 5513] write(3, "85", 2) = 2 [pid 5513] memfd_create("syzkaller", 0) = 4 [pid 5512] memfd_create("syzkaller", 0 [pid 5513] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5512] <... memfd_create resumed>) = 5 [pid 5512] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 126.482841][ T5513] FAULT_INJECTION: forcing a failure. [ 126.482841][ T5513] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 126.496958][ T5513] CPU: 0 PID: 5513 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 126.507411][ T5513] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 126.517585][ T5513] Call Trace: [ 126.520868][ T5513] [ 126.523793][ T5513] dump_stack_lvl+0x1e7/0x2d0 [ 126.528473][ T5513] ? nf_tcp_handle_invalid+0x650/0x650 [ 126.534016][ T5513] ? panic+0x770/0x770 [ 126.538090][ T5513] should_fail_ex+0x3aa/0x4e0 [ 126.542768][ T5513] prepare_alloc_pages+0x1d9/0x5b0 [ 126.547883][ T5513] __alloc_pages+0x165/0x670 [ 126.552474][ T5513] ? zone_statistics+0x170/0x170 [ 126.557417][ T5513] ? verify_lock_unused+0x140/0x140 [ 126.562631][ T5513] ? handle_mm_fault+0x11d/0x62b0 [ 126.567657][ T5513] ? __lock_acquire+0x7f70/0x7f70 [ 126.573035][ T5513] ? pte_offset_map_nolock+0x137/0x1e0 [ 126.578491][ T5513] __folio_alloc+0x13/0x30 [ 126.582917][ T5513] vma_alloc_folio+0x48a/0x9a0 [ 126.587682][ T5513] handle_mm_fault+0x2376/0x62b0 [ 126.592812][ T5513] ? handle_mm_fault+0x11d/0x62b0 [ 126.597932][ T5513] ? numa_migrate_prep+0x380/0x380 [ 126.603065][ T5513] ? mtree_range_walk+0x6a0/0x7e0 [ 126.608181][ T5513] ? lock_vma_under_rcu+0x187/0x6f0 [ 126.613377][ T5513] ? __lock_acquire+0x7f70/0x7f70 [ 126.618482][ T5513] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 126.623710][ T5513] ? lock_vma_under_rcu+0x5df/0x6f0 [ 126.628909][ T5513] ? lock_vma_under_rcu+0x187/0x6f0 [ 126.634656][ T5513] ? exc_page_fault+0x10f/0x860 [ 126.639957][ T5513] exc_page_fault+0x455/0x860 [ 126.644754][ T5513] asm_exc_page_fault+0x26/0x30 [ 126.649604][ T5513] RIP: 0033:0x7f794735bc53 [ 126.654135][ T5513] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 126.673735][ T5513] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [ 126.679812][ T5513] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 126.687776][ T5513] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 126.695919][ T5513] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 126.704072][ T5513] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 126.712210][ T5513] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 126.720244][ T5513] [pid 5512] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5512] munmap(0x7f7936b10000, 2097152) = 0 [pid 5512] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5512] ioctl(6, LOOP_SET_FD, 5) = 0 [pid 5513] munmap(0x7f793ef10000, 138412032 [pid 5512] close(5) = 0 [pid 5512] mkdir("./file0", 0777) = 0 [pid 5512] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5513] <... munmap resumed>) = 0 [pid 5513] close(4) = 0 [pid 5513] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5513] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5511] <... futex resumed>) = 0 [pid 5512] <... mount resumed>) = 0 [pid 5512] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5512] chdir("./file0") = 0 [pid 5512] ioctl(6, LOOP_CLR_FD) = 0 [pid 5512] close(6) = 0 [pid 5512] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5512] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5511] exit_group(0) = ? [pid 5513] <... futex resumed>) = ? [pid 5513] +++ exited with 0 +++ [pid 5512] <... futex resumed>) = ? [pid 5512] +++ exited with 0 +++ [pid 5511] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5511, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./157", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./157", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./157/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./157/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./157/binderfs") = 0 umount2("./157/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./157/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./157/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./157/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./157/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./157/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 [ 126.728620][ T5513] pagefault_out_of_memory: 2 callbacks suppressed [ 126.728635][ T5513] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 126.750859][ T5512] loop0: detected capacity change from 0 to 4096 [ 126.767049][ T5512] ntfs: volume version 12.0. rmdir("./157") = 0 mkdir("./158", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5514 attached , child_tidptr=0x555555f17690) = 5514 [pid 5514] set_robust_list(0x555555f176a0, 24) = 0 [pid 5514] chdir("./158") = 0 [pid 5514] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5514] setpgid(0, 0) = 0 [pid 5514] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5514] write(3, "1000", 4) = 4 [pid 5514] close(3) = 0 [pid 5514] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5514] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5514] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5514] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5514] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5514] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5514] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5514] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5515]}, 88) = 5515 ./strace-static-x86_64: Process 5515 attached [pid 5514] rt_sigprocmask(SIG_SETMASK, [], [pid 5515] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5514] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5515] <... rseq resumed>) = 0 [pid 5514] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5514] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5514] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5515] set_robust_list(0x7f79473519a0, 24 [pid 5514] <... mmap resumed>) = 0x7f7947310000 [pid 5515] <... set_robust_list resumed>) = 0 [pid 5515] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5514] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5514] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5514] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5516 attached [pid 5516] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5515] memfd_create("syzkaller", 0 [pid 5516] <... rseq resumed>) = 0 [pid 5514] <... clone3 resumed> => {parent_tid=[5516]}, 88) = 5516 [pid 5516] set_robust_list(0x7f79473309a0, 24 [pid 5514] rt_sigprocmask(SIG_SETMASK, [], [pid 5516] <... set_robust_list resumed>) = 0 [pid 5514] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5516] rt_sigprocmask(SIG_SETMASK, [], [pid 5514] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5516] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5516] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5514] <... futex resumed>) = 0 [pid 5514] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5516] <... openat resumed>) = 3 [pid 5516] write(3, "85", 2) = 2 [pid 5516] memfd_create("syzkaller", 0) = 4 [pid 5516] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5515] <... memfd_create resumed>) = 5 [pid 5515] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5515] munmap(0x7f7936b10000, 138412032) = 0 [pid 5515] close(5) = 0 [pid 5515] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 126.839778][ T5516] FAULT_INJECTION: forcing a failure. [ 126.839778][ T5516] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 126.853452][ T5516] CPU: 1 PID: 5516 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 126.863908][ T5516] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 126.873993][ T5516] Call Trace: [ 126.877294][ T5516] [ 126.880243][ T5516] dump_stack_lvl+0x1e7/0x2d0 [ 126.884974][ T5516] ? nf_tcp_handle_invalid+0x650/0x650 [ 126.890464][ T5516] ? panic+0x770/0x770 [ 126.894555][ T5516] should_fail_ex+0x3aa/0x4e0 [ 126.899243][ T5516] prepare_alloc_pages+0x1d9/0x5b0 [ 126.904375][ T5516] __alloc_pages+0x165/0x670 [ 126.908994][ T5516] ? zone_statistics+0x170/0x170 [ 126.913947][ T5516] ? verify_lock_unused+0x140/0x140 [ 126.919134][ T5516] ? handle_mm_fault+0x11d/0x62b0 [ 126.924248][ T5516] ? __lock_acquire+0x7f70/0x7f70 [ 126.929286][ T5516] ? pte_offset_map_nolock+0x137/0x1e0 [ 126.934745][ T5516] __folio_alloc+0x13/0x30 [ 126.939154][ T5516] vma_alloc_folio+0x48a/0x9a0 [ 126.944026][ T5516] handle_mm_fault+0x2376/0x62b0 [ 126.948990][ T5516] ? handle_mm_fault+0x11d/0x62b0 [ 126.954058][ T5516] ? numa_migrate_prep+0x380/0x380 [ 126.959198][ T5516] ? mtree_range_walk+0x6a0/0x7e0 [ 126.964228][ T5516] ? lock_vma_under_rcu+0x187/0x6f0 [ 126.969433][ T5516] ? __lock_acquire+0x7f70/0x7f70 [ 126.974451][ T5516] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 126.979684][ T5516] ? lock_vma_under_rcu+0x5df/0x6f0 [ 126.984881][ T5516] ? lock_vma_under_rcu+0x187/0x6f0 [ 126.990089][ T5516] ? exc_page_fault+0x10f/0x860 [ 126.994972][ T5516] exc_page_fault+0x455/0x860 [ 126.999648][ T5516] asm_exc_page_fault+0x26/0x30 [ 127.004490][ T5516] RIP: 0033:0x7f794735bc53 [ 127.008905][ T5516] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 127.028512][ T5516] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5515] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5516] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5516] munmap(0x7f793ef10000, 2097152) = 0 [ 127.034574][ T5516] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 127.042536][ T5516] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 127.050498][ T5516] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 127.058460][ T5516] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 127.066423][ T5516] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 127.074400][ T5516] [ 127.078049][ T5516] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5516] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [pid 5516] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5516] close(4) = 0 [pid 5516] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5516] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5516] ioctl(5, LOOP_CLR_FD) = 0 [pid 5516] close(5) = 0 [pid 5516] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5514] <... futex resumed>) = 0 [ 127.122150][ T5516] loop0: detected capacity change from 0 to 4096 [ 127.143029][ T5516] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 127.150229][ T5516] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5514] exit_group(0 [pid 5516] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5514] <... exit_group resumed>) = ? [pid 5516] <... futex resumed>) = ? [pid 5516] +++ exited with 0 +++ [pid 5515] <... futex resumed>) = ? [pid 5515] +++ exited with 0 +++ [pid 5514] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5514, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./158", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./158", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./158/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./158/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./158/binderfs") = 0 umount2("\x2e\x2f\x31\x35\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x35\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x35\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x35\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x35\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./158") = 0 mkdir("./159", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5517 attached , child_tidptr=0x555555f17690) = 5517 [pid 5517] set_robust_list(0x555555f176a0, 24) = 0 [pid 5517] chdir("./159") = 0 [pid 5517] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5517] setpgid(0, 0) = 0 [pid 5517] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5517] write(3, "1000", 4) = 4 [pid 5517] close(3) = 0 [pid 5517] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5517] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5517] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5517] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5517] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5517] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5517] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5517] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5518 attached => {parent_tid=[5518]}, 88) = 5518 [pid 5517] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5517] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5517] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5517] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5517] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5517] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5517] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5519 attached [pid 5519] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5519] set_robust_list(0x7f79473309a0, 24 [pid 5517] <... clone3 resumed> => {parent_tid=[5519]}, 88) = 5519 [pid 5519] <... set_robust_list resumed>) = 0 [pid 5517] rt_sigprocmask(SIG_SETMASK, [], [pid 5519] rt_sigprocmask(SIG_SETMASK, [], [pid 5517] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5519] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5517] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5519] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5518] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5517] <... futex resumed>) = 0 [pid 5518] <... rseq resumed>) = 0 [pid 5518] set_robust_list(0x7f79473519a0, 24 [pid 5517] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5518] <... set_robust_list resumed>) = 0 [pid 5518] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5519] <... openat resumed>) = 3 [pid 5519] write(3, "85", 2) = 2 [pid 5519] memfd_create("syzkaller", 0) = 4 [pid 5518] memfd_create("syzkaller", 0) = 5 [pid 5518] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5519] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5518] <... mmap resumed>) = 0x7f793ef10000 [pid 5519] <... mmap resumed>) = 0x7f7936b10000 [ 127.266619][ T5519] FAULT_INJECTION: forcing a failure. [ 127.266619][ T5519] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 127.280344][ T5519] CPU: 1 PID: 5519 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 127.290770][ T5519] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 127.300820][ T5519] Call Trace: [ 127.304094][ T5519] [ 127.307107][ T5519] dump_stack_lvl+0x1e7/0x2d0 [ 127.311782][ T5519] ? nf_tcp_handle_invalid+0x650/0x650 [ 127.317238][ T5519] ? panic+0x770/0x770 [ 127.321311][ T5519] should_fail_ex+0x3aa/0x4e0 [ 127.325994][ T5519] prepare_alloc_pages+0x1d9/0x5b0 [ 127.331107][ T5519] __alloc_pages+0x165/0x670 [ 127.335699][ T5519] ? zone_statistics+0x170/0x170 [ 127.340646][ T5519] ? verify_lock_unused+0x140/0x140 [ 127.345894][ T5519] ? handle_mm_fault+0x11d/0x62b0 [ 127.350916][ T5519] ? __lock_acquire+0x7f70/0x7f70 [ 127.355931][ T5519] ? pte_offset_map_nolock+0x137/0x1e0 [ 127.361387][ T5519] __folio_alloc+0x13/0x30 [ 127.365808][ T5519] vma_alloc_folio+0x48a/0x9a0 [ 127.370571][ T5519] handle_mm_fault+0x2376/0x62b0 [ 127.375607][ T5519] ? handle_mm_fault+0x11d/0x62b0 [ 127.380641][ T5519] ? numa_migrate_prep+0x380/0x380 [ 127.385766][ T5519] ? mtree_range_walk+0x6a0/0x7e0 [ 127.390803][ T5519] ? lock_vma_under_rcu+0x187/0x6f0 [ 127.395995][ T5519] ? __lock_acquire+0x7f70/0x7f70 [ 127.401011][ T5519] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 127.406226][ T5519] ? lock_vma_under_rcu+0x5df/0x6f0 [ 127.411599][ T5519] ? lock_vma_under_rcu+0x187/0x6f0 [ 127.416802][ T5519] ? exc_page_fault+0x10f/0x860 [ 127.421647][ T5519] exc_page_fault+0x455/0x860 [ 127.426321][ T5519] asm_exc_page_fault+0x26/0x30 [ 127.431160][ T5519] RIP: 0033:0x7f794735bc53 [ 127.435566][ T5519] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 127.455170][ T5519] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 127.461232][ T5519] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 127.469194][ T5519] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 127.477154][ T5519] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 127.485118][ T5519] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 127.493101][ T5519] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 127.501080][ T5519] [pid 5518] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5518] munmap(0x7f793ef10000, 2097152) = 0 [pid 5518] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5518] ioctl(6, LOOP_SET_FD, 5 [pid 5519] munmap(0x7f7936b10000, 138412032 [pid 5518] <... ioctl resumed>) = 0 [pid 5518] close(5) = 0 [pid 5519] <... munmap resumed>) = 0 [pid 5518] mkdir("./file0", 0777 [pid 5519] close(4) = 0 [pid 5519] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5517] <... futex resumed>) = 0 [pid 5519] <... futex resumed>) = 1 [pid 5519] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5518] <... mkdir resumed>) = 0 [pid 5518] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5518] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5518] chdir("./file0") = 0 [pid 5518] ioctl(6, LOOP_CLR_FD) = 0 [pid 5518] close(6) = 0 [pid 5518] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5517] exit_group(0) = ? [pid 5518] <... futex resumed>) = ? [pid 5518] +++ exited with 0 +++ [pid 5519] <... futex resumed>) = ? [pid 5519] +++ exited with 0 +++ [pid 5517] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5517, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=33 /* 0.33 s */} --- umount2("./159", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./159", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./159/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./159/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./159/binderfs") = 0 umount2("./159/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./159/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./159/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./159/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./159/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 [ 127.510521][ T5519] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 127.531861][ T5518] loop0: detected capacity change from 0 to 4096 [ 127.547355][ T5518] ntfs: volume version 12.0. getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./159/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./159") = 0 mkdir("./160", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5520 attached , child_tidptr=0x555555f17690) = 5520 [pid 5520] set_robust_list(0x555555f176a0, 24) = 0 [pid 5520] chdir("./160") = 0 [pid 5520] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5520] setpgid(0, 0) = 0 [pid 5520] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5520] write(3, "1000", 4) = 4 [pid 5520] close(3) = 0 [pid 5520] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5520] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5520] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5520] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5520] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5520] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5520] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5520] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5521]}, 88) = 5521 ./strace-static-x86_64: Process 5521 attached [pid 5520] rt_sigprocmask(SIG_SETMASK, [], [pid 5521] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5520] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5521] set_robust_list(0x7f79473519a0, 24 [pid 5520] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5520] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5521] <... set_robust_list resumed>) = 0 [pid 5520] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5521] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5520] <... mmap resumed>) = 0x7f7947310000 [pid 5520] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5520] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5520] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5521] memfd_create("syzkaller", 0) = 3 ./strace-static-x86_64: Process 5522 attached [pid 5521] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5522] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5521] <... mmap resumed>) = 0x7f793ef10000 [pid 5520] <... clone3 resumed> => {parent_tid=[5522]}, 88) = 5522 [pid 5522] set_robust_list(0x7f79473309a0, 24 [pid 5520] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5520] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5520] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5522] <... set_robust_list resumed>) = 0 [pid 5522] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5522] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5522] write(4, "85", 2) = 2 [pid 5522] memfd_create("syzkaller", 0) = 5 [pid 5522] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5521] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 127.660769][ T5522] FAULT_INJECTION: forcing a failure. [ 127.660769][ T5522] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 127.674963][ T5522] CPU: 1 PID: 5522 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 127.685484][ T5522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 127.695544][ T5522] Call Trace: [ 127.698835][ T5522] [ 127.701755][ T5522] dump_stack_lvl+0x1e7/0x2d0 [ 127.706447][ T5522] ? nf_tcp_handle_invalid+0x650/0x650 [ 127.711898][ T5522] ? panic+0x770/0x770 [ 127.715968][ T5522] should_fail_ex+0x3aa/0x4e0 [ 127.720691][ T5522] prepare_alloc_pages+0x1d9/0x5b0 [ 127.725831][ T5522] __alloc_pages+0x165/0x670 [ 127.730434][ T5522] ? zone_statistics+0x170/0x170 [ 127.735371][ T5522] ? verify_lock_unused+0x140/0x140 [ 127.740570][ T5522] ? handle_mm_fault+0x11d/0x62b0 [ 127.745685][ T5522] ? __lock_acquire+0x7f70/0x7f70 [ 127.750707][ T5522] ? pte_offset_map_nolock+0x137/0x1e0 [ 127.756162][ T5522] __folio_alloc+0x13/0x30 [ 127.760574][ T5522] vma_alloc_folio+0x48a/0x9a0 [ 127.765596][ T5522] handle_mm_fault+0x2376/0x62b0 [ 127.770540][ T5522] ? handle_mm_fault+0x11d/0x62b0 [ 127.775590][ T5522] ? numa_migrate_prep+0x380/0x380 [ 127.780729][ T5522] ? mtree_range_walk+0x6a0/0x7e0 [ 127.785762][ T5522] ? lock_vma_under_rcu+0x187/0x6f0 [ 127.790960][ T5522] ? __lock_acquire+0x7f70/0x7f70 [ 127.795973][ T5522] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 127.801199][ T5522] ? lock_vma_under_rcu+0x5df/0x6f0 [ 127.806396][ T5522] ? lock_vma_under_rcu+0x187/0x6f0 [ 127.811597][ T5522] ? exc_page_fault+0x10f/0x860 [ 127.816443][ T5522] exc_page_fault+0x455/0x860 [ 127.821118][ T5522] asm_exc_page_fault+0x26/0x30 [ 127.825961][ T5522] RIP: 0033:0x7f794735bc53 [ 127.830368][ T5522] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 127.849970][ T5522] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5521] munmap(0x7f793ef10000, 2097152) = 0 [pid 5521] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 127.856030][ T5522] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 127.863993][ T5522] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 127.871975][ T5522] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 127.879938][ T5522] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 127.887901][ T5522] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 127.895876][ T5522] [ 127.899517][ T5522] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5521] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5521] close(3) = 0 [pid 5521] mkdir("./file0", 0777) = 0 [pid 5521] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5522] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5521] <... mount resumed>) = 0 [pid 5521] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5521] chdir("./file0") = 0 [pid 5521] ioctl(6, LOOP_CLR_FD) = 0 [pid 5521] close(6) = 0 [pid 5521] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5521] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5522] <... write resumed>) = 2097152 [pid 5522] munmap(0x7f7936b10000, 2097152) = 0 [pid 5522] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5522] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5522] ioctl(6, LOOP_CLR_FD) = 0 [pid 5522] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5522] close(6) = 0 [ 127.913746][ T5521] loop0: detected capacity change from 0 to 4096 [ 127.931200][ T5521] ntfs: volume version 12.0. [pid 5522] close(5) = 0 [pid 5522] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5520] <... futex resumed>) = 0 [pid 5522] <... futex resumed>) = 1 [pid 5520] exit_group(0 [pid 5522] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5521] <... futex resumed>) = ? [pid 5521] +++ exited with 0 +++ [pid 5520] <... exit_group resumed>) = ? [pid 5522] +++ exited with 0 +++ [pid 5520] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5520, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./160", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./160", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./160/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./160/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./160/binderfs") = 0 umount2("./160/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./160/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./160/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./160/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./160/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./160/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./160") = 0 mkdir("./161", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5523 attached , child_tidptr=0x555555f17690) = 5523 [pid 5523] set_robust_list(0x555555f176a0, 24) = 0 [pid 5523] chdir("./161") = 0 [pid 5523] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5523] setpgid(0, 0) = 0 [pid 5523] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5523] write(3, "1000", 4) = 4 [pid 5523] close(3) = 0 [pid 5523] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5523] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5523] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5523] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5523] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5523] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5523] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5523] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5524]}, 88) = 5524 [pid 5523] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5523] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5523] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5523] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0./strace-static-x86_64: Process 5524 attached [pid 5524] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5524] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5523] <... mmap resumed>) = 0x7f7947310000 [pid 5524] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5523] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5523] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5524] memfd_create("syzkaller", 0 [pid 5523] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5523] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5525 attached [pid 5525] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5523] <... clone3 resumed> => {parent_tid=[5525]}, 88) = 5525 [pid 5525] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5523] rt_sigprocmask(SIG_SETMASK, [], [pid 5525] rt_sigprocmask(SIG_SETMASK, [], [pid 5523] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5525] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5523] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5525] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5523] <... futex resumed>) = 0 [pid 5524] <... memfd_create resumed>) = 3 [pid 5523] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5524] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5524] munmap(0x7f793ef10000, 138412032) = 0 [pid 5525] <... openat resumed>) = 4 [pid 5524] close(3) = 0 [pid 5524] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5525] write(4, "85", 2 [pid 5524] <... futex resumed>) = 0 [pid 5525] <... write resumed>) = 2 [pid 5524] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5525] memfd_create("syzkaller", 0) = 3 [pid 5525] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 128.035552][ T5525] FAULT_INJECTION: forcing a failure. [ 128.035552][ T5525] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 128.048908][ T5525] CPU: 1 PID: 5525 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 128.059426][ T5525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 128.069690][ T5525] Call Trace: [ 128.073060][ T5525] [ 128.076007][ T5525] dump_stack_lvl+0x1e7/0x2d0 [ 128.080683][ T5525] ? nf_tcp_handle_invalid+0x650/0x650 [ 128.086134][ T5525] ? panic+0x770/0x770 [ 128.090201][ T5525] should_fail_ex+0x3aa/0x4e0 [ 128.094873][ T5525] prepare_alloc_pages+0x1d9/0x5b0 [ 128.099985][ T5525] __alloc_pages+0x165/0x670 [ 128.104570][ T5525] ? zone_statistics+0x170/0x170 [ 128.109518][ T5525] ? verify_lock_unused+0x140/0x140 [ 128.114724][ T5525] ? handle_mm_fault+0x11d/0x62b0 [ 128.119741][ T5525] ? __lock_acquire+0x7f70/0x7f70 [ 128.124771][ T5525] ? pte_offset_map_nolock+0x137/0x1e0 [ 128.130860][ T5525] __folio_alloc+0x13/0x30 [ 128.135281][ T5525] vma_alloc_folio+0x48a/0x9a0 [ 128.140050][ T5525] handle_mm_fault+0x2376/0x62b0 [ 128.144995][ T5525] ? handle_mm_fault+0x11d/0x62b0 [ 128.150040][ T5525] ? numa_migrate_prep+0x380/0x380 [ 128.155175][ T5525] ? mtree_range_walk+0x6a0/0x7e0 [ 128.160202][ T5525] ? lock_vma_under_rcu+0x187/0x6f0 [ 128.165408][ T5525] ? __lock_acquire+0x7f70/0x7f70 [ 128.170427][ T5525] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 128.175642][ T5525] ? lock_vma_under_rcu+0x5df/0x6f0 [ 128.180841][ T5525] ? lock_vma_under_rcu+0x187/0x6f0 [ 128.186050][ T5525] ? exc_page_fault+0x10f/0x860 [ 128.190906][ T5525] exc_page_fault+0x455/0x860 [ 128.195607][ T5525] asm_exc_page_fault+0x26/0x30 [ 128.200468][ T5525] RIP: 0033:0x7f794735bd00 [ 128.204881][ T5525] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 128.224512][ T5525] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5525] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5525] munmap(0x7f793ef10000, 2097152) = 0 [pid 5525] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 128.230575][ T5525] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 128.238628][ T5525] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 128.246595][ T5525] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 128.254559][ T5525] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 128.262526][ T5525] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 128.270504][ T5525] [ 128.273927][ T5525] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5525] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5525] close(3) = 0 [pid 5525] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5525] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5525] ioctl(5, LOOP_CLR_FD) = 0 [pid 5525] close(5) = 0 [ 128.311708][ T5525] loop0: detected capacity change from 0 to 4096 [ 128.330693][ T5525] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 128.337792][ T5525] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5525] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5525] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5523] <... futex resumed>) = 0 [pid 5523] exit_group(0 [pid 5525] <... futex resumed>) = ? [pid 5523] <... exit_group resumed>) = ? [pid 5525] +++ exited with 0 +++ [pid 5524] <... futex resumed>) = ? [pid 5524] +++ exited with 0 +++ [pid 5523] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5523, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./161", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./161", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./161/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./161/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./161/binderfs") = 0 umount2("\x2e\x2f\x31\x36\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x36\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x36\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x36\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x36\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./161") = 0 mkdir("./162", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5526 attached , child_tidptr=0x555555f17690) = 5526 [pid 5526] set_robust_list(0x555555f176a0, 24) = 0 [pid 5526] chdir("./162") = 0 [pid 5526] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5526] setpgid(0, 0) = 0 [pid 5526] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5526] write(3, "1000", 4) = 4 [pid 5526] close(3) = 0 [pid 5526] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5526] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5526] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5526] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5526] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5526] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5526] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5526] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5527 attached [pid 5527] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5526] <... clone3 resumed> => {parent_tid=[5527]}, 88) = 5527 [pid 5527] <... rseq resumed>) = 0 [pid 5526] rt_sigprocmask(SIG_SETMASK, [], [pid 5527] set_robust_list(0x7f79473519a0, 24 [pid 5526] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5527] <... set_robust_list resumed>) = 0 [pid 5526] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5527] rt_sigprocmask(SIG_SETMASK, [], [pid 5526] <... futex resumed>) = 0 [pid 5527] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5526] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5527] memfd_create("syzkaller", 0) = 3 [pid 5526] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5527] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5526] <... mmap resumed>) = 0x7f793ef10000 [pid 5526] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5526] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5526] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5528 attached => {parent_tid=[5528]}, 88) = 5528 [pid 5526] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5526] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5526] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5528] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5528] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5528] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5528] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5528] write(4, "85", 2) = 2 [pid 5528] memfd_create("syzkaller", 0) = 5 [pid 5528] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 128.484949][ T5528] FAULT_INJECTION: forcing a failure. [ 128.484949][ T5528] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 128.499639][ T5528] CPU: 0 PID: 5528 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 128.510214][ T5528] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 128.520267][ T5528] Call Trace: [ 128.523542][ T5528] [ 128.526468][ T5528] dump_stack_lvl+0x1e7/0x2d0 [ 128.531231][ T5528] ? nf_tcp_handle_invalid+0x650/0x650 [ 128.536681][ T5528] ? panic+0x770/0x770 [ 128.540753][ T5528] should_fail_ex+0x3aa/0x4e0 [ 128.545445][ T5528] prepare_alloc_pages+0x1d9/0x5b0 [ 128.550560][ T5528] __alloc_pages+0x165/0x670 [ 128.555152][ T5528] ? zone_statistics+0x170/0x170 [ 128.560097][ T5528] ? verify_lock_unused+0x140/0x140 [ 128.565288][ T5528] ? handle_mm_fault+0x11d/0x62b0 [ 128.570318][ T5528] ? __lock_acquire+0x7f70/0x7f70 [ 128.575334][ T5528] ? pte_offset_map_nolock+0x137/0x1e0 [ 128.580789][ T5528] __folio_alloc+0x13/0x30 [ 128.585205][ T5528] vma_alloc_folio+0x48a/0x9a0 [ 128.589970][ T5528] handle_mm_fault+0x2376/0x62b0 [ 128.594917][ T5528] ? handle_mm_fault+0x11d/0x62b0 [ 128.599946][ T5528] ? numa_migrate_prep+0x380/0x380 [ 128.605070][ T5528] ? mtree_range_walk+0x6a0/0x7e0 [ 128.610095][ T5528] ? lock_vma_under_rcu+0x187/0x6f0 [ 128.615289][ T5528] ? __lock_acquire+0x7f70/0x7f70 [ 128.620311][ T5528] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 128.625518][ T5528] ? lock_vma_under_rcu+0x5df/0x6f0 [ 128.630712][ T5528] ? lock_vma_under_rcu+0x187/0x6f0 [ 128.635917][ T5528] ? exc_page_fault+0x10f/0x860 [ 128.641021][ T5528] exc_page_fault+0x455/0x860 [ 128.645695][ T5528] asm_exc_page_fault+0x26/0x30 [ 128.650539][ T5528] RIP: 0033:0x7f794735bc53 [ 128.654953][ T5528] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 128.674640][ T5528] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5527] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5527] munmap(0x7f793ef31000, 2097152) = 0 [pid 5527] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 128.680702][ T5528] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 128.688673][ T5528] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 128.696637][ T5528] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 128.704620][ T5528] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 128.712604][ T5528] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 128.720589][ T5528] [ 128.725397][ T5528] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5527] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5527] close(3) = 0 [pid 5527] mkdir("./file0", 0777) = 0 [pid 5527] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5527] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5528] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5527] chdir("./file0") = 0 [pid 5527] ioctl(6, LOOP_CLR_FD) = 0 [pid 5527] close(6) = 0 [pid 5527] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5527] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5528] <... write resumed>) = 2097152 [pid 5528] munmap(0x7f7936b10000, 2097152) = 0 [ 128.729067][ T5527] loop0: detected capacity change from 0 to 4096 [ 128.750873][ T5527] ntfs: volume version 12.0. [pid 5528] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5528] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5528] ioctl(6, LOOP_CLR_FD) = 0 [pid 5528] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5528] close(6) = 0 [pid 5528] close(5) = 0 [pid 5528] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5528] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5526] <... futex resumed>) = 0 [pid 5526] exit_group(0 [pid 5528] <... futex resumed>) = ? [pid 5527] <... futex resumed>) = ? [pid 5528] +++ exited with 0 +++ [pid 5527] +++ exited with 0 +++ [pid 5526] <... exit_group resumed>) = ? [pid 5526] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5526, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./162", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./162", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./162/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./162/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./162/binderfs") = 0 umount2("./162/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./162/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./162/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./162/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./162/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./162/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./162") = 0 mkdir("./163", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5529 attached [pid 5529] set_robust_list(0x555555f176a0, 24 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5529 [pid 5529] <... set_robust_list resumed>) = 0 [pid 5529] chdir("./163") = 0 [pid 5529] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5529] setpgid(0, 0) = 0 [pid 5529] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5529] write(3, "1000", 4) = 4 [pid 5529] close(3) = 0 [pid 5529] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5529] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5529] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5529] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5529] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5529] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5529] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5529] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5530 attached => {parent_tid=[5530]}, 88) = 5530 [pid 5530] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5529] rt_sigprocmask(SIG_SETMASK, [], [pid 5530] <... rseq resumed>) = 0 [pid 5529] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5530] set_robust_list(0x7f79473519a0, 24 [pid 5529] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5530] <... set_robust_list resumed>) = 0 [pid 5529] <... futex resumed>) = 0 [pid 5530] rt_sigprocmask(SIG_SETMASK, [], [pid 5529] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5530] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5529] <... futex resumed>) = 0 [pid 5530] memfd_create("syzkaller", 0 [pid 5529] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5529] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5529] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5530] <... memfd_create resumed>) = 3 [pid 5529] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5529] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5530] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0./strace-static-x86_64: Process 5531 attached [pid 5531] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5529] <... clone3 resumed> => {parent_tid=[5531]}, 88) = 5531 [pid 5531] <... rseq resumed>) = 0 [pid 5530] <... mmap resumed>) = 0x7f793ef10000 [pid 5529] rt_sigprocmask(SIG_SETMASK, [], [pid 5531] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5531] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5531] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5529] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5529] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5531] <... futex resumed>) = 0 [pid 5529] <... futex resumed>) = 1 [pid 5531] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5529] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5531] <... openat resumed>) = 4 [pid 5531] write(4, "85", 2) = 2 [pid 5531] memfd_create("syzkaller", 0) = 5 [pid 5531] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5530] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 128.925865][ T5531] FAULT_INJECTION: forcing a failure. [ 128.925865][ T5531] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 128.939391][ T5531] CPU: 0 PID: 5531 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 128.949815][ T5531] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 128.959874][ T5531] Call Trace: [ 128.963147][ T5531] [ 128.966076][ T5531] dump_stack_lvl+0x1e7/0x2d0 [ 128.970755][ T5531] ? nf_tcp_handle_invalid+0x650/0x650 [ 128.976213][ T5531] ? panic+0x770/0x770 [ 128.980289][ T5531] should_fail_ex+0x3aa/0x4e0 [ 128.984969][ T5531] prepare_alloc_pages+0x1d9/0x5b0 [ 128.990087][ T5531] __alloc_pages+0x165/0x670 [ 128.994695][ T5531] ? zone_statistics+0x170/0x170 [ 128.999631][ T5531] ? verify_lock_unused+0x140/0x140 [ 129.004835][ T5531] ? handle_mm_fault+0x11d/0x62b0 [ 129.009955][ T5531] ? __lock_acquire+0x7f70/0x7f70 [ 129.014976][ T5531] ? pte_offset_map_nolock+0x137/0x1e0 [ 129.020433][ T5531] __folio_alloc+0x13/0x30 [ 129.024846][ T5531] vma_alloc_folio+0x48a/0x9a0 [ 129.029622][ T5531] handle_mm_fault+0x2376/0x62b0 [ 129.034563][ T5531] ? handle_mm_fault+0x11d/0x62b0 [ 129.039771][ T5531] ? numa_migrate_prep+0x380/0x380 [ 129.044890][ T5531] ? mtree_range_walk+0x6a0/0x7e0 [ 129.049912][ T5531] ? lock_vma_under_rcu+0x187/0x6f0 [ 129.055109][ T5531] ? __lock_acquire+0x7f70/0x7f70 [ 129.060177][ T5531] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 129.065426][ T5531] ? lock_vma_under_rcu+0x5df/0x6f0 [ 129.070641][ T5531] ? lock_vma_under_rcu+0x187/0x6f0 [ 129.075859][ T5531] ? exc_page_fault+0x10f/0x860 [ 129.080716][ T5531] exc_page_fault+0x455/0x860 [ 129.085401][ T5531] asm_exc_page_fault+0x26/0x30 [ 129.090252][ T5531] RIP: 0033:0x7f794735bc53 [ 129.094663][ T5531] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 129.114280][ T5531] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5530] munmap(0x7f793ef10000, 2097152) = 0 [ 129.120354][ T5531] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 129.128363][ T5531] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 129.136330][ T5531] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 129.144292][ T5531] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 129.152294][ T5531] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 129.160363][ T5531] [ 129.165827][ T5531] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5530] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5530] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5530] close(3) = 0 [pid 5530] mkdir("./file0", 0777) = 0 [ 129.178215][ T5530] loop0: detected capacity change from 0 to 4096 [ 129.190688][ T5530] __ntfs_error: 137 callbacks suppressed [ 129.190700][ T5530] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 129.207391][ T5530] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5530] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5531] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 129.220861][ T5530] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 129.236001][ T5530] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 129.245657][ T5530] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 129.254154][ T5530] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [pid 5531] munmap(0x7f7936b10000, 2097152) = 0 [pid 5531] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5531] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5531] ioctl(3, LOOP_CLR_FD) = 0 [pid 5531] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5531] close(3) = 0 [pid 5531] close(5) = 0 [pid 5531] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5529] <... futex resumed>) = 0 [pid 5531] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5530] <... mount resumed>) = 0 [pid 5530] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5530] chdir("./file0") = 0 [pid 5530] ioctl(6, LOOP_CLR_FD) = 0 [pid 5530] close(6) = 0 [pid 5530] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5529] exit_group(0 [pid 5531] <... futex resumed>) = ? [pid 5530] <... futex resumed>) = ? [pid 5529] <... exit_group resumed>) = ? [pid 5531] +++ exited with 0 +++ [pid 5530] +++ exited with 0 +++ [pid 5529] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5529, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=25 /* 0.25 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./163", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./163", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./163/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./163/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./163/binderfs") = 0 umount2("./163/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./163/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./163/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./163/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./163/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./163/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./163") = 0 mkdir("./164", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5532 ./strace-static-x86_64: Process 5532 attached [pid 5532] set_robust_list(0x555555f176a0, 24) = 0 [pid 5532] chdir("./164") = 0 [pid 5532] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5532] setpgid(0, 0) = 0 [pid 5532] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5532] write(3, "1000", 4) = 4 [pid 5532] close(3) = 0 [pid 5532] symlink("/dev/binderfs", "./binderfs") = 0 [ 129.268009][ T5530] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 129.280935][ T5530] ntfs: volume version 12.0. [ 129.286139][ T5530] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 129.295078][ T5530] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 129.310715][ T5530] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. [pid 5532] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5532] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5532] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5532] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5532] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5532] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5532] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5533 attached => {parent_tid=[5533]}, 88) = 5533 [pid 5532] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5532] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5532] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5532] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5532] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5532] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5532] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5533] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053./strace-static-x86_64: Process 5534 attached ) = 0 [pid 5534] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5533] set_robust_list(0x7f79473519a0, 24 [pid 5534] <... rseq resumed>) = 0 [pid 5533] <... set_robust_list resumed>) = 0 [pid 5534] set_robust_list(0x7f79473309a0, 24 [pid 5533] rt_sigprocmask(SIG_SETMASK, [], [pid 5534] <... set_robust_list resumed>) = 0 [pid 5533] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5534] rt_sigprocmask(SIG_SETMASK, [], [pid 5532] <... clone3 resumed> => {parent_tid=[5534]}, 88) = 5534 [pid 5532] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5532] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5533] memfd_create("syzkaller", 0 [pid 5532] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5534] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5533] <... memfd_create resumed>) = 3 [pid 5534] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5533] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5534] <... openat resumed>) = 4 [pid 5533] munmap(0x7f793ef10000, 138412032) = 0 [pid 5533] close(3 [pid 5534] write(4, "85", 2 [pid 5533] <... close resumed>) = 0 [pid 5534] <... write resumed>) = 2 [pid 5533] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5534] memfd_create("syzkaller", 0 [pid 5533] <... futex resumed>) = 0 [pid 5534] <... memfd_create resumed>) = 3 [pid 5533] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5534] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 129.387429][ T5534] FAULT_INJECTION: forcing a failure. [ 129.387429][ T5534] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 129.401446][ T5534] CPU: 0 PID: 5534 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 129.412241][ T5534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 129.422303][ T5534] Call Trace: [ 129.425573][ T5534] [ 129.428498][ T5534] dump_stack_lvl+0x1e7/0x2d0 [ 129.433180][ T5534] ? nf_tcp_handle_invalid+0x650/0x650 [ 129.438655][ T5534] ? panic+0x770/0x770 [ 129.442766][ T5534] should_fail_ex+0x3aa/0x4e0 [ 129.447458][ T5534] prepare_alloc_pages+0x1d9/0x5b0 [ 129.452586][ T5534] __alloc_pages+0x165/0x670 [ 129.457202][ T5534] ? zone_statistics+0x170/0x170 [ 129.462245][ T5534] ? verify_lock_unused+0x140/0x140 [ 129.467463][ T5534] ? handle_mm_fault+0x11d/0x62b0 [ 129.472491][ T5534] ? __lock_acquire+0x7f70/0x7f70 [ 129.477692][ T5534] ? pte_offset_map_nolock+0x137/0x1e0 [ 129.483427][ T5534] __folio_alloc+0x13/0x30 [ 129.487882][ T5534] vma_alloc_folio+0x48a/0x9a0 [ 129.492664][ T5534] handle_mm_fault+0x2376/0x62b0 [ 129.497638][ T5534] ? handle_mm_fault+0x11d/0x62b0 [ 129.502704][ T5534] ? numa_migrate_prep+0x380/0x380 [ 129.507940][ T5534] ? mtree_range_walk+0x6a0/0x7e0 [ 129.513019][ T5534] ? lock_vma_under_rcu+0x187/0x6f0 [ 129.518344][ T5534] ? __lock_acquire+0x7f70/0x7f70 [ 129.523478][ T5534] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 129.528703][ T5534] ? lock_vma_under_rcu+0x5df/0x6f0 [ 129.533907][ T5534] ? lock_vma_under_rcu+0x187/0x6f0 [ 129.539134][ T5534] ? exc_page_fault+0x10f/0x860 [ 129.543993][ T5534] exc_page_fault+0x455/0x860 [ 129.548677][ T5534] asm_exc_page_fault+0x26/0x30 [ 129.553540][ T5534] RIP: 0033:0x7f794735bd00 [ 129.558202][ T5534] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 129.577855][ T5534] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5534] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5534] munmap(0x7f793ef10000, 2097152) = 0 [pid 5534] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 129.583929][ T5534] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 129.592119][ T5534] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 129.600106][ T5534] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 129.608120][ T5534] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 129.616102][ T5534] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 129.624271][ T5534] [ 129.629780][ T5534] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5534] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5534] close(3) = 0 [pid 5534] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5534] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 129.668208][ T5534] loop0: detected capacity change from 0 to 4096 [ 129.687410][ T5534] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 129.694403][ T5534] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5534] ioctl(5, LOOP_CLR_FD) = 0 [pid 5534] close(5) = 0 [pid 5534] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5532] <... futex resumed>) = 0 [pid 5532] exit_group(0) = ? [pid 5533] <... futex resumed>) = ? [pid 5533] +++ exited with 0 +++ [pid 5534] +++ exited with 0 +++ [pid 5532] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5532, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./164", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./164", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./164/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./164/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./164/binderfs") = 0 umount2("\x2e\x2f\x31\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./164") = 0 mkdir("./165", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5535 attached , child_tidptr=0x555555f17690) = 5535 [pid 5535] set_robust_list(0x555555f176a0, 24) = 0 [pid 5535] chdir("./165") = 0 [pid 5535] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5535] setpgid(0, 0) = 0 [pid 5535] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5535] write(3, "1000", 4) = 4 [pid 5535] close(3) = 0 [pid 5535] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5535] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5535] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5535] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5535] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5535] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5535] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5535] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5536 attached [pid 5536] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5535] <... clone3 resumed> => {parent_tid=[5536]}, 88) = 5536 [pid 5536] <... rseq resumed>) = 0 [pid 5535] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5536] set_robust_list(0x7f79473519a0, 24 [pid 5535] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5536] <... set_robust_list resumed>) = 0 [pid 5535] <... futex resumed>) = 0 [pid 5536] rt_sigprocmask(SIG_SETMASK, [], [pid 5535] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5536] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5535] <... futex resumed>) = 0 [pid 5536] memfd_create("syzkaller", 0 [pid 5535] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5535] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5535] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5535] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5537 attached [pid 5537] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5536] <... memfd_create resumed>) = 3 [pid 5535] <... clone3 resumed> => {parent_tid=[5537]}, 88) = 5537 [pid 5536] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5537] <... rseq resumed>) = 0 [pid 5536] <... mmap resumed>) = 0x7f793ef10000 [pid 5535] rt_sigprocmask(SIG_SETMASK, [], [pid 5537] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5535] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5537] rt_sigprocmask(SIG_SETMASK, [], [pid 5535] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5537] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5535] <... futex resumed>) = 0 [pid 5537] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5535] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5537] <... openat resumed>) = 4 [pid 5537] write(4, "85", 2) = 2 [pid 5537] memfd_create("syzkaller", 0) = 5 [pid 5537] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5536] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 129.830806][ T5537] FAULT_INJECTION: forcing a failure. [ 129.830806][ T5537] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 129.844317][ T5537] CPU: 0 PID: 5537 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 129.854762][ T5537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 129.864856][ T5537] Call Trace: [ 129.868144][ T5537] [ 129.871087][ T5537] dump_stack_lvl+0x1e7/0x2d0 [ 129.875842][ T5537] ? nf_tcp_handle_invalid+0x650/0x650 [ 129.881313][ T5537] ? panic+0x770/0x770 [ 129.885389][ T5537] should_fail_ex+0x3aa/0x4e0 [ 129.890069][ T5537] prepare_alloc_pages+0x1d9/0x5b0 [ 129.895281][ T5537] __alloc_pages+0x165/0x670 [ 129.899876][ T5537] ? zone_statistics+0x170/0x170 [ 129.904832][ T5537] ? verify_lock_unused+0x140/0x140 [ 129.910039][ T5537] ? handle_mm_fault+0x11d/0x62b0 [ 129.915060][ T5537] ? __lock_acquire+0x7f70/0x7f70 [ 129.920087][ T5537] ? pte_offset_map_nolock+0x137/0x1e0 [ 129.925667][ T5537] __folio_alloc+0x13/0x30 [ 129.930108][ T5537] vma_alloc_folio+0x48a/0x9a0 [ 129.934890][ T5537] handle_mm_fault+0x2376/0x62b0 [ 129.939842][ T5537] ? handle_mm_fault+0x11d/0x62b0 [ 129.944884][ T5537] ? numa_migrate_prep+0x380/0x380 [ 129.949996][ T5537] ? mtree_range_walk+0x6a0/0x7e0 [ 129.955113][ T5537] ? lock_vma_under_rcu+0x187/0x6f0 [ 129.960318][ T5537] ? __lock_acquire+0x7f70/0x7f70 [ 129.965368][ T5537] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 129.970569][ T5537] ? lock_vma_under_rcu+0x5df/0x6f0 [ 129.975777][ T5537] ? lock_vma_under_rcu+0x187/0x6f0 [ 129.981010][ T5537] ? exc_page_fault+0x10f/0x860 [ 129.985960][ T5537] exc_page_fault+0x455/0x860 [ 129.990657][ T5537] asm_exc_page_fault+0x26/0x30 [ 129.995558][ T5537] RIP: 0033:0x7f794735bc53 [ 129.999994][ T5537] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 130.019616][ T5537] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5536] munmap(0x7f793ef10000, 2097152) = 0 [pid 5536] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 130.025690][ T5537] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 130.033691][ T5537] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 130.041749][ T5537] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 130.049727][ T5537] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 130.057778][ T5537] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 130.065775][ T5537] [ 130.069497][ T5537] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5536] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5536] close(3) = 0 [pid 5536] mkdir("./file0", 0777) = 0 [pid 5536] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5537] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5536] <... mount resumed>) = 0 [pid 5537] <... write resumed>) = 2097152 [pid 5537] munmap(0x7f7936b10000, 2097152 [pid 5536] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5536] chdir("./file0") = 0 [pid 5536] ioctl(6, LOOP_CLR_FD) = 0 [pid 5536] close(6) = 0 [pid 5536] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5536] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5537] <... munmap resumed>) = 0 [pid 5537] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5537] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5537] ioctl(6, LOOP_CLR_FD) = 0 [pid 5537] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5537] close(6) = 0 [pid 5537] close(5) = 0 [pid 5537] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5535] <... futex resumed>) = 0 [pid 5535] exit_group(0) = ? [pid 5536] <... futex resumed>) = ? [pid 5536] +++ exited with 0 +++ [pid 5537] +++ exited with 0 +++ [pid 5535] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5535, si_uid=0, si_status=0, si_utime=0, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./165", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./165", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./165/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./165/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./165/binderfs") = 0 umount2("./165/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./165/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./165/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./165/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./165/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./165/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./165") = 0 mkdir("./166", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 130.081958][ T5536] loop0: detected capacity change from 0 to 4096 [ 130.106875][ T5536] ntfs: volume version 12.0. ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5538 ./strace-static-x86_64: Process 5538 attached [pid 5538] set_robust_list(0x555555f176a0, 24) = 0 [pid 5538] chdir("./166") = 0 [pid 5538] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5538] setpgid(0, 0) = 0 [pid 5538] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5538] write(3, "1000", 4) = 4 [pid 5538] close(3) = 0 [pid 5538] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5538] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5538] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5538] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5538] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5538] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5538] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5538] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5539 attached => {parent_tid=[5539]}, 88) = 5539 [pid 5538] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5538] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5538] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5538] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5539] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5538] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5539] <... rseq resumed>) = 0 [pid 5538] <... mprotect resumed>) = 0 [pid 5539] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5538] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5539] rt_sigprocmask(SIG_SETMASK, [], [pid 5538] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5539] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5538] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5539] memfd_create("syzkaller", 0./strace-static-x86_64: Process 5540 attached [pid 5540] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5538] <... clone3 resumed> => {parent_tid=[5540]}, 88) = 5540 [pid 5540] <... rseq resumed>) = 0 [pid 5539] <... memfd_create resumed>) = 3 [pid 5538] rt_sigprocmask(SIG_SETMASK, [], [pid 5540] set_robust_list(0x7f79473309a0, 24 [pid 5539] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5538] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5540] <... set_robust_list resumed>) = 0 [pid 5540] rt_sigprocmask(SIG_SETMASK, [], [pid 5539] <... mmap resumed>) = 0x7f793ef10000 [pid 5538] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5540] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5538] <... futex resumed>) = 0 [pid 5538] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5540] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5539] munmap(0x7f793ef10000, 138412032 [pid 5540] write(4, "85", 2) = 2 [pid 5540] memfd_create("syzkaller", 0) = 5 [pid 5540] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5539] <... munmap resumed>) = 0 [pid 5540] <... mmap resumed>) = 0x7f793ef10000 [pid 5539] close(3) = 0 [pid 5539] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 130.214557][ T5540] FAULT_INJECTION: forcing a failure. [ 130.214557][ T5540] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 130.229330][ T5540] CPU: 0 PID: 5540 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 130.239769][ T5540] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 130.249818][ T5540] Call Trace: [ 130.253105][ T5540] [ 130.256039][ T5540] dump_stack_lvl+0x1e7/0x2d0 [ 130.260823][ T5540] ? nf_tcp_handle_invalid+0x650/0x650 [ 130.266284][ T5540] ? panic+0x770/0x770 [ 130.270371][ T5540] should_fail_ex+0x3aa/0x4e0 [ 130.275052][ T5540] prepare_alloc_pages+0x1d9/0x5b0 [ 130.280166][ T5540] __alloc_pages+0x165/0x670 [ 130.284773][ T5540] ? zone_statistics+0x170/0x170 [ 130.289714][ T5540] ? verify_lock_unused+0x140/0x140 [ 130.294925][ T5540] ? handle_mm_fault+0x11d/0x62b0 [ 130.299967][ T5540] ? __lock_acquire+0x7f70/0x7f70 [ 130.304991][ T5540] ? pte_offset_map_nolock+0x137/0x1e0 [ 130.310452][ T5540] __folio_alloc+0x13/0x30 [ 130.314868][ T5540] vma_alloc_folio+0x48a/0x9a0 [ 130.319639][ T5540] handle_mm_fault+0x2376/0x62b0 [ 130.324586][ T5540] ? handle_mm_fault+0x11d/0x62b0 [ 130.329625][ T5540] ? numa_migrate_prep+0x380/0x380 [ 130.334830][ T5540] ? mtree_range_walk+0x6a0/0x7e0 [ 130.339854][ T5540] ? lock_vma_under_rcu+0x187/0x6f0 [ 130.345046][ T5540] ? __lock_acquire+0x7f70/0x7f70 [ 130.350062][ T5540] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 130.355291][ T5540] ? lock_vma_under_rcu+0x5df/0x6f0 [ 130.360486][ T5540] ? lock_vma_under_rcu+0x187/0x6f0 [ 130.365806][ T5540] ? exc_page_fault+0x10f/0x860 [ 130.370694][ T5540] exc_page_fault+0x455/0x860 [ 130.375459][ T5540] asm_exc_page_fault+0x26/0x30 [ 130.380395][ T5540] RIP: 0033:0x7f794735bd00 [ 130.384805][ T5540] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 130.405101][ T5540] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5539] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5540] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5540] munmap(0x7f793ef10000, 2097152) = 0 [pid 5540] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 130.411164][ T5540] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 130.419128][ T5540] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 130.427094][ T5540] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 130.435056][ T5540] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 130.443020][ T5540] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 130.451004][ T5540] [ 130.454448][ T5540] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5540] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5540] close(5) = 0 [pid 5540] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5540] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 130.491028][ T5540] loop0: detected capacity change from 0 to 4096 [ 130.507672][ T5540] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 130.514686][ T5540] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5540] ioctl(3, LOOP_CLR_FD) = 0 [pid 5540] close(3) = 0 [pid 5540] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5538] <... futex resumed>) = 0 [pid 5538] exit_group(0 [pid 5539] <... futex resumed>) = ? [pid 5538] <... exit_group resumed>) = ? [pid 5540] <... futex resumed>) = ? [pid 5539] +++ exited with 0 +++ [pid 5540] +++ exited with 0 +++ [pid 5538] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5538, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- umount2("./166", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./166", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./166/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./166/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./166/binderfs") = 0 umount2("\x2e\x2f\x31\x36\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x36\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x36\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x36\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x36\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./166") = 0 mkdir("./167", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5541 ./strace-static-x86_64: Process 5541 attached [pid 5541] set_robust_list(0x555555f176a0, 24) = 0 [pid 5541] chdir("./167") = 0 [pid 5541] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5541] setpgid(0, 0) = 0 [pid 5541] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5541] write(3, "1000", 4) = 4 [pid 5541] close(3) = 0 [pid 5541] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5541] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5541] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5541] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5541] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5541] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5541] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5541] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5542]}, 88) = 5542 [pid 5541] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5541] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5541] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5541] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5541] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5541] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5541] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5542 attached [pid 5542] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5542] set_robust_list(0x7f79473519a0, 24) = 0 ./strace-static-x86_64: Process 5543 attached [pid 5542] rt_sigprocmask(SIG_SETMASK, [], [pid 5543] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5542] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5541] <... clone3 resumed> => {parent_tid=[5543]}, 88) = 5543 [pid 5543] <... rseq resumed>) = 0 [pid 5541] rt_sigprocmask(SIG_SETMASK, [], [pid 5543] set_robust_list(0x7f79473309a0, 24 [pid 5541] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5543] <... set_robust_list resumed>) = 0 [pid 5541] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5543] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5541] <... futex resumed>) = 0 [pid 5543] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5542] memfd_create("syzkaller", 0 [pid 5541] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5543] <... openat resumed>) = 3 [pid 5543] write(3, "85", 2) = 2 [pid 5543] memfd_create("syzkaller", 0) = 4 [pid 5543] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5542] <... memfd_create resumed>) = 5 [pid 5542] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5542] munmap(0x7f7936b10000, 138412032) = 0 [pid 5542] close(5) = 0 [pid 5542] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 130.646353][ T5543] FAULT_INJECTION: forcing a failure. [ 130.646353][ T5543] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 130.660200][ T5543] CPU: 1 PID: 5543 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 130.670609][ T5543] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 130.680772][ T5543] Call Trace: [ 130.684104][ T5543] [ 130.687033][ T5543] dump_stack_lvl+0x1e7/0x2d0 [ 130.691709][ T5543] ? nf_tcp_handle_invalid+0x650/0x650 [ 130.697172][ T5543] ? panic+0x770/0x770 [ 130.701277][ T5543] should_fail_ex+0x3aa/0x4e0 [ 130.705974][ T5543] prepare_alloc_pages+0x1d9/0x5b0 [ 130.711095][ T5543] __alloc_pages+0x165/0x670 [ 130.715694][ T5543] ? zone_statistics+0x170/0x170 [ 130.720633][ T5543] ? verify_lock_unused+0x140/0x140 [ 130.725828][ T5543] ? handle_mm_fault+0x11d/0x62b0 [ 130.730943][ T5543] ? __lock_acquire+0x7f70/0x7f70 [ 130.735961][ T5543] ? pte_offset_map_nolock+0x137/0x1e0 [ 130.741416][ T5543] __folio_alloc+0x13/0x30 [ 130.745828][ T5543] vma_alloc_folio+0x48a/0x9a0 [ 130.750592][ T5543] handle_mm_fault+0x2376/0x62b0 [ 130.755646][ T5543] ? handle_mm_fault+0x11d/0x62b0 [ 130.760782][ T5543] ? numa_migrate_prep+0x380/0x380 [ 130.766098][ T5543] ? mtree_range_walk+0x6a0/0x7e0 [ 130.771137][ T5543] ? lock_vma_under_rcu+0x187/0x6f0 [ 130.776340][ T5543] ? __lock_acquire+0x7f70/0x7f70 [ 130.781365][ T5543] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 130.786579][ T5543] ? lock_vma_under_rcu+0x5df/0x6f0 [ 130.791776][ T5543] ? lock_vma_under_rcu+0x187/0x6f0 [ 130.796981][ T5543] ? exc_page_fault+0x10f/0x860 [ 130.801842][ T5543] exc_page_fault+0x455/0x860 [ 130.806522][ T5543] asm_exc_page_fault+0x26/0x30 [ 130.811393][ T5543] RIP: 0033:0x7f794735bc53 [ 130.815893][ T5543] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 130.835511][ T5543] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5542] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5543] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5543] munmap(0x7f793ef10000, 2097152) = 0 [pid 5543] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 130.841572][ T5543] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 130.849533][ T5543] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 130.857497][ T5543] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 130.865458][ T5543] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 130.873429][ T5543] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 130.881424][ T5543] [pid 5543] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5543] close(4) = 0 [pid 5543] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5543] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5543] ioctl(5, LOOP_CLR_FD) = 0 [pid 5543] close(5) = 0 [pid 5543] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5541] <... futex resumed>) = 0 [ 130.917785][ T5543] loop0: detected capacity change from 0 to 4096 [ 130.933310][ T5543] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 130.940568][ T5543] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5543] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5541] exit_group(0) = ? [pid 5543] <... futex resumed>) = ? [pid 5542] <... futex resumed>) = ? [pid 5543] +++ exited with 0 +++ [pid 5542] +++ exited with 0 +++ [pid 5541] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5541, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./167", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./167", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./167/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./167/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./167/binderfs") = 0 umount2("\x2e\x2f\x31\x36\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x36\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x36\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x36\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x36\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./167") = 0 mkdir("./168", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5544 ./strace-static-x86_64: Process 5544 attached [pid 5544] set_robust_list(0x555555f176a0, 24) = 0 [pid 5544] chdir("./168") = 0 [pid 5544] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5544] setpgid(0, 0) = 0 [pid 5544] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5544] write(3, "1000", 4) = 4 [pid 5544] close(3) = 0 [pid 5544] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5544] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5544] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5544] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5544] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5544] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5544] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5544] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5545 attached => {parent_tid=[5545]}, 88) = 5545 [pid 5545] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5544] rt_sigprocmask(SIG_SETMASK, [], [pid 5545] <... rseq resumed>) = 0 [pid 5544] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5545] set_robust_list(0x7f79473519a0, 24 [pid 5544] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5545] <... set_robust_list resumed>) = 0 [pid 5544] <... futex resumed>) = 0 [pid 5545] rt_sigprocmask(SIG_SETMASK, [], [pid 5544] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5545] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5544] <... futex resumed>) = 0 [pid 5544] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5544] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5545] memfd_create("syzkaller", 0 [pid 5544] <... mprotect resumed>) = 0 [pid 5545] <... memfd_create resumed>) = 3 [pid 5544] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5545] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5544] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5545] <... mmap resumed>) = 0x7f793ef10000 [pid 5544] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5546]}, 88) = 5546 [pid 5544] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5544] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5546 attached [pid 5544] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5546] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5546] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5546] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5546] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5546] write(4, "85", 2) = 2 [pid 5546] memfd_create("syzkaller", 0) = 5 [pid 5546] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5545] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2280033) = 2280033 [ 131.085231][ T5546] FAULT_INJECTION: forcing a failure. [ 131.085231][ T5546] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 131.099792][ T5546] CPU: 1 PID: 5546 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 131.110245][ T5546] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 131.120322][ T5546] Call Trace: [ 131.125628][ T5546] [ 131.128615][ T5546] dump_stack_lvl+0x1e7/0x2d0 [ 131.133304][ T5546] ? nf_tcp_handle_invalid+0x650/0x650 [ 131.138785][ T5546] ? panic+0x770/0x770 [ 131.142871][ T5546] should_fail_ex+0x3aa/0x4e0 [ 131.147550][ T5546] prepare_alloc_pages+0x1d9/0x5b0 [ 131.152664][ T5546] __alloc_pages+0x165/0x670 [ 131.157264][ T5546] ? zone_statistics+0x170/0x170 [ 131.162214][ T5546] ? verify_lock_unused+0x140/0x140 [ 131.167412][ T5546] ? handle_mm_fault+0x11d/0x62b0 [ 131.172445][ T5546] ? __lock_acquire+0x7f70/0x7f70 [ 131.177465][ T5546] ? pte_offset_map_nolock+0x137/0x1e0 [ 131.183188][ T5546] __folio_alloc+0x13/0x30 [ 131.187606][ T5546] vma_alloc_folio+0x48a/0x9a0 [ 131.192376][ T5546] handle_mm_fault+0x2376/0x62b0 [ 131.197317][ T5546] ? handle_mm_fault+0x11d/0x62b0 [ 131.202342][ T5546] ? numa_migrate_prep+0x380/0x380 [ 131.207460][ T5546] ? mtree_range_walk+0x6a0/0x7e0 [ 131.212486][ T5546] ? lock_vma_under_rcu+0x187/0x6f0 [ 131.217680][ T5546] ? __lock_acquire+0x7f70/0x7f70 [ 131.222696][ T5546] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 131.227902][ T5546] ? lock_vma_under_rcu+0x5df/0x6f0 [ 131.233094][ T5546] ? lock_vma_under_rcu+0x187/0x6f0 [ 131.238299][ T5546] ? exc_page_fault+0x10f/0x860 [ 131.243144][ T5546] exc_page_fault+0x455/0x860 [ 131.247820][ T5546] asm_exc_page_fault+0x26/0x30 [ 131.252676][ T5546] RIP: 0033:0x7f794735bc53 [ 131.257089][ T5546] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 131.276691][ T5546] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5545] munmap(0x7f793ef10000, 2280033) = 0 [pid 5545] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 131.282758][ T5546] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 131.290721][ T5546] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 131.298689][ T5546] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 131.306827][ T5546] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 131.314798][ T5546] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 131.322777][ T5546] [pid 5545] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5545] close(3) = 0 [pid 5545] mkdir("./file0", 0777) = 0 [pid 5545] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5545] ioctl(6, LOOP_CLR_FD [pid 5546] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5546] munmap(0x7f7936b10000, 2097152) = 0 [pid 5546] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5546] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5546] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5546] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5546] close(3) = 0 [ 131.337610][ T5545] loop0: detected capacity change from 0 to 4453 [pid 5546] close(5) = 0 [pid 5545] <... ioctl resumed>) = 0 [pid 5546] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5546] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5544] <... futex resumed>) = 0 [pid 5545] close(6) = 0 [pid 5545] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5545] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5544] exit_group(0 [pid 5545] <... futex resumed>) = ? [pid 5544] <... exit_group resumed>) = ? [pid 5546] <... futex resumed>) = ? [pid 5545] +++ exited with 0 +++ [pid 5546] +++ exited with 0 +++ [pid 5544] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5544, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=12 /* 0.12 s */} --- umount2("./168", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./168", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./168/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./168/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./168/binderfs") = 0 umount2("./168/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./168/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./168/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./168/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./168/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./168") = 0 mkdir("./169", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5547 attached [pid 5547] set_robust_list(0x555555f176a0, 24) = 0 [pid 5547] chdir("./169") = 0 [pid 5547] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5547] setpgid(0, 0) = 0 [pid 5547] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5547 [pid 5547] <... openat resumed>) = 3 [pid 5547] write(3, "1000", 4) = 4 [pid 5547] close(3) = 0 [pid 5547] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5547] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5547] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5547] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5547] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5547] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5547] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5547] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5548 attached => {parent_tid=[5548]}, 88) = 5548 [pid 5547] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5548] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5547] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5547] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5548] set_robust_list(0x7f79473519a0, 24 [pid 5547] <... futex resumed>) = 0 [pid 5548] <... set_robust_list resumed>) = 0 [pid 5548] rt_sigprocmask(SIG_SETMASK, [], [pid 5547] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5548] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5547] <... mmap resumed>) = 0x7f7947310000 [pid 5547] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5547] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5547] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5549]}, 88) = 5549 [pid 5547] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5547] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5547] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5548] memfd_create("syzkaller", 0) = 3 ./strace-static-x86_64: Process 5549 attached [pid 5549] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5548] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5549] set_robust_list(0x7f79473309a0, 24 [pid 5548] <... mmap resumed>) = 0x7f793ef10000 [pid 5549] <... set_robust_list resumed>) = 0 [pid 5549] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5549] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5549] write(4, "85", 2) = 2 [pid 5549] memfd_create("syzkaller", 0) = 5 [pid 5549] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5548] munmap(0x7f793ef10000, 138412032) = 0 [pid 5548] close(3) = 0 [pid 5548] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 131.478888][ T5549] FAULT_INJECTION: forcing a failure. [ 131.478888][ T5549] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 131.492318][ T5549] CPU: 1 PID: 5549 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 131.502740][ T5549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 131.513353][ T5549] Call Trace: [ 131.516632][ T5549] [ 131.519571][ T5549] dump_stack_lvl+0x1e7/0x2d0 [ 131.524243][ T5549] ? nf_tcp_handle_invalid+0x650/0x650 [ 131.529718][ T5549] ? panic+0x770/0x770 [ 131.533802][ T5549] should_fail_ex+0x3aa/0x4e0 [ 131.538506][ T5549] prepare_alloc_pages+0x1d9/0x5b0 [ 131.543710][ T5549] __alloc_pages+0x165/0x670 [ 131.548313][ T5549] ? zone_statistics+0x170/0x170 [ 131.553261][ T5549] ? verify_lock_unused+0x140/0x140 [ 131.558466][ T5549] ? handle_mm_fault+0x11d/0x62b0 [ 131.563499][ T5549] ? __lock_acquire+0x7f70/0x7f70 [ 131.568522][ T5549] ? pte_offset_map_nolock+0x137/0x1e0 [ 131.573999][ T5549] __folio_alloc+0x13/0x30 [ 131.578420][ T5549] vma_alloc_folio+0x48a/0x9a0 [ 131.583217][ T5549] handle_mm_fault+0x2376/0x62b0 [ 131.588184][ T5549] ? handle_mm_fault+0x11d/0x62b0 [ 131.593238][ T5549] ? numa_migrate_prep+0x380/0x380 [ 131.598369][ T5549] ? mtree_range_walk+0x6a0/0x7e0 [ 131.603400][ T5549] ? lock_vma_under_rcu+0x187/0x6f0 [ 131.608598][ T5549] ? __lock_acquire+0x7f70/0x7f70 [ 131.613614][ T5549] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 131.618993][ T5549] ? lock_vma_under_rcu+0x5df/0x6f0 [ 131.624187][ T5549] ? lock_vma_under_rcu+0x187/0x6f0 [ 131.629388][ T5549] ? exc_page_fault+0x10f/0x860 [ 131.634324][ T5549] exc_page_fault+0x455/0x860 [ 131.639008][ T5549] asm_exc_page_fault+0x26/0x30 [ 131.643854][ T5549] RIP: 0033:0x7f794735bc53 [ 131.648370][ T5549] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 131.667987][ T5549] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5548] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5549] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5549] munmap(0x7f7936b10000, 2097152) = 0 [pid 5549] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 131.674061][ T5549] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 131.682027][ T5549] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 131.690021][ T5549] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 131.697991][ T5549] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 131.705974][ T5549] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 131.713964][ T5549] [pid 5549] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5549] close(5) = 0 [pid 5549] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5549] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5549] ioctl(3, LOOP_CLR_FD) = 0 [pid 5549] close(3) = 0 [pid 5549] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5549] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5547] <... futex resumed>) = 0 [ 131.748376][ T5549] loop0: detected capacity change from 0 to 4096 [ 131.767236][ T5549] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 131.774380][ T5549] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5547] exit_group(0 [pid 5549] <... futex resumed>) = ? [pid 5547] <... exit_group resumed>) = ? [pid 5549] +++ exited with 0 +++ [pid 5548] <... futex resumed>) = ? [pid 5548] +++ exited with 0 +++ [pid 5547] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5547, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=6 /* 0.06 s */} --- umount2("./169", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./169", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./169/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./169/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./169/binderfs") = 0 umount2("\x2e\x2f\x31\x36\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x36\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x36\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x36\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x36\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./169") = 0 mkdir("./170", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5550 attached , child_tidptr=0x555555f17690) = 5550 [pid 5550] set_robust_list(0x555555f176a0, 24) = 0 [pid 5550] chdir("./170") = 0 [pid 5550] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5550] setpgid(0, 0) = 0 [pid 5550] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5550] write(3, "1000", 4) = 4 [pid 5550] close(3) = 0 [pid 5550] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5550] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5550] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5550] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5550] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5550] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5550] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5550] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5551]}, 88) = 5551 [pid 5550] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5550] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5550] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5550] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5550] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5550] rt_sigprocmask(SIG_BLOCK, ~[], ./strace-static-x86_64: Process 5551 attached [], 8) = 0 [pid 5550] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5552 attached [pid 5552] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5552] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5550] <... clone3 resumed> => {parent_tid=[5552]}, 88) = 5552 [pid 5552] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5550] rt_sigprocmask(SIG_SETMASK, [], [pid 5552] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5550] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5550] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5552] <... futex resumed>) = 0 [pid 5550] <... futex resumed>) = 1 [pid 5552] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5551] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5550] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5551] <... rseq resumed>) = 0 [pid 5551] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5551] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5552] <... openat resumed>) = 3 [pid 5552] write(3, "85", 2) = 2 [pid 5552] memfd_create("syzkaller", 0 [pid 5551] memfd_create("syzkaller", 0 [pid 5552] <... memfd_create resumed>) = 4 [pid 5551] <... memfd_create resumed>) = 5 [pid 5552] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5551] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5552] <... mmap resumed>) = 0x7f793ef10000 [pid 5551] <... mmap resumed>) = 0x7f7936b10000 [ 131.882896][ T5552] FAULT_INJECTION: forcing a failure. [ 131.882896][ T5552] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 131.896669][ T5552] CPU: 1 PID: 5552 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 131.907287][ T5552] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 131.917362][ T5552] Call Trace: [ 131.920654][ T5552] [ 131.923589][ T5552] dump_stack_lvl+0x1e7/0x2d0 [ 131.928268][ T5552] ? nf_tcp_handle_invalid+0x650/0x650 [ 131.933718][ T5552] ? panic+0x770/0x770 [ 131.937787][ T5552] should_fail_ex+0x3aa/0x4e0 [ 131.942483][ T5552] prepare_alloc_pages+0x1d9/0x5b0 [ 131.947624][ T5552] __alloc_pages+0x165/0x670 [ 131.952220][ T5552] ? zone_statistics+0x170/0x170 [ 131.957170][ T5552] ? verify_lock_unused+0x140/0x140 [ 131.962884][ T5552] ? handle_mm_fault+0x11d/0x62b0 [ 131.967941][ T5552] ? __lock_acquire+0x7f70/0x7f70 [ 131.972967][ T5552] ? pte_offset_map_nolock+0x137/0x1e0 [ 131.978436][ T5552] __folio_alloc+0x13/0x30 [ 131.982861][ T5552] vma_alloc_folio+0x48a/0x9a0 [ 131.987630][ T5552] handle_mm_fault+0x2376/0x62b0 [ 131.992573][ T5552] ? handle_mm_fault+0x11d/0x62b0 [ 131.997612][ T5552] ? numa_migrate_prep+0x380/0x380 [ 132.002728][ T5552] ? mtree_range_walk+0x6a0/0x7e0 [ 132.007765][ T5552] ? lock_vma_under_rcu+0x187/0x6f0 [ 132.012964][ T5552] ? __lock_acquire+0x7f70/0x7f70 [ 132.018068][ T5552] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 132.023278][ T5552] ? lock_vma_under_rcu+0x5df/0x6f0 [ 132.028477][ T5552] ? lock_vma_under_rcu+0x187/0x6f0 [ 132.033680][ T5552] ? exc_page_fault+0x10f/0x860 [ 132.038525][ T5552] exc_page_fault+0x455/0x860 [ 132.043200][ T5552] asm_exc_page_fault+0x26/0x30 [ 132.048042][ T5552] RIP: 0033:0x7f794735bc53 [ 132.052454][ T5552] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 132.072162][ T5552] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [ 132.078233][ T5552] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 132.086201][ T5552] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 132.094174][ T5552] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 132.102140][ T5552] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 132.110111][ T5552] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 132.118088][ T5552] [ 132.127555][ T5552] pagefault_out_of_memory: 3 callbacks suppressed [pid 5551] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5552] munmap(0x7f793ef10000, 138412032 [pid 5551] <... write resumed>) = 2097152 [pid 5551] munmap(0x7f7936b10000, 2097152 [pid 5552] <... munmap resumed>) = 0 [pid 5552] close(4 [pid 5551] <... munmap resumed>) = 0 [pid 5552] <... close resumed>) = 0 [pid 5551] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5552] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5550] <... futex resumed>) = 0 [pid 5552] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5551] <... openat resumed>) = 4 [pid 5551] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5551] close(5) = 0 [pid 5551] mkdir("./file0", 0777) = 0 [ 132.127572][ T5552] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 132.167848][ T5551] loop0: detected capacity change from 0 to 4096 [pid 5551] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5551] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5551] chdir("./file0") = 0 [pid 5551] ioctl(4, LOOP_CLR_FD) = 0 [pid 5551] close(4) = 0 [pid 5551] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5550] exit_group(0 [pid 5552] <... futex resumed>) = ? [pid 5550] <... exit_group resumed>) = ? [ 132.181646][ T5551] ntfs: volume version 12.0. [pid 5552] +++ exited with 0 +++ [pid 5551] +++ exited with 0 +++ [pid 5550] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5550, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=30 /* 0.30 s */} --- umount2("./170", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./170", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./170/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./170/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./170/binderfs") = 0 umount2("./170/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./170/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./170/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./170/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./170/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./170/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./170") = 0 mkdir("./171", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5553 attached , child_tidptr=0x555555f17690) = 5553 [pid 5553] set_robust_list(0x555555f176a0, 24) = 0 [pid 5553] chdir("./171") = 0 [pid 5553] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5553] setpgid(0, 0) = 0 [pid 5553] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5553] write(3, "1000", 4) = 4 [pid 5553] close(3) = 0 [pid 5553] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5553] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5553] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5553] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5553] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5553] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5553] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5553] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5554 attached [pid 5554] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5553] <... clone3 resumed> => {parent_tid=[5554]}, 88) = 5554 [pid 5554] <... rseq resumed>) = 0 [pid 5554] set_robust_list(0x7f79473519a0, 24 [pid 5553] rt_sigprocmask(SIG_SETMASK, [], [pid 5554] <... set_robust_list resumed>) = 0 [pid 5553] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5554] rt_sigprocmask(SIG_SETMASK, [], [pid 5553] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5554] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5553] <... futex resumed>) = 0 [pid 5554] memfd_create("syzkaller", 0 [pid 5553] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5553] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5554] <... memfd_create resumed>) = 3 [pid 5554] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5553] <... mmap resumed>) = 0x7f7947310000 [pid 5553] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5554] <... mmap resumed>) = 0x7f793ef10000 [pid 5553] <... mprotect resumed>) = 0 [pid 5553] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5553] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5555 attached => {parent_tid=[5555]}, 88) = 5555 [pid 5555] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5553] rt_sigprocmask(SIG_SETMASK, [], [pid 5555] <... rseq resumed>) = 0 [pid 5553] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5555] set_robust_list(0x7f79473309a0, 24 [pid 5553] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5555] <... set_robust_list resumed>) = 0 [pid 5555] rt_sigprocmask(SIG_SETMASK, [], [pid 5553] <... futex resumed>) = 0 [pid 5555] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5553] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5555] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5555] write(4, "85", 2) = 2 [pid 5555] memfd_create("syzkaller", 0) = 5 [pid 5555] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5554] munmap(0x7f793ef10000, 138412032) = 0 [pid 5554] close(3) = 0 [pid 5554] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 132.313459][ T5555] FAULT_INJECTION: forcing a failure. [ 132.313459][ T5555] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 132.326811][ T5555] CPU: 1 PID: 5555 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 132.337241][ T5555] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 132.347635][ T5555] Call Trace: [ 132.350899][ T5555] [ 132.353812][ T5555] dump_stack_lvl+0x1e7/0x2d0 [ 132.358585][ T5555] ? nf_tcp_handle_invalid+0x650/0x650 [ 132.364027][ T5555] ? panic+0x770/0x770 [ 132.368087][ T5555] should_fail_ex+0x3aa/0x4e0 [ 132.372752][ T5555] prepare_alloc_pages+0x1d9/0x5b0 [ 132.377855][ T5555] __alloc_pages+0x165/0x670 [ 132.382435][ T5555] ? zone_statistics+0x170/0x170 [ 132.387358][ T5555] ? verify_lock_unused+0x140/0x140 [ 132.392543][ T5555] ? handle_mm_fault+0x11d/0x62b0 [ 132.397556][ T5555] ? __lock_acquire+0x7f70/0x7f70 [ 132.402564][ T5555] ? pte_offset_map_nolock+0x137/0x1e0 [ 132.408010][ T5555] __folio_alloc+0x13/0x30 [ 132.412412][ T5555] vma_alloc_folio+0x48a/0x9a0 [ 132.417251][ T5555] handle_mm_fault+0x2376/0x62b0 [ 132.422181][ T5555] ? handle_mm_fault+0x11d/0x62b0 [ 132.427203][ T5555] ? numa_migrate_prep+0x380/0x380 [ 132.432333][ T5555] ? mtree_range_walk+0x6a0/0x7e0 [ 132.437432][ T5555] ? lock_vma_under_rcu+0x187/0x6f0 [ 132.442617][ T5555] ? __lock_acquire+0x7f70/0x7f70 [ 132.447624][ T5555] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 132.452817][ T5555] ? lock_vma_under_rcu+0x5df/0x6f0 [ 132.458000][ T5555] ? lock_vma_under_rcu+0x187/0x6f0 [ 132.463186][ T5555] ? exc_page_fault+0x10f/0x860 [ 132.469239][ T5555] exc_page_fault+0x455/0x860 [ 132.473991][ T5555] asm_exc_page_fault+0x26/0x30 [ 132.478826][ T5555] RIP: 0033:0x7f794735bc53 [ 132.483222][ T5555] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 132.502899][ T5555] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5554] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5555] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5555] munmap(0x7f7936b10000, 2097152) = 0 [pid 5555] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 132.509040][ T5555] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 132.517169][ T5555] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 132.525210][ T5555] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 132.533163][ T5555] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 132.541130][ T5555] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 132.549105][ T5555] [ 132.553263][ T5555] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5555] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5555] close(5) = 0 [pid 5555] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5555] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5555] ioctl(3, LOOP_CLR_FD) = 0 [ 132.588567][ T5555] loop0: detected capacity change from 0 to 4096 [ 132.606858][ T5555] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 132.613917][ T5555] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5555] close(3) = 0 [pid 5555] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5553] <... futex resumed>) = 0 [pid 5553] exit_group(0 [pid 5554] <... futex resumed>) = ? [pid 5553] <... exit_group resumed>) = ? [pid 5554] +++ exited with 0 +++ [pid 5555] <... futex resumed>) = ? [pid 5555] +++ exited with 0 +++ [pid 5553] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5553, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- umount2("./171", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./171", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./171/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./171/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./171/binderfs") = 0 umount2("\x2e\x2f\x31\x37\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x37\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x37\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x37\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x37\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./171") = 0 mkdir("./172", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5556 attached [pid 5556] set_robust_list(0x555555f176a0, 24) = 0 [pid 5556] chdir("./172") = 0 [pid 5556] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5556 [pid 5556] <... prctl resumed>) = 0 [pid 5556] setpgid(0, 0) = 0 [pid 5556] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5556] write(3, "1000", 4) = 4 [pid 5556] close(3) = 0 [pid 5556] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5556] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5556] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5556] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5556] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5556] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5556] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5556] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5557 attached => {parent_tid=[5557]}, 88) = 5557 [pid 5556] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5556] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5556] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5556] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5557] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5556] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5557] <... rseq resumed>) = 0 [pid 5557] set_robust_list(0x7f79473519a0, 24 [pid 5556] <... mprotect resumed>) = 0 [pid 5557] <... set_robust_list resumed>) = 0 [pid 5557] rt_sigprocmask(SIG_SETMASK, [], [pid 5556] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5557] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5556] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5558 attached [pid 5558] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5558] set_robust_list(0x7f79473309a0, 24 [pid 5556] <... clone3 resumed> => {parent_tid=[5558]}, 88) = 5558 [pid 5558] <... set_robust_list resumed>) = 0 [pid 5558] rt_sigprocmask(SIG_SETMASK, [], [pid 5556] rt_sigprocmask(SIG_SETMASK, [], [pid 5558] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5556] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5558] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5557] memfd_create("syzkaller", 0 [pid 5556] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5558] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5556] <... futex resumed>) = 0 [pid 5558] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5557] <... memfd_create resumed>) = 3 [pid 5556] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5557] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5558] <... openat resumed>) = 4 [pid 5557] munmap(0x7f793ef10000, 138412032 [pid 5558] write(4, "85", 2) = 2 [pid 5557] <... munmap resumed>) = 0 [pid 5558] memfd_create("syzkaller", 0) = 5 [pid 5558] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5557] close(3 [pid 5558] <... mmap resumed>) = 0x7f793ef10000 [pid 5557] <... close resumed>) = 0 [pid 5557] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 132.725498][ T5558] FAULT_INJECTION: forcing a failure. [ 132.725498][ T5558] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 132.738797][ T5558] CPU: 0 PID: 5558 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 132.749247][ T5558] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 132.759296][ T5558] Call Trace: [ 132.762578][ T5558] [ 132.765512][ T5558] dump_stack_lvl+0x1e7/0x2d0 [ 132.770193][ T5558] ? nf_tcp_handle_invalid+0x650/0x650 [ 132.775653][ T5558] ? panic+0x770/0x770 [ 132.779726][ T5558] should_fail_ex+0x3aa/0x4e0 [ 132.784494][ T5558] prepare_alloc_pages+0x1d9/0x5b0 [ 132.789607][ T5558] __alloc_pages+0x165/0x670 [ 132.794192][ T5558] ? zone_statistics+0x170/0x170 [ 132.799133][ T5558] ? verify_lock_unused+0x140/0x140 [ 132.804321][ T5558] ? handle_mm_fault+0x11d/0x62b0 [ 132.809339][ T5558] ? __lock_acquire+0x7f70/0x7f70 [ 132.814349][ T5558] ? pte_offset_map_nolock+0x137/0x1e0 [ 132.819804][ T5558] __folio_alloc+0x13/0x30 [ 132.824214][ T5558] vma_alloc_folio+0x48a/0x9a0 [ 132.828986][ T5558] handle_mm_fault+0x2376/0x62b0 [ 132.833934][ T5558] ? handle_mm_fault+0x11d/0x62b0 [ 132.838962][ T5558] ? numa_migrate_prep+0x380/0x380 [ 132.844093][ T5558] ? mtree_range_walk+0x6a0/0x7e0 [ 132.849118][ T5558] ? lock_vma_under_rcu+0x187/0x6f0 [ 132.854312][ T5558] ? __lock_acquire+0x7f70/0x7f70 [ 132.859326][ T5558] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 132.864601][ T5558] ? lock_vma_under_rcu+0x5df/0x6f0 [ 132.869796][ T5558] ? lock_vma_under_rcu+0x187/0x6f0 [ 132.875010][ T5558] ? exc_page_fault+0x10f/0x860 [ 132.879942][ T5558] exc_page_fault+0x455/0x860 [ 132.884616][ T5558] asm_exc_page_fault+0x26/0x30 [ 132.889459][ T5558] RIP: 0033:0x7f794735bd00 [ 132.893869][ T5558] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 132.913492][ T5558] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5557] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5558] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5558] munmap(0x7f793ef10000, 2097152) = 0 [pid 5558] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 132.919584][ T5558] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 132.927645][ T5558] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 132.935807][ T5558] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 132.943812][ T5558] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 132.951806][ T5558] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 132.959907][ T5558] [ 132.965232][ T5558] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5558] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5558] close(5) = 0 [pid 5558] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5558] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 133.002952][ T5558] loop0: detected capacity change from 0 to 4096 [ 133.021393][ T5558] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 133.028607][ T5558] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5558] ioctl(3, LOOP_CLR_FD) = 0 [pid 5558] close(3) = 0 [pid 5558] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5556] <... futex resumed>) = 0 [pid 5558] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5556] exit_group(0 [pid 5557] <... futex resumed>) = ? [pid 5556] <... exit_group resumed>) = ? [pid 5558] <... futex resumed>) = ? [pid 5557] +++ exited with 0 +++ [pid 5558] +++ exited with 0 +++ [pid 5556] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5556, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=9 /* 0.09 s */} --- umount2("./172", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./172", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./172/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./172/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./172/binderfs") = 0 umount2("\x2e\x2f\x31\x37\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x37\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x37\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x37\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x37\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./172") = 0 mkdir("./173", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5559 ./strace-static-x86_64: Process 5559 attached [pid 5559] set_robust_list(0x555555f176a0, 24) = 0 [pid 5559] chdir("./173") = 0 [pid 5559] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5559] setpgid(0, 0) = 0 [pid 5559] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5559] write(3, "1000", 4) = 4 [pid 5559] close(3) = 0 [pid 5559] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5559] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5559] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5559] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5559] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5559] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5559] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5559] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5560 attached => {parent_tid=[5560]}, 88) = 5560 [pid 5559] rt_sigprocmask(SIG_SETMASK, [], [pid 5560] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5559] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5559] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5559] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5559] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5560] set_robust_list(0x7f79473519a0, 24 [pid 5559] <... mmap resumed>) = 0x7f7947310000 [pid 5559] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5560] <... set_robust_list resumed>) = 0 [pid 5560] rt_sigprocmask(SIG_SETMASK, [], [pid 5559] <... mprotect resumed>) = 0 [pid 5560] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5559] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5559] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5561 attached => {parent_tid=[5561]}, 88) = 5561 [pid 5559] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5559] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5561] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5560] memfd_create("syzkaller", 0 [pid 5561] <... rseq resumed>) = 0 [pid 5559] <... futex resumed>) = 0 [pid 5559] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5560] <... memfd_create resumed>) = 3 [pid 5560] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5561] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5561] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5561] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5561] write(4, "85", 2) = 2 [pid 5561] memfd_create("syzkaller", 0) = 5 [pid 5561] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 133.177902][ T5561] FAULT_INJECTION: forcing a failure. [ 133.177902][ T5561] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 133.191727][ T5561] CPU: 1 PID: 5561 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 133.202158][ T5561] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 133.212210][ T5561] Call Trace: [ 133.215527][ T5561] [ 133.218455][ T5561] dump_stack_lvl+0x1e7/0x2d0 [ 133.223130][ T5561] ? nf_tcp_handle_invalid+0x650/0x650 [ 133.228584][ T5561] ? panic+0x770/0x770 [ 133.232652][ T5561] should_fail_ex+0x3aa/0x4e0 [ 133.237326][ T5561] prepare_alloc_pages+0x1d9/0x5b0 [ 133.242451][ T5561] __alloc_pages+0x165/0x670 [ 133.247038][ T5561] ? zone_statistics+0x170/0x170 [ 133.251975][ T5561] ? verify_lock_unused+0x140/0x140 [ 133.257167][ T5561] ? handle_mm_fault+0x11d/0x62b0 [ 133.262185][ T5561] ? __lock_acquire+0x7f70/0x7f70 [ 133.267196][ T5561] ? pte_offset_map_nolock+0x137/0x1e0 [ 133.272651][ T5561] __folio_alloc+0x13/0x30 [ 133.277061][ T5561] vma_alloc_folio+0x48a/0x9a0 [ 133.281822][ T5561] handle_mm_fault+0x2376/0x62b0 [ 133.286766][ T5561] ? handle_mm_fault+0x11d/0x62b0 [ 133.291792][ T5561] ? numa_migrate_prep+0x380/0x380 [ 133.296914][ T5561] ? mtree_range_walk+0x6a0/0x7e0 [ 133.301933][ T5561] ? lock_vma_under_rcu+0x187/0x6f0 [ 133.307128][ T5561] ? __lock_acquire+0x7f70/0x7f70 [ 133.312141][ T5561] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 133.317344][ T5561] ? lock_vma_under_rcu+0x5df/0x6f0 [ 133.322537][ T5561] ? lock_vma_under_rcu+0x187/0x6f0 [ 133.327745][ T5561] ? exc_page_fault+0x10f/0x860 [ 133.332589][ T5561] exc_page_fault+0x455/0x860 [ 133.337262][ T5561] asm_exc_page_fault+0x26/0x30 [ 133.342104][ T5561] RIP: 0033:0x7f794735bc53 [ 133.346513][ T5561] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 133.366112][ T5561] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 133.372170][ T5561] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 133.380130][ T5561] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 133.388264][ T5561] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 133.396228][ T5561] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 133.404189][ T5561] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 133.412161][ T5561] [pid 5560] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2591604) = 2591604 [pid 5560] munmap(0x7f793ef10000, 2591604 [pid 5561] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5560] <... munmap resumed>) = 0 [pid 5560] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 133.421729][ T5561] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5560] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5560] close(3) = 0 [pid 5560] mkdir("./file0", 0777) = 0 [pid 5560] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5560] ioctl(6, LOOP_CLR_FD [pid 5561] <... write resumed>) = 2097152 [pid 5561] munmap(0x7f7936b10000, 2097152) = 0 [pid 5561] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5561] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5561] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5561] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5561] close(3) = 0 [pid 5561] close(5) = 0 [pid 5561] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5559] <... futex resumed>) = 0 [ 133.461613][ T5560] loop0: detected capacity change from 0 to 5061 [pid 5561] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5560] <... ioctl resumed>) = 0 [pid 5560] close(6) = 0 [pid 5560] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5560] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5559] exit_group(0 [pid 5561] <... futex resumed>) = ? [pid 5560] <... futex resumed>) = ? [pid 5559] <... exit_group resumed>) = ? [pid 5561] +++ exited with 0 +++ [pid 5560] +++ exited with 0 +++ [pid 5559] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5559, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=38 /* 0.38 s */} --- umount2("./173", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./173", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./173/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./173/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./173/binderfs") = 0 umount2("./173/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./173/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./173/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./173/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./173/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./173") = 0 mkdir("./174", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5562 attached , child_tidptr=0x555555f17690) = 5562 [pid 5562] set_robust_list(0x555555f176a0, 24) = 0 [pid 5562] chdir("./174") = 0 [pid 5562] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5562] setpgid(0, 0) = 0 [pid 5562] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5562] write(3, "1000", 4) = 4 [pid 5562] close(3) = 0 [pid 5562] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5562] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5562] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5562] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5562] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5562] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5562] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5562] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5563]}, 88) = 5563 [pid 5562] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5562] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5562] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5562] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5562] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5562] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5562] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5564 attached => {parent_tid=[5564]}, 88) = 5564 [pid 5564] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5562] rt_sigprocmask(SIG_SETMASK, [], [pid 5564] set_robust_list(0x7f79473309a0, 24 [pid 5562] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5563 attached [pid 5564] <... set_robust_list resumed>) = 0 [pid 5562] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5564] rt_sigprocmask(SIG_SETMASK, [], [pid 5562] <... futex resumed>) = 0 [pid 5564] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5563] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5562] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5564] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5563] <... rseq resumed>) = 0 [pid 5563] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5563] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5564] <... openat resumed>) = 3 [pid 5564] write(3, "85", 2 [pid 5563] memfd_create("syzkaller", 0 [pid 5564] <... write resumed>) = 2 [pid 5564] memfd_create("syzkaller", 0 [pid 5563] <... memfd_create resumed>) = 4 [pid 5564] <... memfd_create resumed>) = 5 [pid 5563] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5564] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5563] <... mmap resumed>) = 0x7f793ef10000 [ 133.610824][ T5564] FAULT_INJECTION: forcing a failure. [ 133.610824][ T5564] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 133.624374][ T5564] CPU: 1 PID: 5564 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 133.634811][ T5564] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 133.644885][ T5564] Call Trace: [ 133.648166][ T5564] [ 133.651111][ T5564] dump_stack_lvl+0x1e7/0x2d0 [ 133.655801][ T5564] ? nf_tcp_handle_invalid+0x650/0x650 [ 133.661271][ T5564] ? panic+0x770/0x770 [ 133.665365][ T5564] should_fail_ex+0x3aa/0x4e0 [ 133.670156][ T5564] prepare_alloc_pages+0x1d9/0x5b0 [ 133.675291][ T5564] __alloc_pages+0x165/0x670 [ 133.679887][ T5564] ? zone_statistics+0x170/0x170 [ 133.684844][ T5564] ? verify_lock_unused+0x140/0x140 [ 133.690056][ T5564] ? handle_mm_fault+0x11d/0x62b0 [ 133.695087][ T5564] ? __lock_acquire+0x7f70/0x7f70 [ 133.700116][ T5564] ? pte_offset_map_nolock+0x137/0x1e0 [ 133.705580][ T5564] __folio_alloc+0x13/0x30 [ 133.710261][ T5564] vma_alloc_folio+0x48a/0x9a0 [ 133.715028][ T5564] handle_mm_fault+0x2376/0x62b0 [ 133.719970][ T5564] ? handle_mm_fault+0x11d/0x62b0 [ 133.725000][ T5564] ? numa_migrate_prep+0x380/0x380 [ 133.730116][ T5564] ? mtree_range_walk+0x6a0/0x7e0 [ 133.735139][ T5564] ? lock_vma_under_rcu+0x187/0x6f0 [ 133.740505][ T5564] ? __lock_acquire+0x7f70/0x7f70 [ 133.745540][ T5564] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 133.750743][ T5564] ? lock_vma_under_rcu+0x5df/0x6f0 [ 133.755944][ T5564] ? lock_vma_under_rcu+0x187/0x6f0 [ 133.761231][ T5564] ? exc_page_fault+0x10f/0x860 [ 133.766082][ T5564] exc_page_fault+0x455/0x860 [ 133.770769][ T5564] asm_exc_page_fault+0x26/0x30 [ 133.775612][ T5564] RIP: 0033:0x7f794735bc53 [ 133.780021][ T5564] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 133.799621][ T5564] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5563] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5564] munmap(0x7f7936b10000, 138412032) = 0 [pid 5564] close(5) = 0 [pid 5564] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5562] <... futex resumed>) = 0 [pid 5564] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5563] <... write resumed>) = 2097152 [pid 5563] munmap(0x7f793ef10000, 2097152) = 0 [pid 5563] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 133.805684][ T5564] RAX: 0000000000087000 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 133.813646][ T5564] RDX: 00007f794732f8f0 RSI: 0000000000000002 RDI: 00007f794732f7f0 [ 133.821632][ T5564] RBP: 00000000000000ac R08: 0000000000000009 R09: 0000000000000127 [ 133.829611][ T5564] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 133.837584][ T5564] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f794732f7f0 [ 133.845570][ T5564] [ 133.848836][ T5564] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5563] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5563] close(4) = 0 [pid 5563] mkdir("./file0", 0777) = 0 [pid 5563] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5563] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5563] chdir("./file0") = 0 [pid 5563] ioctl(5, LOOP_CLR_FD) = 0 [pid 5563] close(5) = 0 [pid 5563] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5563] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5562] exit_group(0 [pid 5564] <... futex resumed>) = ? [pid 5563] <... futex resumed>) = ? [pid 5564] +++ exited with 0 +++ [pid 5563] +++ exited with 0 +++ [pid 5562] <... exit_group resumed>) = ? [pid 5562] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5562, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./174", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./174", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./174/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./174/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./174/binderfs") = 0 umount2("./174/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./174/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./174/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./174/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./174/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./174/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./174") = 0 mkdir("./175", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5565 attached , child_tidptr=0x555555f17690) = 5565 [pid 5565] set_robust_list(0x555555f176a0, 24) = 0 [pid 5565] chdir("./175") = 0 [pid 5565] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5565] setpgid(0, 0) = 0 [pid 5565] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5565] write(3, "1000", 4) = 4 [pid 5565] close(3) = 0 [pid 5565] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5565] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5565] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5565] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5565] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5565] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [ 133.889361][ T5563] loop0: detected capacity change from 0 to 4096 [ 133.902584][ T5563] ntfs: volume version 12.0. [pid 5565] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5565] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5566 attached [pid 5566] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5565] <... clone3 resumed> => {parent_tid=[5566]}, 88) = 5566 [pid 5566] <... rseq resumed>) = 0 [pid 5565] rt_sigprocmask(SIG_SETMASK, [], [pid 5566] set_robust_list(0x7f79473519a0, 24 [pid 5565] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5566] <... set_robust_list resumed>) = 0 [pid 5565] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5566] rt_sigprocmask(SIG_SETMASK, [], [pid 5565] <... futex resumed>) = 0 [pid 5566] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5565] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5566] memfd_create("syzkaller", 0 [pid 5565] <... futex resumed>) = 0 [pid 5565] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5565] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5565] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5565] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5567 attached [pid 5566] <... memfd_create resumed>) = 3 [pid 5565] <... clone3 resumed> => {parent_tid=[5567]}, 88) = 5567 [pid 5567] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5566] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5565] rt_sigprocmask(SIG_SETMASK, [], [pid 5566] <... mmap resumed>) = 0x7f793ef10000 [pid 5565] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5565] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5567] <... rseq resumed>) = 0 [pid 5565] <... futex resumed>) = 0 [pid 5565] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5567] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5567] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5567] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5566] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5567] write(4, "85", 2) = 2 [pid 5567] memfd_create("syzkaller", 0) = 5 [pid 5567] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5566] <... write resumed>) = 2097152 [ 133.991374][ T5567] FAULT_INJECTION: forcing a failure. [ 133.991374][ T5567] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 134.005446][ T5567] CPU: 0 PID: 5567 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 134.015958][ T5567] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 134.026264][ T5567] Call Trace: [ 134.029607][ T5567] [ 134.032528][ T5567] dump_stack_lvl+0x1e7/0x2d0 [ 134.037290][ T5567] ? nf_tcp_handle_invalid+0x650/0x650 [ 134.042771][ T5567] ? panic+0x770/0x770 [ 134.046869][ T5567] should_fail_ex+0x3aa/0x4e0 [ 134.051724][ T5567] prepare_alloc_pages+0x1d9/0x5b0 [ 134.056869][ T5567] __alloc_pages+0x165/0x670 [ 134.061458][ T5567] ? zone_statistics+0x170/0x170 [ 134.066421][ T5567] ? verify_lock_unused+0x140/0x140 [ 134.071624][ T5567] ? handle_mm_fault+0x11d/0x62b0 [ 134.076643][ T5567] ? __lock_acquire+0x7f70/0x7f70 [ 134.081669][ T5567] ? pte_offset_map_nolock+0x137/0x1e0 [ 134.087151][ T5567] __folio_alloc+0x13/0x30 [ 134.091590][ T5567] vma_alloc_folio+0x48a/0x9a0 [ 134.096360][ T5567] handle_mm_fault+0x2376/0x62b0 [ 134.101318][ T5567] ? handle_mm_fault+0x11d/0x62b0 [ 134.106381][ T5567] ? numa_migrate_prep+0x380/0x380 [ 134.111517][ T5567] ? mtree_range_walk+0x6a0/0x7e0 [ 134.116557][ T5567] ? lock_vma_under_rcu+0x187/0x6f0 [ 134.121759][ T5567] ? __lock_acquire+0x7f70/0x7f70 [ 134.126777][ T5567] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 134.132008][ T5567] ? lock_vma_under_rcu+0x5df/0x6f0 [ 134.137204][ T5567] ? lock_vma_under_rcu+0x187/0x6f0 [ 134.142436][ T5567] ? exc_page_fault+0x10f/0x860 [ 134.147315][ T5567] exc_page_fault+0x455/0x860 [ 134.152003][ T5567] asm_exc_page_fault+0x26/0x30 [ 134.156864][ T5567] RIP: 0033:0x7f794735bc53 [ 134.161272][ T5567] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 134.180964][ T5567] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5566] munmap(0x7f793ef10000, 2097152) = 0 [pid 5566] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 134.187038][ T5567] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 134.195016][ T5567] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 134.202977][ T5567] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 134.210941][ T5567] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 134.218949][ T5567] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 134.226944][ T5567] [ 134.230619][ T5567] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5566] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5566] close(3) = 0 [pid 5566] mkdir("./file0", 0777) = 0 [ 134.241949][ T5566] loop0: detected capacity change from 0 to 4096 [ 134.257088][ T5566] __ntfs_error: 78 callbacks suppressed [ 134.257105][ T5566] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 134.273534][ T5566] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5566] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5567] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5567] munmap(0x7f7936b10000, 2097152) = 0 [pid 5567] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5567] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5567] ioctl(3, LOOP_CLR_FD) = 0 [ 134.286897][ T5566] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 134.303823][ T5566] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 134.315822][ T5566] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 134.323894][ T5566] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [pid 5567] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5567] close(3) = 0 [pid 5567] close(5) = 0 [pid 5567] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5565] <... futex resumed>) = 0 [pid 5567] <... futex resumed>) = 1 [ 134.337833][ T5566] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 134.357764][ T5566] ntfs: volume version 12.0. [ 134.362697][ T5566] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 134.371700][ T5566] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [pid 5567] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5566] <... mount resumed>) = 0 [pid 5566] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5566] chdir("./file0") = 0 [pid 5566] ioctl(6, LOOP_CLR_FD) = 0 [pid 5566] close(6) = 0 [pid 5566] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5566] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5565] exit_group(0 [pid 5567] <... futex resumed>) = ? [pid 5566] <... futex resumed>) = ? [pid 5565] <... exit_group resumed>) = ? [pid 5566] +++ exited with 0 +++ [pid 5567] +++ exited with 0 +++ [pid 5565] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5565, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=24 /* 0.24 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./175", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./175", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./175/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./175/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./175/binderfs") = 0 umount2("./175/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./175/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./175/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./175/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./175/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./175/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./175") = 0 mkdir("./176", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 [ 134.385022][ T5566] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5568 attached , child_tidptr=0x555555f17690) = 5568 [pid 5568] set_robust_list(0x555555f176a0, 24) = 0 [pid 5568] chdir("./176") = 0 [pid 5568] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5568] setpgid(0, 0) = 0 [pid 5568] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5568] write(3, "1000", 4) = 4 [pid 5568] close(3) = 0 [pid 5568] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5568] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5568] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5568] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5568] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5568] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5568] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5568] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5569 attached [pid 5569] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5568] <... clone3 resumed> => {parent_tid=[5569]}, 88) = 5569 [pid 5569] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5568] rt_sigprocmask(SIG_SETMASK, [], [pid 5569] rt_sigprocmask(SIG_SETMASK, [], [pid 5568] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5569] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5568] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5569] memfd_create("syzkaller", 0 [pid 5568] <... futex resumed>) = 0 [pid 5568] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5568] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5568] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5568] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5569] <... memfd_create resumed>) = 3 [pid 5568] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5568] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5569] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5568] <... clone3 resumed> => {parent_tid=[5570]}, 88) = 5570 [pid 5568] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5568] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5568] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5570 attached [pid 5570] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5570] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5570] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5570] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5570] write(4, "85", 2) = 2 [pid 5570] memfd_create("syzkaller", 0) = 5 [pid 5570] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5569] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 134.493426][ T5570] FAULT_INJECTION: forcing a failure. [ 134.493426][ T5570] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 134.515323][ T5570] CPU: 0 PID: 5570 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 134.525780][ T5570] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 134.536040][ T5570] Call Trace: [ 134.539335][ T5570] [ 134.542361][ T5570] dump_stack_lvl+0x1e7/0x2d0 [ 134.547053][ T5570] ? nf_tcp_handle_invalid+0x650/0x650 [ 134.552633][ T5570] ? panic+0x770/0x770 [ 134.556737][ T5570] should_fail_ex+0x3aa/0x4e0 [ 134.561431][ T5570] prepare_alloc_pages+0x1d9/0x5b0 [ 134.566565][ T5570] __alloc_pages+0x165/0x670 [ 134.571170][ T5570] ? zone_statistics+0x170/0x170 [ 134.576214][ T5570] ? verify_lock_unused+0x140/0x140 [ 134.581479][ T5570] ? handle_mm_fault+0x11d/0x62b0 [ 134.587053][ T5570] ? __lock_acquire+0x7f70/0x7f70 [ 134.592094][ T5570] ? pte_offset_map_nolock+0x137/0x1e0 [ 134.597553][ T5570] __folio_alloc+0x13/0x30 [ 134.601989][ T5570] vma_alloc_folio+0x48a/0x9a0 [ 134.606776][ T5570] handle_mm_fault+0x2376/0x62b0 [ 134.611731][ T5570] ? handle_mm_fault+0x11d/0x62b0 [ 134.616781][ T5570] ? numa_migrate_prep+0x380/0x380 [ 134.621917][ T5570] ? mtree_range_walk+0x6a0/0x7e0 [ 134.626941][ T5570] ? lock_vma_under_rcu+0x187/0x6f0 [ 134.632163][ T5570] ? __lock_acquire+0x7f70/0x7f70 [ 134.637226][ T5570] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 134.642427][ T5570] ? lock_vma_under_rcu+0x5df/0x6f0 [ 134.647641][ T5570] ? lock_vma_under_rcu+0x187/0x6f0 [ 134.652857][ T5570] ? exc_page_fault+0x10f/0x860 [ 134.657807][ T5570] exc_page_fault+0x455/0x860 [ 134.662569][ T5570] asm_exc_page_fault+0x26/0x30 [ 134.667414][ T5570] RIP: 0033:0x7f794735bc53 [ 134.671819][ T5570] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 134.691510][ T5570] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 134.697580][ T5570] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 134.705570][ T5570] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 134.713532][ T5570] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 134.721501][ T5570] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 134.729478][ T5570] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 134.737500][ T5570] [pid 5569] munmap(0x7f793ef10000, 2097152) = 0 [pid 5569] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5569] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5569] close(3) = 0 [pid 5569] mkdir("./file0", 0777) = 0 [pid 5569] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5570] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5569] <... mount resumed>) = 0 [pid 5569] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5569] chdir("./file0") = 0 [pid 5569] ioctl(6, LOOP_CLR_FD) = 0 [pid 5569] close(6) = 0 [pid 5569] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5569] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5570] <... write resumed>) = 2097152 [pid 5570] munmap(0x7f7936b10000, 2097152) = 0 [pid 5570] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5570] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5570] ioctl(6, LOOP_CLR_FD) = 0 [pid 5570] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [ 134.741479][ T5570] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 134.757647][ T5569] loop0: detected capacity change from 0 to 4096 [ 134.773911][ T5569] ntfs: volume version 12.0. [pid 5570] close(6) = 0 [pid 5570] close(5) = 0 [pid 5570] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5568] <... futex resumed>) = 0 [pid 5570] <... futex resumed>) = 1 [pid 5570] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5568] exit_group(0 [pid 5569] <... futex resumed>) = ? [pid 5568] <... exit_group resumed>) = ? [pid 5570] <... futex resumed>) = ? [pid 5570] +++ exited with 0 +++ [pid 5569] +++ exited with 0 +++ [pid 5568] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5568, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=12 /* 0.12 s */} --- umount2("./176", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./176", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./176/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./176/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./176/binderfs") = 0 umount2("./176/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./176/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./176/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./176/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./176/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./176/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./176") = 0 mkdir("./177", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5571 ./strace-static-x86_64: Process 5571 attached [pid 5571] set_robust_list(0x555555f176a0, 24) = 0 [pid 5571] chdir("./177") = 0 [pid 5571] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5571] setpgid(0, 0) = 0 [pid 5571] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5571] write(3, "1000", 4) = 4 [pid 5571] close(3) = 0 [pid 5571] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5571] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5571] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5571] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5571] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5571] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5571] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5571] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5572 attached => {parent_tid=[5572]}, 88) = 5572 [pid 5571] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5571] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5571] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5571] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5572] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5571] <... mmap resumed>) = 0x7f7947310000 [pid 5571] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5572] <... rseq resumed>) = 0 [pid 5571] <... mprotect resumed>) = 0 [pid 5572] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5572] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5571] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5571] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5573 attached [pid 5573] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5571] <... clone3 resumed> => {parent_tid=[5573]}, 88) = 5573 [pid 5573] <... rseq resumed>) = 0 [pid 5571] rt_sigprocmask(SIG_SETMASK, [], [pid 5573] set_robust_list(0x7f79473309a0, 24 [pid 5571] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5573] <... set_robust_list resumed>) = 0 [pid 5571] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5573] rt_sigprocmask(SIG_SETMASK, [], [pid 5571] <... futex resumed>) = 0 [pid 5573] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5571] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5573] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5572] memfd_create("syzkaller", 0 [pid 5573] <... openat resumed>) = 3 [pid 5573] write(3, "85", 2) = 2 [pid 5573] memfd_create("syzkaller", 0) = 4 [pid 5573] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5572] <... memfd_create resumed>) = 5 [pid 5572] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5572] munmap(0x7f7936b10000, 138412032) = 0 [pid 5572] close(5) = 0 [pid 5572] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 134.929383][ T5573] FAULT_INJECTION: forcing a failure. [ 134.929383][ T5573] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 134.943037][ T5573] CPU: 1 PID: 5573 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 134.953463][ T5573] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 134.963565][ T5573] Call Trace: [ 134.966860][ T5573] [ 134.969815][ T5573] dump_stack_lvl+0x1e7/0x2d0 [ 134.974506][ T5573] ? nf_tcp_handle_invalid+0x650/0x650 [ 134.979992][ T5573] ? panic+0x770/0x770 [ 134.984093][ T5573] should_fail_ex+0x3aa/0x4e0 [ 134.988881][ T5573] prepare_alloc_pages+0x1d9/0x5b0 [ 134.994258][ T5573] __alloc_pages+0x165/0x670 [ 134.998938][ T5573] ? zone_statistics+0x170/0x170 [ 135.003894][ T5573] ? verify_lock_unused+0x140/0x140 [ 135.009091][ T5573] ? handle_mm_fault+0x11d/0x62b0 [ 135.014288][ T5573] ? __lock_acquire+0x7f70/0x7f70 [ 135.019427][ T5573] ? pte_offset_map_nolock+0x137/0x1e0 [ 135.024906][ T5573] __folio_alloc+0x13/0x30 [ 135.029341][ T5573] vma_alloc_folio+0x48a/0x9a0 [ 135.034134][ T5573] handle_mm_fault+0x2376/0x62b0 [ 135.039080][ T5573] ? handle_mm_fault+0x11d/0x62b0 [ 135.044150][ T5573] ? numa_migrate_prep+0x380/0x380 [ 135.049270][ T5573] ? mtree_range_walk+0x6a0/0x7e0 [ 135.054294][ T5573] ? lock_vma_under_rcu+0x187/0x6f0 [ 135.059488][ T5573] ? __lock_acquire+0x7f70/0x7f70 [ 135.065119][ T5573] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 135.070325][ T5573] ? lock_vma_under_rcu+0x5df/0x6f0 [ 135.075633][ T5573] ? lock_vma_under_rcu+0x187/0x6f0 [ 135.080874][ T5573] ? exc_page_fault+0x10f/0x860 [ 135.085737][ T5573] exc_page_fault+0x455/0x860 [ 135.090513][ T5573] asm_exc_page_fault+0x26/0x30 [ 135.095369][ T5573] RIP: 0033:0x7f794735bc53 [ 135.099785][ T5573] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 135.119407][ T5573] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5572] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5573] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5573] munmap(0x7f793ef10000, 2097152) = 0 [pid 5573] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 135.125503][ T5573] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 135.133497][ T5573] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 135.141499][ T5573] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 135.149567][ T5573] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 135.157565][ T5573] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 135.165639][ T5573] [ 135.169216][ T5573] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5573] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5573] close(4) = 0 [pid 5573] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5573] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5573] ioctl(5, LOOP_CLR_FD) = 0 [pid 5573] close(5) = 0 [pid 5573] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [ 135.208834][ T5573] loop0: detected capacity change from 0 to 4096 [ 135.227152][ T5573] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 135.234247][ T5573] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5573] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5571] <... futex resumed>) = 0 [pid 5571] exit_group(0) = ? [pid 5573] <... futex resumed>) = ? [pid 5573] +++ exited with 0 +++ [pid 5572] <... futex resumed>) = ? [pid 5572] +++ exited with 0 +++ [pid 5571] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5571, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./177", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./177", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./177/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./177/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./177/binderfs") = 0 umount2("\x2e\x2f\x31\x37\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x37\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x37\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x37\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x37\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./177") = 0 mkdir("./178", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5574 attached [pid 5574] set_robust_list(0x555555f176a0, 24) = 0 [pid 5574] chdir("./178") = 0 [pid 5574] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5574] setpgid(0, 0) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5574 [pid 5574] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5574] write(3, "1000", 4) = 4 [pid 5574] close(3) = 0 [pid 5574] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5574] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5574] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5574] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5574] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5574] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5574] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5574] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5575 attached [pid 5575] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5575] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5574] <... clone3 resumed> => {parent_tid=[5575]}, 88) = 5575 [pid 5575] rt_sigprocmask(SIG_SETMASK, [], [pid 5574] rt_sigprocmask(SIG_SETMASK, [], [pid 5575] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5574] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5575] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5574] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5575] <... futex resumed>) = 0 [pid 5574] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5574] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5574] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5575] memfd_create("syzkaller", 0) = 3 [pid 5574] <... mprotect resumed>) = 0 [pid 5575] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5574] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5574] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5576 attached => {parent_tid=[5576]}, 88) = 5576 [pid 5576] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5574] rt_sigprocmask(SIG_SETMASK, [], [pid 5576] <... rseq resumed>) = 0 [pid 5576] set_robust_list(0x7f79473309a0, 24 [pid 5574] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5576] <... set_robust_list resumed>) = 0 [pid 5576] rt_sigprocmask(SIG_SETMASK, [], [pid 5574] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5576] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5574] <... futex resumed>) = 0 [pid 5576] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5574] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5576] <... openat resumed>) = 4 [pid 5576] write(4, "85", 2) = 2 [pid 5576] memfd_create("syzkaller", 0) = 5 [pid 5576] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5575] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2086949) = 2086949 [ 135.371002][ T5576] FAULT_INJECTION: forcing a failure. [ 135.371002][ T5576] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 135.384592][ T5576] CPU: 0 PID: 5576 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 135.395227][ T5576] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 135.405313][ T5576] Call Trace: [ 135.408692][ T5576] [ 135.411648][ T5576] dump_stack_lvl+0x1e7/0x2d0 [ 135.416339][ T5576] ? nf_tcp_handle_invalid+0x650/0x650 [ 135.422002][ T5576] ? panic+0x770/0x770 [ 135.426293][ T5576] should_fail_ex+0x3aa/0x4e0 [ 135.430993][ T5576] prepare_alloc_pages+0x1d9/0x5b0 [ 135.436107][ T5576] __alloc_pages+0x165/0x670 [ 135.440695][ T5576] ? zone_statistics+0x170/0x170 [ 135.445631][ T5576] ? verify_lock_unused+0x140/0x140 [ 135.450834][ T5576] ? handle_mm_fault+0x11d/0x62b0 [ 135.455887][ T5576] ? __lock_acquire+0x7f70/0x7f70 [ 135.460916][ T5576] ? pte_offset_map_nolock+0x137/0x1e0 [ 135.466378][ T5576] __folio_alloc+0x13/0x30 [ 135.470876][ T5576] vma_alloc_folio+0x48a/0x9a0 [ 135.475649][ T5576] handle_mm_fault+0x2376/0x62b0 [ 135.480603][ T5576] ? handle_mm_fault+0x11d/0x62b0 [ 135.485663][ T5576] ? numa_migrate_prep+0x380/0x380 [ 135.490780][ T5576] ? mtree_range_walk+0x6a0/0x7e0 [ 135.495814][ T5576] ? lock_vma_under_rcu+0x187/0x6f0 [ 135.501034][ T5576] ? __lock_acquire+0x7f70/0x7f70 [ 135.506149][ T5576] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 135.511453][ T5576] ? lock_vma_under_rcu+0x5df/0x6f0 [ 135.517353][ T5576] ? lock_vma_under_rcu+0x187/0x6f0 [ 135.522569][ T5576] ? exc_page_fault+0x10f/0x860 [ 135.527428][ T5576] exc_page_fault+0x455/0x860 [ 135.532122][ T5576] asm_exc_page_fault+0x26/0x30 [ 135.536993][ T5576] RIP: 0033:0x7f794735bc53 [ 135.541507][ T5576] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 135.561808][ T5576] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5575] munmap(0x7f793ef10000, 2086949) = 0 [pid 5575] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 135.567879][ T5576] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 135.575857][ T5576] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 135.583826][ T5576] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 135.591799][ T5576] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 135.599866][ T5576] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 135.607875][ T5576] [pid 5575] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5575] close(3) = 0 [pid 5575] mkdir("./file0", 0777) = 0 [pid 5575] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5575] ioctl(6, LOOP_CLR_FD [pid 5576] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5576] munmap(0x7f7936b10000, 2097152) = 0 [pid 5576] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5576] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5576] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5576] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5576] close(3) = 0 [pid 5576] close(5) = 0 [pid 5576] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5574] <... futex resumed>) = 0 [pid 5576] <... futex resumed>) = 1 [ 135.615250][ T5576] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 135.620255][ T5575] loop0: detected capacity change from 0 to 4076 [pid 5576] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5575] <... ioctl resumed>) = 0 [pid 5575] close(6) = 0 [pid 5575] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5575] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5574] exit_group(0) = ? [pid 5575] <... futex resumed>) = ? [pid 5575] +++ exited with 0 +++ [pid 5576] <... futex resumed>) = ? [pid 5576] +++ exited with 0 +++ [pid 5574] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5574, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./178", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./178", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./178/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./178/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./178/binderfs") = 0 umount2("./178/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./178/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./178/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./178/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./178/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./178") = 0 mkdir("./179", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5577 attached , child_tidptr=0x555555f17690) = 5577 [pid 5577] set_robust_list(0x555555f176a0, 24) = 0 [pid 5577] chdir("./179") = 0 [pid 5577] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5577] setpgid(0, 0) = 0 [pid 5577] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5577] write(3, "1000", 4) = 4 [pid 5577] close(3) = 0 [pid 5577] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5577] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5577] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5577] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5577] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5577] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5577] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5577] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5578 attached [pid 5578] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5578] set_robust_list(0x7f79473519a0, 24 [pid 5577] <... clone3 resumed> => {parent_tid=[5578]}, 88) = 5578 [pid 5578] <... set_robust_list resumed>) = 0 [pid 5578] rt_sigprocmask(SIG_SETMASK, [], [pid 5577] rt_sigprocmask(SIG_SETMASK, [], [pid 5578] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5578] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5577] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5577] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5577] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5578] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5577] <... futex resumed>) = 0 [pid 5577] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5578] memfd_create("syzkaller", 0 [pid 5577] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5578] <... memfd_create resumed>) = 3 [pid 5577] <... mprotect resumed>) = 0 [pid 5577] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5577] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5579 attached [pid 5578] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5579] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5577] <... clone3 resumed> => {parent_tid=[5579]}, 88) = 5579 [pid 5579] <... rseq resumed>) = 0 [pid 5579] set_robust_list(0x7f79473309a0, 24 [pid 5577] rt_sigprocmask(SIG_SETMASK, [], [pid 5579] <... set_robust_list resumed>) = 0 [pid 5579] rt_sigprocmask(SIG_SETMASK, [], [pid 5577] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5579] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5579] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5577] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5579] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5577] <... futex resumed>) = 0 [pid 5577] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5579] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5578] munmap(0x7f793ef10000, 138412032 [pid 5579] <... openat resumed>) = 4 [pid 5579] write(4, "85", 2) = 2 [pid 5579] memfd_create("syzkaller", 0) = 5 [pid 5579] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5578] <... munmap resumed>) = 0 [pid 5579] <... mmap resumed>) = 0x7f793ef10000 [pid 5578] close(3) = 0 [pid 5578] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 135.771449][ T5579] FAULT_INJECTION: forcing a failure. [ 135.771449][ T5579] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 135.784810][ T5579] CPU: 1 PID: 5579 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 135.795240][ T5579] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 135.805288][ T5579] Call Trace: [ 135.808562][ T5579] [ 135.811487][ T5579] dump_stack_lvl+0x1e7/0x2d0 [ 135.816158][ T5579] ? nf_tcp_handle_invalid+0x650/0x650 [ 135.821627][ T5579] ? panic+0x770/0x770 [ 135.825697][ T5579] should_fail_ex+0x3aa/0x4e0 [ 135.830399][ T5579] prepare_alloc_pages+0x1d9/0x5b0 [ 135.835535][ T5579] __alloc_pages+0x165/0x670 [ 135.840122][ T5579] ? zone_statistics+0x170/0x170 [ 135.845084][ T5579] ? verify_lock_unused+0x140/0x140 [ 135.850305][ T5579] ? handle_mm_fault+0x11d/0x62b0 [ 135.855339][ T5579] ? __lock_acquire+0x7f70/0x7f70 [ 135.860356][ T5579] ? pte_offset_map_nolock+0x137/0x1e0 [ 135.865816][ T5579] __folio_alloc+0x13/0x30 [ 135.870232][ T5579] vma_alloc_folio+0x48a/0x9a0 [ 135.874999][ T5579] handle_mm_fault+0x2376/0x62b0 [ 135.879943][ T5579] ? handle_mm_fault+0x11d/0x62b0 [ 135.884970][ T5579] ? numa_migrate_prep+0x380/0x380 [ 135.890086][ T5579] ? mtree_range_walk+0x6a0/0x7e0 [ 135.895105][ T5579] ? lock_vma_under_rcu+0x187/0x6f0 [ 135.900296][ T5579] ? __lock_acquire+0x7f70/0x7f70 [ 135.905314][ T5579] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 135.910517][ T5579] ? lock_vma_under_rcu+0x5df/0x6f0 [ 135.915713][ T5579] ? lock_vma_under_rcu+0x187/0x6f0 [ 135.920926][ T5579] ? exc_page_fault+0x10f/0x860 [ 135.925773][ T5579] exc_page_fault+0x455/0x860 [ 135.930447][ T5579] asm_exc_page_fault+0x26/0x30 [ 135.935287][ T5579] RIP: 0033:0x7f794735bd00 [ 135.939697][ T5579] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 135.959295][ T5579] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5578] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5579] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5579] munmap(0x7f793ef10000, 2097152) = 0 [pid 5579] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 135.965357][ T5579] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 135.973324][ T5579] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 135.981287][ T5579] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 135.989255][ T5579] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 135.997218][ T5579] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 136.005279][ T5579] [ 136.008658][ T5579] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5579] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5579] close(5) = 0 [pid 5579] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5579] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 136.044709][ T5579] loop0: detected capacity change from 0 to 4096 [ 136.064199][ T5579] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 136.071449][ T5579] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5579] ioctl(3, LOOP_CLR_FD) = 0 [pid 5579] close(3) = 0 [pid 5579] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5577] <... futex resumed>) = 0 [pid 5579] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5577] exit_group(0) = ? [pid 5578] <... futex resumed>) = ? [pid 5579] <... futex resumed>) = ? [pid 5578] +++ exited with 0 +++ [pid 5579] +++ exited with 0 +++ [pid 5577] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5577, si_uid=0, si_status=0, si_utime=0, si_stime=8 /* 0.08 s */} --- umount2("./179", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./179", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./179/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./179/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./179/binderfs") = 0 umount2("\x2e\x2f\x31\x37\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x37\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x37\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x37\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x37\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./179") = 0 mkdir("./180", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5580 attached , child_tidptr=0x555555f17690) = 5580 [pid 5580] set_robust_list(0x555555f176a0, 24) = 0 [pid 5580] chdir("./180") = 0 [pid 5580] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5580] setpgid(0, 0) = 0 [pid 5580] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5580] write(3, "1000", 4) = 4 [pid 5580] close(3) = 0 [pid 5580] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5580] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5580] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5580] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5580] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5580] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5580] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5580] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5581 attached => {parent_tid=[5581]}, 88) = 5581 [pid 5581] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5580] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5580] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5580] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5580] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5581] <... rseq resumed>) = 0 [pid 5581] set_robust_list(0x7f79473519a0, 24 [pid 5580] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5581] <... set_robust_list resumed>) = 0 [pid 5580] <... mprotect resumed>) = 0 [pid 5581] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5580] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5580] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5582 attached [pid 5582] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5580] <... clone3 resumed> => {parent_tid=[5582]}, 88) = 5582 [pid 5581] memfd_create("syzkaller", 0 [pid 5582] <... rseq resumed>) = 0 [pid 5580] rt_sigprocmask(SIG_SETMASK, [], [pid 5582] set_robust_list(0x7f79473309a0, 24 [pid 5580] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5582] <... set_robust_list resumed>) = 0 [pid 5581] <... memfd_create resumed>) = 3 [pid 5580] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5582] rt_sigprocmask(SIG_SETMASK, [], [pid 5580] <... futex resumed>) = 0 [pid 5582] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5581] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5580] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5582] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5581] <... mmap resumed>) = 0x7f793ef10000 [pid 5581] munmap(0x7f793ef10000, 138412032 [pid 5582] <... openat resumed>) = 4 [pid 5581] <... munmap resumed>) = 0 [pid 5582] write(4, "85", 2) = 2 [pid 5582] memfd_create("syzkaller", 0 [pid 5581] close(3) = 0 [pid 5581] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5581] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5582] <... memfd_create resumed>) = 3 [pid 5582] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 136.220861][ T5582] FAULT_INJECTION: forcing a failure. [ 136.220861][ T5582] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 136.234323][ T5582] CPU: 1 PID: 5582 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 136.244843][ T5582] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 136.254905][ T5582] Call Trace: [ 136.258187][ T5582] [ 136.261130][ T5582] dump_stack_lvl+0x1e7/0x2d0 [ 136.265817][ T5582] ? nf_tcp_handle_invalid+0x650/0x650 [ 136.271266][ T5582] ? panic+0x770/0x770 [ 136.275332][ T5582] should_fail_ex+0x3aa/0x4e0 [ 136.280004][ T5582] prepare_alloc_pages+0x1d9/0x5b0 [ 136.285116][ T5582] __alloc_pages+0x165/0x670 [ 136.289704][ T5582] ? zone_statistics+0x170/0x170 [ 136.294642][ T5582] ? verify_lock_unused+0x140/0x140 [ 136.299831][ T5582] ? handle_mm_fault+0x11d/0x62b0 [ 136.304852][ T5582] ? __lock_acquire+0x7f70/0x7f70 [ 136.309866][ T5582] ? pte_offset_map_nolock+0x137/0x1e0 [ 136.315320][ T5582] __folio_alloc+0x13/0x30 [ 136.319731][ T5582] vma_alloc_folio+0x48a/0x9a0 [ 136.324495][ T5582] handle_mm_fault+0x2376/0x62b0 [ 136.329436][ T5582] ? handle_mm_fault+0x11d/0x62b0 [ 136.334464][ T5582] ? numa_migrate_prep+0x380/0x380 [ 136.339581][ T5582] ? mtree_range_walk+0x6a0/0x7e0 [ 136.344602][ T5582] ? lock_vma_under_rcu+0x187/0x6f0 [ 136.349805][ T5582] ? __lock_acquire+0x7f70/0x7f70 [ 136.354821][ T5582] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 136.360207][ T5582] ? lock_vma_under_rcu+0x5df/0x6f0 [ 136.365489][ T5582] ? lock_vma_under_rcu+0x187/0x6f0 [ 136.370693][ T5582] ? exc_page_fault+0x10f/0x860 [ 136.375546][ T5582] exc_page_fault+0x455/0x860 [ 136.380222][ T5582] asm_exc_page_fault+0x26/0x30 [ 136.385068][ T5582] RIP: 0033:0x7f794735bd00 [ 136.389484][ T5582] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 136.409082][ T5582] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5582] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5582] munmap(0x7f793ef10000, 2097152) = 0 [pid 5582] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 136.415142][ T5582] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 136.423192][ T5582] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 136.431762][ T5582] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 136.439724][ T5582] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 136.447683][ T5582] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 136.455658][ T5582] [pid 5582] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5582] close(3) = 0 [pid 5582] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5582] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 136.490322][ T5582] loop0: detected capacity change from 0 to 4096 [ 136.508330][ T5582] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 136.515321][ T5582] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5582] ioctl(5, LOOP_CLR_FD) = 0 [pid 5582] close(5) = 0 [pid 5582] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5582] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5580] <... futex resumed>) = 0 [pid 5580] exit_group(0 [pid 5581] <... futex resumed>) = ? [pid 5580] <... exit_group resumed>) = ? [pid 5582] <... futex resumed>) = ? [pid 5581] +++ exited with 0 +++ [pid 5582] +++ exited with 0 +++ [pid 5580] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5580, si_uid=0, si_status=0, si_utime=0, si_stime=8 /* 0.08 s */} --- umount2("./180", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./180", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./180/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./180/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./180/binderfs") = 0 umount2("\x2e\x2f\x31\x38\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x38\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x38\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x38\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x38\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./180") = 0 mkdir("./181", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5583 attached , child_tidptr=0x555555f17690) = 5583 [pid 5583] set_robust_list(0x555555f176a0, 24) = 0 [pid 5583] chdir("./181") = 0 [pid 5583] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5583] setpgid(0, 0) = 0 [pid 5583] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5583] write(3, "1000", 4) = 4 [pid 5583] close(3) = 0 [pid 5583] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5583] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5583] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5583] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5583] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5583] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5583] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5583] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5584 attached [pid 5584] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5584] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5584] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5584] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5583] <... clone3 resumed> => {parent_tid=[5584]}, 88) = 5584 [pid 5583] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5583] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5584] <... futex resumed>) = 0 [pid 5583] <... futex resumed>) = 1 [pid 5584] memfd_create("syzkaller", 0 [pid 5583] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5583] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5584] <... memfd_create resumed>) = 3 [pid 5583] <... mmap resumed>) = 0x7f7947310000 [pid 5584] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5583] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5583] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5583] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5585 attached [pid 5585] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5583] <... clone3 resumed> => {parent_tid=[5585]}, 88) = 5585 [pid 5585] set_robust_list(0x7f79473309a0, 24 [pid 5583] rt_sigprocmask(SIG_SETMASK, [], [pid 5585] <... set_robust_list resumed>) = 0 [pid 5584] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5585] rt_sigprocmask(SIG_SETMASK, [], [pid 5583] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5585] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5583] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5585] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5583] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5585] <... openat resumed>) = 4 [pid 5585] write(4, "85", 2) = 2 [pid 5585] memfd_create("syzkaller", 0) = 5 [pid 5585] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 136.675460][ T5585] FAULT_INJECTION: forcing a failure. [ 136.675460][ T5585] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 136.689516][ T5585] CPU: 0 PID: 5585 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 136.700055][ T5585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 136.710999][ T5585] Call Trace: [ 136.714276][ T5585] [ 136.717209][ T5585] dump_stack_lvl+0x1e7/0x2d0 [ 136.721887][ T5585] ? nf_tcp_handle_invalid+0x650/0x650 [ 136.727337][ T5585] ? panic+0x770/0x770 [ 136.731408][ T5585] should_fail_ex+0x3aa/0x4e0 [ 136.736103][ T5585] prepare_alloc_pages+0x1d9/0x5b0 [ 136.741223][ T5585] __alloc_pages+0x165/0x670 [ 136.745834][ T5585] ? zone_statistics+0x170/0x170 [ 136.750855][ T5585] ? verify_lock_unused+0x140/0x140 [ 136.756049][ T5585] ? handle_mm_fault+0x11d/0x62b0 [ 136.761069][ T5585] ? __lock_acquire+0x7f70/0x7f70 [ 136.766516][ T5585] ? pte_offset_map_nolock+0x137/0x1e0 [ 136.772001][ T5585] __folio_alloc+0x13/0x30 [ 136.776411][ T5585] vma_alloc_folio+0x48a/0x9a0 [ 136.781275][ T5585] handle_mm_fault+0x2376/0x62b0 [ 136.786222][ T5585] ? handle_mm_fault+0x11d/0x62b0 [ 136.791286][ T5585] ? numa_migrate_prep+0x380/0x380 [ 136.796404][ T5585] ? mtree_range_walk+0x6a0/0x7e0 [ 136.801515][ T5585] ? lock_vma_under_rcu+0x187/0x6f0 [ 136.806707][ T5585] ? __lock_acquire+0x7f70/0x7f70 [ 136.811723][ T5585] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 136.816927][ T5585] ? lock_vma_under_rcu+0x5df/0x6f0 [ 136.822122][ T5585] ? lock_vma_under_rcu+0x187/0x6f0 [ 136.827332][ T5585] ? exc_page_fault+0x10f/0x860 [ 136.832179][ T5585] exc_page_fault+0x455/0x860 [ 136.836860][ T5585] asm_exc_page_fault+0x26/0x30 [ 136.841706][ T5585] RIP: 0033:0x7f794735bc53 [ 136.846114][ T5585] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 136.865728][ T5585] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5584] <... write resumed>) = 2097152 [pid 5584] munmap(0x7f793ef10000, 2097152) = 0 [pid 5584] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 136.871830][ T5585] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 136.879803][ T5585] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 136.887773][ T5585] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 136.895744][ T5585] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 136.903731][ T5585] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 136.911710][ T5585] [pid 5584] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5584] close(3) = 0 [pid 5584] mkdir("./file0", 0777) = 0 [pid 5584] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5584] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5584] chdir("./file0") = 0 [pid 5584] ioctl(6, LOOP_CLR_FD) = 0 [pid 5584] close(6) = 0 [pid 5584] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5584] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5585] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5585] munmap(0x7f7936b10000, 2097152) = 0 [pid 5585] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5585] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5585] ioctl(6, LOOP_CLR_FD) = 0 [pid 5585] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5585] close(6) = 0 [pid 5585] close(5) = 0 [pid 5585] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5583] <... futex resumed>) = 0 [pid 5583] exit_group(0) = ? [pid 5584] <... futex resumed>) = ? [pid 5584] +++ exited with 0 +++ [pid 5585] +++ exited with 0 +++ [pid 5583] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5583, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./181", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./181", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./181/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./181/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./181/binderfs") = 0 [ 136.924239][ T5584] loop0: detected capacity change from 0 to 4096 [ 136.937353][ T5584] ntfs: volume version 12.0. umount2("./181/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./181/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./181/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./181/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./181/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./181/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./181") = 0 mkdir("./182", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5586 attached [pid 5586] set_robust_list(0x555555f176a0, 24) = 0 [pid 5586] chdir("./182") = 0 [pid 5586] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5586] setpgid(0, 0) = 0 [pid 5586] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5586] write(3, "1000", 4) = 4 [pid 5586] close(3) = 0 [pid 5586] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5586] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5586] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5586] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5586] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5586] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5586] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5586] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5587 attached => {parent_tid=[5587]}, 88) = 5587 [pid 5587] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5587] set_robust_list(0x7f79473519a0, 24 [pid 5586] rt_sigprocmask(SIG_SETMASK, [], [pid 5587] <... set_robust_list resumed>) = 0 [pid 5586] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5587] rt_sigprocmask(SIG_SETMASK, [], [pid 5586] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5587] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5586] <... futex resumed>) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5586 [pid 5587] memfd_create("syzkaller", 0 [pid 5586] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5586] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5586] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5586] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5586] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5587] <... memfd_create resumed>) = 3 [pid 5586] <... clone3 resumed> => {parent_tid=[5588]}, 88) = 5588 [pid 5587] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5586] rt_sigprocmask(SIG_SETMASK, [], [pid 5587] <... mmap resumed>) = 0x7f793ef10000 [pid 5586] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5586] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5588 attached [pid 5586] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5588] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5588] set_robust_list(0x7f79473309a0, 24 [pid 5587] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5588] <... set_robust_list resumed>) = 0 [pid 5588] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5588] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5588] write(4, "85", 2) = 2 [pid 5588] memfd_create("syzkaller", 0) = 5 [pid 5588] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5587] <... write resumed>) = 2097152 [ 137.074475][ T5588] FAULT_INJECTION: forcing a failure. [ 137.074475][ T5588] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 137.088230][ T5588] CPU: 1 PID: 5588 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 137.099000][ T5588] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 137.109050][ T5588] Call Trace: [ 137.112333][ T5588] [ 137.115264][ T5588] dump_stack_lvl+0x1e7/0x2d0 [ 137.119950][ T5588] ? nf_tcp_handle_invalid+0x650/0x650 [ 137.125500][ T5588] ? panic+0x770/0x770 [ 137.129584][ T5588] should_fail_ex+0x3aa/0x4e0 [ 137.134269][ T5588] prepare_alloc_pages+0x1d9/0x5b0 [ 137.139386][ T5588] __alloc_pages+0x165/0x670 [ 137.143977][ T5588] ? zone_statistics+0x170/0x170 [ 137.148932][ T5588] ? verify_lock_unused+0x140/0x140 [ 137.154146][ T5588] ? handle_mm_fault+0x11d/0x62b0 [ 137.159172][ T5588] ? __lock_acquire+0x7f70/0x7f70 [ 137.164192][ T5588] ? pte_offset_map_nolock+0x137/0x1e0 [ 137.169656][ T5588] __folio_alloc+0x13/0x30 [ 137.174082][ T5588] vma_alloc_folio+0x48a/0x9a0 [ 137.178869][ T5588] handle_mm_fault+0x2376/0x62b0 [ 137.183834][ T5588] ? handle_mm_fault+0x11d/0x62b0 [ 137.188880][ T5588] ? numa_migrate_prep+0x380/0x380 [ 137.194012][ T5588] ? mtree_range_walk+0x6a0/0x7e0 [ 137.199034][ T5588] ? lock_vma_under_rcu+0x187/0x6f0 [ 137.204248][ T5588] ? __lock_acquire+0x7f70/0x7f70 [ 137.209282][ T5588] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 137.214485][ T5588] ? lock_vma_under_rcu+0x5df/0x6f0 [ 137.219700][ T5588] ? lock_vma_under_rcu+0x187/0x6f0 [ 137.224921][ T5588] ? exc_page_fault+0x10f/0x860 [ 137.229784][ T5588] exc_page_fault+0x455/0x860 [ 137.234455][ T5588] asm_exc_page_fault+0x26/0x30 [ 137.239293][ T5588] RIP: 0033:0x7f794735bc53 [ 137.243697][ T5588] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 137.263407][ T5588] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 137.269470][ T5588] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 137.277433][ T5588] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 137.285391][ T5588] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 137.293441][ T5588] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 137.301405][ T5588] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 137.309390][ T5588] [ 137.312811][ T5588] pagefault_out_of_memory: 2 callbacks suppressed [pid 5587] munmap(0x7f793ef10000, 2097152) = 0 [pid 5587] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5587] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5587] close(3) = 0 [pid 5587] mkdir("./file0", 0777 [pid 5588] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5587] <... mkdir resumed>) = 0 [pid 5587] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5587] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5587] chdir("./file0" [pid 5588] <... write resumed>) = 2097152 [pid 5588] munmap(0x7f7936b10000, 2097152 [pid 5587] <... chdir resumed>) = 0 [pid 5587] ioctl(6, LOOP_CLR_FD) = 0 [pid 5587] close(6 [pid 5588] <... munmap resumed>) = 0 [pid 5587] <... close resumed>) = 0 [pid 5587] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5588] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5588] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5588] ioctl(6, LOOP_CLR_FD) = 0 [pid 5587] <... futex resumed>) = 0 [pid 5587] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5588] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5588] close(6) = 0 [pid 5588] close(5) = 0 [pid 5588] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5586] <... futex resumed>) = 0 [pid 5588] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5586] exit_group(0 [pid 5587] <... futex resumed>) = ? [pid 5586] <... exit_group resumed>) = ? [pid 5587] +++ exited with 0 +++ [pid 5588] <... futex resumed>) = ? [pid 5588] +++ exited with 0 +++ [pid 5586] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5586, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=15 /* 0.15 s */} --- [ 137.312825][ T5588] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 137.338809][ T5587] loop0: detected capacity change from 0 to 4096 [ 137.359753][ T5587] ntfs: volume version 12.0. umount2("./182", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./182", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./182/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./182/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./182/binderfs") = 0 umount2("./182/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./182/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./182/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./182/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./182/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./182/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./182") = 0 mkdir("./183", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5589 attached , child_tidptr=0x555555f17690) = 5589 [pid 5589] set_robust_list(0x555555f176a0, 24) = 0 [pid 5589] chdir("./183") = 0 [pid 5589] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5589] setpgid(0, 0) = 0 [pid 5589] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5589] write(3, "1000", 4) = 4 [pid 5589] close(3) = 0 [pid 5589] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5589] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5589] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5589] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5589] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5589] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5589] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5589] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5590 attached => {parent_tid=[5590]}, 88) = 5590 [pid 5590] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5589] rt_sigprocmask(SIG_SETMASK, [], [pid 5590] <... rseq resumed>) = 0 [pid 5589] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5590] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5589] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5590] rt_sigprocmask(SIG_SETMASK, [], [pid 5589] <... futex resumed>) = 0 [pid 5590] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5589] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5590] memfd_create("syzkaller", 0 [pid 5589] <... futex resumed>) = 0 [pid 5589] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5589] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5589] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5590] <... memfd_create resumed>) = 3 [pid 5589] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5589] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5590] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0./strace-static-x86_64: Process 5591 attached ) = 0x7f793ef10000 [pid 5591] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5591] set_robust_list(0x7f79473309a0, 24 [pid 5589] <... clone3 resumed> => {parent_tid=[5591]}, 88) = 5591 [pid 5591] <... set_robust_list resumed>) = 0 [pid 5591] rt_sigprocmask(SIG_SETMASK, [], [pid 5589] rt_sigprocmask(SIG_SETMASK, [], [pid 5591] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5591] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5589] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5589] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5591] <... futex resumed>) = 0 [pid 5589] <... futex resumed>) = 1 [pid 5589] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5591] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5591] write(4, "85", 2) = 2 [pid 5591] memfd_create("syzkaller", 0) = 5 [pid 5591] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5590] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 137.501739][ T5591] FAULT_INJECTION: forcing a failure. [ 137.501739][ T5591] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 137.515105][ T5591] CPU: 0 PID: 5591 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 137.525546][ T5591] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 137.535614][ T5591] Call Trace: [ 137.538885][ T5591] [ 137.541810][ T5591] dump_stack_lvl+0x1e7/0x2d0 [ 137.546581][ T5591] ? nf_tcp_handle_invalid+0x650/0x650 [ 137.552043][ T5591] ? panic+0x770/0x770 [ 137.556154][ T5591] should_fail_ex+0x3aa/0x4e0 [ 137.560846][ T5591] prepare_alloc_pages+0x1d9/0x5b0 [ 137.566066][ T5591] __alloc_pages+0x165/0x670 [ 137.570671][ T5591] ? zone_statistics+0x170/0x170 [ 137.575615][ T5591] ? verify_lock_unused+0x140/0x140 [ 137.580825][ T5591] ? handle_mm_fault+0x11d/0x62b0 [ 137.585850][ T5591] ? __lock_acquire+0x7f70/0x7f70 [ 137.590870][ T5591] ? pte_offset_map_nolock+0x137/0x1e0 [ 137.596444][ T5591] __folio_alloc+0x13/0x30 [ 137.600883][ T5591] vma_alloc_folio+0x48a/0x9a0 [ 137.605656][ T5591] handle_mm_fault+0x2376/0x62b0 [ 137.610609][ T5591] ? handle_mm_fault+0x11d/0x62b0 [ 137.615646][ T5591] ? numa_migrate_prep+0x380/0x380 [ 137.620757][ T5591] ? mtree_range_walk+0x6a0/0x7e0 [ 137.625781][ T5591] ? lock_vma_under_rcu+0x187/0x6f0 [ 137.630993][ T5591] ? __lock_acquire+0x7f70/0x7f70 [ 137.636011][ T5591] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 137.641226][ T5591] ? lock_vma_under_rcu+0x5df/0x6f0 [ 137.646434][ T5591] ? lock_vma_under_rcu+0x187/0x6f0 [ 137.651647][ T5591] ? exc_page_fault+0x10f/0x860 [ 137.656496][ T5591] exc_page_fault+0x455/0x860 [ 137.661172][ T5591] asm_exc_page_fault+0x26/0x30 [ 137.666036][ T5591] RIP: 0033:0x7f794735bc53 [ 137.670462][ T5591] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 137.690066][ T5591] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5590] munmap(0x7f793ef10000, 2097152) = 0 [pid 5590] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 137.696127][ T5591] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 137.704092][ T5591] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 137.712063][ T5591] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 137.720038][ T5591] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 137.728021][ T5591] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 137.735999][ T5591] [ 137.739628][ T5591] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5590] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5590] close(3) = 0 [pid 5590] mkdir("./file0", 0777) = 0 [pid 5590] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5591] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5590] <... mount resumed>) = 0 [pid 5590] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5590] chdir("./file0") = 0 [pid 5590] ioctl(6, LOOP_CLR_FD) = 0 [pid 5590] close(6) = 0 [pid 5590] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5590] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5591] <... write resumed>) = 2097152 [pid 5591] munmap(0x7f7936b10000, 2097152) = 0 [pid 5591] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5591] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5591] ioctl(6, LOOP_CLR_FD) = 0 [pid 5591] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5591] close(6) = 0 [pid 5591] close(5) = 0 [pid 5591] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5589] <... futex resumed>) = 0 [pid 5591] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5589] exit_group(0 [pid 5591] <... futex resumed>) = ? [pid 5590] <... futex resumed>) = ? [pid 5589] <... exit_group resumed>) = ? [pid 5591] +++ exited with 0 +++ [ 137.756914][ T5590] loop0: detected capacity change from 0 to 4096 [ 137.771262][ T5590] ntfs: volume version 12.0. [pid 5590] +++ exited with 0 +++ [pid 5589] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5589, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=14 /* 0.14 s */} --- umount2("./183", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./183", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./183/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./183/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./183/binderfs") = 0 umount2("./183/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./183/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./183/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./183/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./183/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./183/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./183") = 0 mkdir("./184", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5592 ./strace-static-x86_64: Process 5592 attached [pid 5592] set_robust_list(0x555555f176a0, 24) = 0 [pid 5592] chdir("./184") = 0 [pid 5592] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5592] setpgid(0, 0) = 0 [pid 5592] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5592] write(3, "1000", 4) = 4 [pid 5592] close(3) = 0 [pid 5592] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5592] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5592] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5592] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5592] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5592] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5592] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5592] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5593 attached => {parent_tid=[5593]}, 88) = 5593 [pid 5593] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5592] rt_sigprocmask(SIG_SETMASK, [], [pid 5593] set_robust_list(0x7f79473519a0, 24 [pid 5592] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5593] <... set_robust_list resumed>) = 0 [pid 5592] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5593] rt_sigprocmask(SIG_SETMASK, [], [pid 5592] <... futex resumed>) = 0 [pid 5593] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5592] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5593] memfd_create("syzkaller", 0 [pid 5592] <... futex resumed>) = 0 [pid 5592] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5592] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5592] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5592] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5593] <... memfd_create resumed>) = 3 [pid 5592] <... clone3 resumed> => {parent_tid=[5594]}, 88) = 5594 ./strace-static-x86_64: Process 5594 attached [pid 5592] rt_sigprocmask(SIG_SETMASK, [], [pid 5594] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5593] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5594] <... rseq resumed>) = 0 [pid 5594] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5593] <... mmap resumed>) = 0x7f793ef10000 [pid 5592] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5594] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5594] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5592] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5594] <... futex resumed>) = 0 [pid 5592] <... futex resumed>) = 1 [pid 5592] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5594] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5593] munmap(0x7f793ef10000, 138412032 [pid 5594] <... openat resumed>) = 4 [pid 5594] write(4, "85", 2) = 2 [pid 5594] memfd_create("syzkaller", 0) = 5 [pid 5594] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5593] <... munmap resumed>) = 0 [pid 5593] close(3 [pid 5594] <... mmap resumed>) = 0x7f793ef10000 [pid 5593] <... close resumed>) = 0 [pid 5593] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 137.884554][ T5594] FAULT_INJECTION: forcing a failure. [ 137.884554][ T5594] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 137.898301][ T5594] CPU: 0 PID: 5594 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 137.908735][ T5594] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 137.918794][ T5594] Call Trace: [ 137.922069][ T5594] [ 137.925008][ T5594] dump_stack_lvl+0x1e7/0x2d0 [ 137.929680][ T5594] ? nf_tcp_handle_invalid+0x650/0x650 [ 137.935132][ T5594] ? panic+0x770/0x770 [ 137.939203][ T5594] should_fail_ex+0x3aa/0x4e0 [ 137.943892][ T5594] prepare_alloc_pages+0x1d9/0x5b0 [ 137.949023][ T5594] __alloc_pages+0x165/0x670 [ 137.953627][ T5594] ? zone_statistics+0x170/0x170 [ 137.958587][ T5594] ? verify_lock_unused+0x140/0x140 [ 137.963783][ T5594] ? handle_mm_fault+0x11d/0x62b0 [ 137.968807][ T5594] ? __lock_acquire+0x7f70/0x7f70 [ 137.973857][ T5594] ? pte_offset_map_nolock+0x137/0x1e0 [ 137.979319][ T5594] __folio_alloc+0x13/0x30 [ 137.983752][ T5594] vma_alloc_folio+0x48a/0x9a0 [ 137.988519][ T5594] handle_mm_fault+0x2376/0x62b0 [ 137.993464][ T5594] ? handle_mm_fault+0x11d/0x62b0 [ 137.998492][ T5594] ? numa_migrate_prep+0x380/0x380 [ 138.003610][ T5594] ? mtree_range_walk+0x6a0/0x7e0 [ 138.008637][ T5594] ? lock_vma_under_rcu+0x187/0x6f0 [ 138.013832][ T5594] ? __lock_acquire+0x7f70/0x7f70 [ 138.018874][ T5594] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 138.024086][ T5594] ? lock_vma_under_rcu+0x5df/0x6f0 [ 138.029283][ T5594] ? lock_vma_under_rcu+0x187/0x6f0 [ 138.034488][ T5594] ? exc_page_fault+0x10f/0x860 [ 138.039341][ T5594] exc_page_fault+0x455/0x860 [ 138.044021][ T5594] asm_exc_page_fault+0x26/0x30 [ 138.048869][ T5594] RIP: 0033:0x7f794735bd00 [ 138.053279][ T5594] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 138.072967][ T5594] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5593] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5594] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5594] munmap(0x7f793ef10000, 2097152) = 0 [pid 5594] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 138.079032][ T5594] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 138.087013][ T5594] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 138.095005][ T5594] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 138.102975][ T5594] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 138.111047][ T5594] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 138.119026][ T5594] [ 138.124715][ T5594] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5594] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5594] close(5) = 0 [pid 5594] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5594] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 138.163033][ T5594] loop0: detected capacity change from 0 to 4096 [ 138.183466][ T5594] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 138.190886][ T5594] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5594] ioctl(3, LOOP_CLR_FD) = 0 [pid 5594] close(3) = 0 [pid 5594] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5592] <... futex resumed>) = 0 [pid 5592] exit_group(0) = ? [pid 5593] <... futex resumed>) = ? [pid 5593] +++ exited with 0 +++ [pid 5594] <... futex resumed>) = ? [pid 5594] +++ exited with 0 +++ [pid 5592] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5592, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- umount2("./184", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./184", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./184/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./184/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./184/binderfs") = 0 umount2("\x2e\x2f\x31\x38\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x38\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x38\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x38\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x38\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./184") = 0 mkdir("./185", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5595 attached , child_tidptr=0x555555f17690) = 5595 [pid 5595] set_robust_list(0x555555f176a0, 24) = 0 [pid 5595] chdir("./185") = 0 [pid 5595] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5595] setpgid(0, 0) = 0 [pid 5595] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5595] write(3, "1000", 4) = 4 [pid 5595] close(3) = 0 [pid 5595] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5595] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5595] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5595] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5595] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5595] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5595] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5595] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5596 attached => {parent_tid=[5596]}, 88) = 5596 [pid 5595] rt_sigprocmask(SIG_SETMASK, [], [pid 5596] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5595] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5596] <... rseq resumed>) = 0 [pid 5595] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5596] set_robust_list(0x7f79473519a0, 24 [pid 5595] <... futex resumed>) = 0 [pid 5596] <... set_robust_list resumed>) = 0 [pid 5596] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5596] memfd_create("syzkaller", 0 [pid 5595] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5595] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5596] <... memfd_create resumed>) = 3 [pid 5595] <... mmap resumed>) = 0x7f7947310000 [pid 5596] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5595] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5596] <... mmap resumed>) = 0x7f793ef10000 [pid 5595] <... mprotect resumed>) = 0 [pid 5595] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5595] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5597 attached => {parent_tid=[5597]}, 88) = 5597 [pid 5597] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5595] rt_sigprocmask(SIG_SETMASK, [], [pid 5597] <... rseq resumed>) = 0 [pid 5595] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5595] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5597] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5595] <... futex resumed>) = 0 [pid 5595] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5597] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5597] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5597] write(4, "85", 2) = 2 [pid 5597] memfd_create("syzkaller", 0) = 5 [pid 5597] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5596] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 138.335960][ T5597] FAULT_INJECTION: forcing a failure. [ 138.335960][ T5597] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 138.355933][ T5597] CPU: 0 PID: 5597 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 138.366422][ T5597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 138.376681][ T5597] Call Trace: [ 138.379968][ T5597] [ 138.382912][ T5597] dump_stack_lvl+0x1e7/0x2d0 [ 138.387608][ T5597] ? nf_tcp_handle_invalid+0x650/0x650 [ 138.393169][ T5597] ? panic+0x770/0x770 [ 138.397503][ T5597] should_fail_ex+0x3aa/0x4e0 [ 138.402181][ T5597] prepare_alloc_pages+0x1d9/0x5b0 [ 138.407308][ T5597] __alloc_pages+0x165/0x670 [ 138.412271][ T5597] ? zone_statistics+0x170/0x170 [ 138.417221][ T5597] ? verify_lock_unused+0x140/0x140 [ 138.422501][ T5597] ? handle_mm_fault+0x11d/0x62b0 [ 138.427524][ T5597] ? __lock_acquire+0x7f70/0x7f70 [ 138.432560][ T5597] ? pte_offset_map_nolock+0x137/0x1e0 [ 138.438061][ T5597] __folio_alloc+0x13/0x30 [ 138.442507][ T5597] vma_alloc_folio+0x48a/0x9a0 [ 138.447291][ T5597] handle_mm_fault+0x2376/0x62b0 [ 138.452271][ T5597] ? handle_mm_fault+0x11d/0x62b0 [ 138.457337][ T5597] ? numa_migrate_prep+0x380/0x380 [ 138.462831][ T5597] ? mtree_range_walk+0x6a0/0x7e0 [ 138.467966][ T5597] ? lock_vma_under_rcu+0x187/0x6f0 [ 138.473174][ T5597] ? __lock_acquire+0x7f70/0x7f70 [ 138.478197][ T5597] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 138.483411][ T5597] ? lock_vma_under_rcu+0x5df/0x6f0 [ 138.488615][ T5597] ? lock_vma_under_rcu+0x187/0x6f0 [ 138.493843][ T5597] ? exc_page_fault+0x10f/0x860 [ 138.498717][ T5597] exc_page_fault+0x455/0x860 [ 138.503443][ T5597] asm_exc_page_fault+0x26/0x30 [ 138.508919][ T5597] RIP: 0033:0x7f794735bc53 [ 138.513370][ T5597] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 138.533247][ T5597] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 138.539316][ T5597] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 138.547284][ T5597] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 138.555454][ T5597] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 138.563436][ T5597] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 138.571416][ T5597] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 138.579415][ T5597] [pid 5596] munmap(0x7f793ef10000, 2097152 [pid 5597] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5596] <... munmap resumed>) = 0 [pid 5596] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 138.582838][ T5597] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5596] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5596] close(3) = 0 [pid 5596] mkdir("./file0", 0777) = 0 [pid 5596] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5597] <... write resumed>) = 2097152 [pid 5597] munmap(0x7f7936b10000, 2097152 [pid 5596] <... mount resumed>) = 0 [pid 5596] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5596] chdir("./file0") = 0 [pid 5596] ioctl(6, LOOP_CLR_FD) = 0 [pid 5596] close(6) = 0 [pid 5596] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5596] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5597] <... munmap resumed>) = 0 [pid 5597] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5597] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5597] ioctl(6, LOOP_CLR_FD) = 0 [pid 5597] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5597] close(6) = 0 [ 138.626835][ T5596] loop0: detected capacity change from 0 to 4096 [ 138.654001][ T5596] ntfs: volume version 12.0. [pid 5597] close(5) = 0 [pid 5597] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5595] <... futex resumed>) = 0 [pid 5595] exit_group(0 [pid 5596] <... futex resumed>) = ? [pid 5595] <... exit_group resumed>) = ? [pid 5596] +++ exited with 0 +++ [pid 5597] +++ exited with 0 +++ [pid 5595] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5595, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./185", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./185", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./185/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./185/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./185/binderfs") = 0 umount2("./185/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./185/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./185/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./185/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./185/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./185/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./185") = 0 mkdir("./186", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5598 ./strace-static-x86_64: Process 5598 attached [pid 5598] set_robust_list(0x555555f176a0, 24) = 0 [pid 5598] chdir("./186") = 0 [pid 5598] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5598] setpgid(0, 0) = 0 [pid 5598] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5598] write(3, "1000", 4) = 4 [pid 5598] close(3) = 0 [pid 5598] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5598] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5598] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5598] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5598] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5598] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5598] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5598] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5599]}, 88) = 5599 [pid 5598] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5598] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5598] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5598] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5598] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5598] rt_sigprocmask(SIG_BLOCK, ~[], ./strace-static-x86_64: Process 5599 attached [pid 5599] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5598] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5598] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5600 attached [pid 5600] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5598] <... clone3 resumed> => {parent_tid=[5600]}, 88) = 5600 [pid 5600] <... rseq resumed>) = 0 [pid 5600] set_robust_list(0x7f79473309a0, 24 [pid 5598] rt_sigprocmask(SIG_SETMASK, [], [pid 5600] <... set_robust_list resumed>) = 0 [pid 5598] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5600] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5598] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5598] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5600] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 3 [pid 5600] write(3, "85", 2 [pid 5599] <... rseq resumed>) = 0 [pid 5600] <... write resumed>) = 2 [pid 5600] memfd_create("syzkaller", 0) = 4 [pid 5600] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5599] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5599] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 138.835707][ T5600] FAULT_INJECTION: forcing a failure. [ 138.835707][ T5600] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 138.850694][ T5600] CPU: 1 PID: 5600 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 138.861185][ T5600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 138.871515][ T5600] Call Trace: [ 138.874814][ T5600] [ 138.877768][ T5600] dump_stack_lvl+0x1e7/0x2d0 [ 138.882477][ T5600] ? nf_tcp_handle_invalid+0x650/0x650 [ 138.887961][ T5600] ? panic+0x770/0x770 [ 138.892074][ T5600] should_fail_ex+0x3aa/0x4e0 [ 138.896777][ T5600] prepare_alloc_pages+0x1d9/0x5b0 [ 138.901915][ T5600] __alloc_pages+0x165/0x670 [ 138.906531][ T5600] ? zone_statistics+0x170/0x170 [ 138.911486][ T5600] ? verify_lock_unused+0x140/0x140 [ 138.916685][ T5600] ? handle_mm_fault+0x11d/0x62b0 [ 138.921709][ T5600] ? __lock_acquire+0x7f70/0x7f70 [ 138.926813][ T5600] ? pte_offset_map_nolock+0x137/0x1e0 [ 138.932292][ T5600] __folio_alloc+0x13/0x30 [ 138.936737][ T5600] vma_alloc_folio+0x48a/0x9a0 [ 138.941531][ T5600] handle_mm_fault+0x2376/0x62b0 [ 138.946491][ T5600] ? handle_mm_fault+0x11d/0x62b0 [ 138.951537][ T5600] ? numa_migrate_prep+0x380/0x380 [ 138.956674][ T5600] ? mtree_range_walk+0x6a0/0x7e0 [ 138.961703][ T5600] ? lock_vma_under_rcu+0x187/0x6f0 [ 138.967027][ T5600] ? __lock_acquire+0x7f70/0x7f70 [ 138.972136][ T5600] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 138.977342][ T5600] ? lock_vma_under_rcu+0x5df/0x6f0 [ 138.982539][ T5600] ? lock_vma_under_rcu+0x187/0x6f0 [ 138.987746][ T5600] ? exc_page_fault+0x10f/0x860 [ 138.992606][ T5600] exc_page_fault+0x455/0x860 [ 138.997289][ T5600] asm_exc_page_fault+0x26/0x30 [ 139.002137][ T5600] RIP: 0033:0x7f794735bc53 [ 139.006566][ T5600] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 139.026167][ T5600] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5599] memfd_create("syzkaller", 0) = 5 [ 139.032405][ T5600] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 139.040368][ T5600] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 139.048350][ T5600] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 139.056407][ T5600] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 139.064465][ T5600] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 139.072453][ T5600] [pid 5599] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5600] munmap(0x7f793ef10000, 138412032 [pid 5599] <... mmap resumed>) = 0x7f7936b10000 [ 139.081284][ T5600] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5600] <... munmap resumed>) = 0 [pid 5600] close(4) = 0 [pid 5600] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5598] <... futex resumed>) = 0 [pid 5600] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5599] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5599] munmap(0x7f7936b10000, 2097152) = 0 [pid 5599] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5599] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5599] close(5) = 0 [pid 5599] mkdir("./file0", 0777) = 0 [pid 5599] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5599] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5599] chdir("./file0") = 0 [pid 5599] ioctl(4, LOOP_CLR_FD) = 0 [pid 5599] close(4) = 0 [pid 5599] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5598] exit_group(0) = ? [pid 5599] <... futex resumed>) = ? [pid 5599] +++ exited with 0 +++ [pid 5600] <... futex resumed>) = ? [pid 5600] +++ exited with 0 +++ [pid 5598] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5598, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=9 /* 0.09 s */} --- umount2("./186", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./186", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./186/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./186/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./186/binderfs") = 0 umount2("./186/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./186/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./186/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./186/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./186/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./186/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./186") = 0 mkdir("./187", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5601 attached , child_tidptr=0x555555f17690) = 5601 [pid 5601] set_robust_list(0x555555f176a0, 24) = 0 [pid 5601] chdir("./187") = 0 [pid 5601] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5601] setpgid(0, 0) = 0 [pid 5601] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5601] write(3, "1000", 4) = 4 [pid 5601] close(3) = 0 [pid 5601] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5601] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5601] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5601] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5601] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5601] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5601] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5601] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5602]}, 88) = 5602 ./strace-static-x86_64: Process 5602 attached [pid 5601] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5601] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5602] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5602] set_robust_list(0x7f79473519a0, 24 [pid 5601] <... futex resumed>) = 0 [pid 5602] <... set_robust_list resumed>) = 0 [pid 5601] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5602] rt_sigprocmask(SIG_SETMASK, [], [ 139.195028][ T5599] loop0: detected capacity change from 0 to 4096 [ 139.217545][ T5599] ntfs: volume version 12.0. [pid 5601] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5602] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5601] <... mmap resumed>) = 0x7f7947310000 [pid 5601] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5601] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5601] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5602] memfd_create("syzkaller", 0./strace-static-x86_64: Process 5603 attached [pid 5603] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5603] set_robust_list(0x7f79473309a0, 24 [pid 5601] <... clone3 resumed> => {parent_tid=[5603]}, 88) = 5603 [pid 5603] <... set_robust_list resumed>) = 0 [pid 5601] rt_sigprocmask(SIG_SETMASK, [], [pid 5603] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5601] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5603] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5601] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5603] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5602] <... memfd_create resumed>) = 3 [pid 5601] <... futex resumed>) = 0 [pid 5602] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5601] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5603] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5602] munmap(0x7f793ef10000, 138412032) = 0 [pid 5602] close(3 [pid 5603] <... openat resumed>) = 4 [pid 5602] <... close resumed>) = 0 [pid 5602] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5603] write(4, "85", 2 [pid 5602] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5603] <... write resumed>) = 2 [pid 5603] memfd_create("syzkaller", 0) = 3 [pid 5603] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 139.297827][ T5603] FAULT_INJECTION: forcing a failure. [ 139.297827][ T5603] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 139.311259][ T5603] CPU: 1 PID: 5603 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 139.321687][ T5603] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 139.331759][ T5603] Call Trace: [ 139.335036][ T5603] [ 139.337961][ T5603] dump_stack_lvl+0x1e7/0x2d0 [ 139.342720][ T5603] ? nf_tcp_handle_invalid+0x650/0x650 [ 139.348171][ T5603] ? panic+0x770/0x770 [ 139.352242][ T5603] should_fail_ex+0x3aa/0x4e0 [ 139.356923][ T5603] prepare_alloc_pages+0x1d9/0x5b0 [ 139.362056][ T5603] __alloc_pages+0x165/0x670 [ 139.366642][ T5603] ? zone_statistics+0x170/0x170 [ 139.371579][ T5603] ? verify_lock_unused+0x140/0x140 [ 139.376777][ T5603] ? handle_mm_fault+0x11d/0x62b0 [ 139.381796][ T5603] ? __lock_acquire+0x7f70/0x7f70 [ 139.386813][ T5603] ? pte_offset_map_nolock+0x137/0x1e0 [ 139.392386][ T5603] __folio_alloc+0x13/0x30 [ 139.396800][ T5603] vma_alloc_folio+0x48a/0x9a0 [ 139.401671][ T5603] handle_mm_fault+0x2376/0x62b0 [ 139.406631][ T5603] ? handle_mm_fault+0x11d/0x62b0 [ 139.411664][ T5603] ? numa_migrate_prep+0x380/0x380 [ 139.416879][ T5603] ? mtree_range_walk+0x6a0/0x7e0 [ 139.421916][ T5603] ? lock_vma_under_rcu+0x187/0x6f0 [ 139.427633][ T5603] ? __lock_acquire+0x7f70/0x7f70 [ 139.432645][ T5603] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 139.437945][ T5603] ? lock_vma_under_rcu+0x5df/0x6f0 [ 139.443150][ T5603] ? lock_vma_under_rcu+0x187/0x6f0 [ 139.448399][ T5603] ? exc_page_fault+0x10f/0x860 [ 139.453266][ T5603] exc_page_fault+0x455/0x860 [ 139.457977][ T5603] asm_exc_page_fault+0x26/0x30 [ 139.462829][ T5603] RIP: 0033:0x7f794735bd00 [ 139.467239][ T5603] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 139.487360][ T5603] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5603] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5603] munmap(0x7f793ef10000, 2097152) = 0 [pid 5603] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 139.493426][ T5603] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 139.501417][ T5603] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 139.509395][ T5603] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 139.517394][ T5603] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 139.525363][ T5603] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 139.533509][ T5603] [ 139.536902][ T5603] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5603] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5603] close(3) = 0 [pid 5603] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5603] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 139.577127][ T5603] loop0: detected capacity change from 0 to 4096 [ 139.597336][ T5603] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 139.604347][ T5603] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5603] ioctl(5, LOOP_CLR_FD) = 0 [pid 5603] close(5) = 0 [pid 5603] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5601] <... futex resumed>) = 0 [pid 5603] <... futex resumed>) = 1 [pid 5601] exit_group(0 [pid 5603] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5602] <... futex resumed>) = ? [pid 5601] <... exit_group resumed>) = ? [pid 5602] +++ exited with 0 +++ [pid 5603] +++ exited with 0 +++ [pid 5601] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5601, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=8 /* 0.08 s */} --- umount2("./187", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./187", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./187/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./187/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./187/binderfs") = 0 umount2("\x2e\x2f\x31\x38\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x38\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x38\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x38\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x38\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./187") = 0 mkdir("./188", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5604 attached , child_tidptr=0x555555f17690) = 5604 [pid 5604] set_robust_list(0x555555f176a0, 24) = 0 [pid 5604] chdir("./188") = 0 [pid 5604] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5604] setpgid(0, 0) = 0 [pid 5604] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5604] write(3, "1000", 4) = 4 [pid 5604] close(3) = 0 [pid 5604] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5604] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5604] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5604] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5604] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5604] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5604] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5604] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5605]}, 88) = 5605 [pid 5604] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5604] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5604] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5604] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5604] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 ./strace-static-x86_64: Process 5605 attached [pid 5604] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5604] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5606 attached [pid 5606] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5606] set_robust_list(0x7f79473309a0, 24 [pid 5604] <... clone3 resumed> => {parent_tid=[5606]}, 88) = 5606 [pid 5606] <... set_robust_list resumed>) = 0 [pid 5606] rt_sigprocmask(SIG_SETMASK, [], [pid 5604] rt_sigprocmask(SIG_SETMASK, [], [pid 5606] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5606] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5604] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5604] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5606] <... futex resumed>) = 0 [pid 5604] <... futex resumed>) = 1 [pid 5606] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5605] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5604] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5606] <... openat resumed>) = 3 [pid 5606] write(3, "85", 2) = 2 [pid 5606] memfd_create("syzkaller", 0) = 4 [pid 5605] <... rseq resumed>) = 0 [pid 5606] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5605] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5605] rt_sigprocmask(SIG_SETMASK, [], [pid 5606] <... mmap resumed>) = 0x7f793ef10000 [pid 5605] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5605] memfd_create("syzkaller", 0) = 5 [ 139.711950][ T5606] FAULT_INJECTION: forcing a failure. [ 139.711950][ T5606] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 139.725346][ T5606] CPU: 1 PID: 5606 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 139.735775][ T5606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 139.745873][ T5606] Call Trace: [ 139.749220][ T5606] [ 139.752144][ T5606] dump_stack_lvl+0x1e7/0x2d0 [ 139.756825][ T5606] ? nf_tcp_handle_invalid+0x650/0x650 [ 139.762276][ T5606] ? panic+0x770/0x770 [ 139.766362][ T5606] should_fail_ex+0x3aa/0x4e0 [ 139.771144][ T5606] prepare_alloc_pages+0x1d9/0x5b0 [ 139.776274][ T5606] __alloc_pages+0x165/0x670 [ 139.780867][ T5606] ? zone_statistics+0x170/0x170 [ 139.785805][ T5606] ? verify_lock_unused+0x140/0x140 [ 139.790994][ T5606] ? handle_mm_fault+0x11d/0x62b0 [ 139.796017][ T5606] ? __lock_acquire+0x7f70/0x7f70 [ 139.801031][ T5606] ? pte_offset_map_nolock+0x137/0x1e0 [ 139.806497][ T5606] __folio_alloc+0x13/0x30 [ 139.810909][ T5606] vma_alloc_folio+0x48a/0x9a0 [ 139.815670][ T5606] handle_mm_fault+0x2376/0x62b0 [ 139.820610][ T5606] ? handle_mm_fault+0x11d/0x62b0 [ 139.825638][ T5606] ? numa_migrate_prep+0x380/0x380 [ 139.830754][ T5606] ? mtree_range_walk+0x6a0/0x7e0 [ 139.835784][ T5606] ? lock_vma_under_rcu+0x187/0x6f0 [ 139.840979][ T5606] ? __lock_acquire+0x7f70/0x7f70 [ 139.846016][ T5606] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 139.851219][ T5606] ? lock_vma_under_rcu+0x5df/0x6f0 [ 139.856416][ T5606] ? lock_vma_under_rcu+0x187/0x6f0 [ 139.861616][ T5606] ? exc_page_fault+0x10f/0x860 [ 139.866463][ T5606] exc_page_fault+0x455/0x860 [ 139.871140][ T5606] asm_exc_page_fault+0x26/0x30 [ 139.875982][ T5606] RIP: 0033:0x7f794735bc53 [ 139.880399][ T5606] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 139.900169][ T5606] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5605] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 139.906233][ T5606] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 139.914197][ T5606] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 139.922162][ T5606] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 139.930123][ T5606] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 139.938099][ T5606] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 139.946078][ T5606] [pid 5606] munmap(0x7f793ef10000, 138412032) = 0 [pid 5606] close(4 [pid 5605] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5606] <... close resumed>) = 0 [pid 5606] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5606] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5604] <... futex resumed>) = 0 [pid 5605] <... write resumed>) = 2097152 [pid 5605] munmap(0x7f7936b10000, 2097152) = 0 [pid 5605] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 139.955894][ T5606] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5605] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5605] close(5) = 0 [pid 5605] mkdir("./file0", 0777) = 0 [ 140.002136][ T5605] loop0: detected capacity change from 0 to 4096 [ 140.013903][ T5605] __ntfs_error: 139 callbacks suppressed [ 140.013914][ T5605] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 140.030483][ T5605] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [ 140.043524][ T5605] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 140.058688][ T5605] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 140.068357][ T5605] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 140.076399][ T5605] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 140.089430][ T5605] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [pid 5605] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5604] exit_group(0) = ? [pid 5606] <... futex resumed>) = ? [pid 5606] +++ exited with 0 +++ [pid 5605] <... mount resumed>) = ? [pid 5605] +++ exited with 0 +++ [pid 5604] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5604, si_uid=0, si_status=0, si_utime=0, si_stime=19 /* 0.19 s */} --- umount2("./188", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./188", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./188/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./188/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./188/binderfs") = 0 umount2("./188/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./188/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./188/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./188/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./188/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./188/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./188") = 0 mkdir("./189", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5607 attached , child_tidptr=0x555555f17690) = 5607 [pid 5607] set_robust_list(0x555555f176a0, 24) = 0 [pid 5607] chdir("./189") = 0 [pid 5607] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5607] setpgid(0, 0) = 0 [pid 5607] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5607] write(3, "1000", 4) = 4 [pid 5607] close(3) = 0 [pid 5607] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5607] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5607] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5607] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5607] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5607] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5607] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5607] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5608 attached [pid 5608] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5607] <... clone3 resumed> => {parent_tid=[5608]}, 88) = 5608 [pid 5608] <... rseq resumed>) = 0 [pid 5607] rt_sigprocmask(SIG_SETMASK, [], [pid 5608] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5607] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5608] rt_sigprocmask(SIG_SETMASK, [], [pid 5607] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5608] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5607] <... futex resumed>) = 0 [pid 5608] memfd_create("syzkaller", 0 [pid 5607] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5607] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5607] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5607] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5607] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5609 attached [ 140.101445][ T5605] ntfs: volume version 12.0. [ 140.106153][ T5605] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 140.114617][ T5605] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 140.127689][ T5605] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. [pid 5609] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5608] <... memfd_create resumed>) = 3 [pid 5609] set_robust_list(0x7f79473309a0, 24 [pid 5608] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5607] <... clone3 resumed> => {parent_tid=[5609]}, 88) = 5609 [pid 5609] <... set_robust_list resumed>) = 0 [pid 5608] <... mmap resumed>) = 0x7f793ef10000 [pid 5607] rt_sigprocmask(SIG_SETMASK, [], [pid 5609] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5607] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5609] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5607] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5609] <... futex resumed>) = 0 [pid 5607] <... futex resumed>) = 1 [pid 5609] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5607] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5609] write(4, "85", 2) = 2 [pid 5609] memfd_create("syzkaller", 0) = 5 [pid 5609] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5608] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 140.221526][ T5609] FAULT_INJECTION: forcing a failure. [ 140.221526][ T5609] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 140.235818][ T5609] CPU: 1 PID: 5609 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 140.246881][ T5609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 140.256953][ T5609] Call Trace: [ 140.260252][ T5609] [ 140.263203][ T5609] dump_stack_lvl+0x1e7/0x2d0 [ 140.267898][ T5609] ? nf_tcp_handle_invalid+0x650/0x650 [ 140.273435][ T5609] ? panic+0x770/0x770 [ 140.277497][ T5609] should_fail_ex+0x3aa/0x4e0 [ 140.282162][ T5609] prepare_alloc_pages+0x1d9/0x5b0 [ 140.287264][ T5609] __alloc_pages+0x165/0x670 [ 140.291842][ T5609] ? zone_statistics+0x170/0x170 [ 140.296773][ T5609] ? verify_lock_unused+0x140/0x140 [ 140.301961][ T5609] ? handle_mm_fault+0x11d/0x62b0 [ 140.306973][ T5609] ? __lock_acquire+0x7f70/0x7f70 [ 140.311976][ T5609] ? pte_offset_map_nolock+0x137/0x1e0 [ 140.317426][ T5609] __folio_alloc+0x13/0x30 [ 140.321825][ T5609] vma_alloc_folio+0x48a/0x9a0 [ 140.326578][ T5609] handle_mm_fault+0x2376/0x62b0 [ 140.331510][ T5609] ? handle_mm_fault+0x11d/0x62b0 [ 140.336614][ T5609] ? numa_migrate_prep+0x380/0x380 [ 140.341745][ T5609] ? mtree_range_walk+0x6a0/0x7e0 [ 140.346776][ T5609] ? lock_vma_under_rcu+0x187/0x6f0 [ 140.351958][ T5609] ? __lock_acquire+0x7f70/0x7f70 [ 140.356963][ T5609] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 140.362761][ T5609] ? lock_vma_under_rcu+0x5df/0x6f0 [ 140.367945][ T5609] ? lock_vma_under_rcu+0x187/0x6f0 [ 140.373135][ T5609] ? exc_page_fault+0x10f/0x860 [ 140.377973][ T5609] exc_page_fault+0x455/0x860 [ 140.382637][ T5609] asm_exc_page_fault+0x26/0x30 [ 140.387471][ T5609] RIP: 0033:0x7f794735bc53 [ 140.391870][ T5609] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 140.411482][ T5609] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5608] munmap(0x7f793ef10000, 2097152) = 0 [pid 5608] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 140.417547][ T5609] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 140.425512][ T5609] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 140.433473][ T5609] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 140.441426][ T5609] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 140.449388][ T5609] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 140.457460][ T5609] [ 140.460971][ T5609] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5608] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5608] close(3) = 0 [pid 5608] mkdir("./file0", 0777) = 0 [pid 5608] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5609] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5608] <... mount resumed>) = 0 [pid 5608] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5608] chdir("./file0") = 0 [pid 5608] ioctl(6, LOOP_CLR_FD) = 0 [pid 5608] close(6) = 0 [pid 5608] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5608] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5609] <... write resumed>) = 2097152 [pid 5609] munmap(0x7f7936b10000, 2097152) = 0 [pid 5609] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5609] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5609] ioctl(6, LOOP_CLR_FD) = 0 [pid 5609] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5609] close(6) = 0 [ 140.479052][ T5608] loop0: detected capacity change from 0 to 4096 [ 140.498815][ T5608] ntfs: volume version 12.0. [pid 5609] close(5) = 0 [pid 5609] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5607] <... futex resumed>) = 0 [pid 5609] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5607] exit_group(0 [pid 5608] <... futex resumed>) = ? [pid 5608] +++ exited with 0 +++ [pid 5609] <... futex resumed>) = ? [pid 5609] +++ exited with 0 +++ [pid 5607] <... exit_group resumed>) = ? [pid 5607] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5607, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./189", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./189", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./189/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./189/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./189/binderfs") = 0 umount2("./189/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./189/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./189/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./189/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./189/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./189/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./189") = 0 mkdir("./190", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5610 attached , child_tidptr=0x555555f17690) = 5610 [pid 5610] set_robust_list(0x555555f176a0, 24) = 0 [pid 5610] chdir("./190") = 0 [pid 5610] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5610] setpgid(0, 0) = 0 [pid 5610] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5610] write(3, "1000", 4) = 4 [pid 5610] close(3) = 0 [pid 5610] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5610] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5610] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5610] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5610] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5610] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5610] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5610] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5611]}, 88) = 5611 [pid 5610] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5610] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5610] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5610] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 ./strace-static-x86_64: Process 5611 attached [pid 5611] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5610] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5611] <... rseq resumed>) = 0 [pid 5611] set_robust_list(0x7f79473519a0, 24 [pid 5610] <... mprotect resumed>) = 0 [pid 5611] <... set_robust_list resumed>) = 0 [pid 5610] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5611] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5610] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5610] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5612]}, 88) = 5612 [pid 5610] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5610] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5610] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5612 attached [pid 5612] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5611] memfd_create("syzkaller", 0 [pid 5612] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5612] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5612] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 3 [pid 5612] write(3, "85", 2) = 2 [pid 5612] memfd_create("syzkaller", 0) = 4 [pid 5612] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5611] <... memfd_create resumed>) = 5 [ 140.617279][ T5612] FAULT_INJECTION: forcing a failure. [ 140.617279][ T5612] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 140.630800][ T5612] CPU: 1 PID: 5612 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 140.641228][ T5612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 140.651277][ T5612] Call Trace: [ 140.654647][ T5612] [ 140.657582][ T5612] dump_stack_lvl+0x1e7/0x2d0 [ 140.662255][ T5612] ? nf_tcp_handle_invalid+0x650/0x650 [ 140.667704][ T5612] ? panic+0x770/0x770 [ 140.671769][ T5612] should_fail_ex+0x3aa/0x4e0 [ 140.676440][ T5612] prepare_alloc_pages+0x1d9/0x5b0 [ 140.681548][ T5612] __alloc_pages+0x165/0x670 [ 140.686134][ T5612] ? zone_statistics+0x170/0x170 [ 140.691068][ T5612] ? verify_lock_unused+0x140/0x140 [ 140.696269][ T5612] ? handle_mm_fault+0x11d/0x62b0 [ 140.701301][ T5612] ? __lock_acquire+0x7f70/0x7f70 [ 140.706311][ T5612] ? pte_offset_map_nolock+0x137/0x1e0 [ 140.711767][ T5612] __folio_alloc+0x13/0x30 [ 140.716175][ T5612] vma_alloc_folio+0x48a/0x9a0 [ 140.720970][ T5612] handle_mm_fault+0x2376/0x62b0 [ 140.725905][ T5612] ? handle_mm_fault+0x11d/0x62b0 [ 140.730950][ T5612] ? numa_migrate_prep+0x380/0x380 [ 140.736093][ T5612] ? mtree_range_walk+0x6a0/0x7e0 [ 140.741112][ T5612] ? lock_vma_under_rcu+0x187/0x6f0 [ 140.746310][ T5612] ? __lock_acquire+0x7f70/0x7f70 [ 140.751342][ T5612] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 140.756538][ T5612] ? lock_vma_under_rcu+0x5df/0x6f0 [ 140.761728][ T5612] ? lock_vma_under_rcu+0x187/0x6f0 [ 140.766965][ T5612] ? exc_page_fault+0x10f/0x860 [ 140.771825][ T5612] exc_page_fault+0x455/0x860 [ 140.776589][ T5612] asm_exc_page_fault+0x26/0x30 [ 140.781438][ T5612] RIP: 0033:0x7f794735bc53 [ 140.785861][ T5612] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 140.805457][ T5612] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5611] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5611] munmap(0x7f7936b10000, 138412032) = 0 [pid 5611] close(5) = 0 [pid 5611] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5611] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5612] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5612] munmap(0x7f793ef10000, 2097152) = 0 [pid 5612] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 140.811532][ T5612] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 140.819520][ T5612] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 140.827509][ T5612] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 140.835488][ T5612] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 140.843473][ T5612] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 140.851448][ T5612] [ 140.855934][ T5612] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5612] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5612] close(4) = 0 [pid 5612] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5612] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5612] ioctl(5, LOOP_CLR_FD) = 0 [pid 5612] close(5) = 0 [pid 5612] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5610] <... futex resumed>) = 0 [pid 5610] exit_group(0 [pid 5611] <... futex resumed>) = ? [pid 5610] <... exit_group resumed>) = ? [pid 5612] <... futex resumed>) = ? [ 140.894358][ T5612] loop0: detected capacity change from 0 to 4096 [ 140.913131][ T5612] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 140.920250][ T5612] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5611] +++ exited with 0 +++ [pid 5612] +++ exited with 0 +++ [pid 5610] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5610, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=8 /* 0.08 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./190", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./190", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./190/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./190/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./190/binderfs") = 0 umount2("\x2e\x2f\x31\x39\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x39\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x39\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x39\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x39\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./190") = 0 mkdir("./191", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5613 attached , child_tidptr=0x555555f17690) = 5613 [pid 5613] set_robust_list(0x555555f176a0, 24) = 0 [pid 5613] chdir("./191") = 0 [pid 5613] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5613] setpgid(0, 0) = 0 [pid 5613] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5613] write(3, "1000", 4) = 4 [pid 5613] close(3) = 0 [pid 5613] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5613] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5613] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5613] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5613] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5613] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5613] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5613] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5614 attached => {parent_tid=[5614]}, 88) = 5614 [pid 5613] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5613] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5613] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5613] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5613] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5613] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5613] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5615 attached [pid 5615] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5613] <... clone3 resumed> => {parent_tid=[5615]}, 88) = 5615 [pid 5615] set_robust_list(0x7f79473309a0, 24 [pid 5613] rt_sigprocmask(SIG_SETMASK, [], [pid 5615] <... set_robust_list resumed>) = 0 [pid 5615] rt_sigprocmask(SIG_SETMASK, [], [pid 5613] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5615] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5613] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5614] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5613] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5614] <... rseq resumed>) = 0 [pid 5614] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5614] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5615] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 3 [pid 5614] memfd_create("syzkaller", 0 [pid 5615] write(3, "85", 2 [pid 5614] <... memfd_create resumed>) = 4 [pid 5615] <... write resumed>) = 2 [pid 5614] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5615] memfd_create("syzkaller", 0) = 5 [pid 5614] <... mmap resumed>) = 0x7f793ef10000 [pid 5615] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 141.041985][ T5615] FAULT_INJECTION: forcing a failure. [ 141.041985][ T5615] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 141.056076][ T5615] CPU: 1 PID: 5615 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 141.066521][ T5615] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 141.076605][ T5615] Call Trace: [ 141.079912][ T5615] [ 141.082841][ T5615] dump_stack_lvl+0x1e7/0x2d0 [ 141.087523][ T5615] ? nf_tcp_handle_invalid+0x650/0x650 [ 141.093036][ T5615] ? panic+0x770/0x770 [ 141.097229][ T5615] should_fail_ex+0x3aa/0x4e0 [ 141.101924][ T5615] prepare_alloc_pages+0x1d9/0x5b0 [ 141.107064][ T5615] __alloc_pages+0x165/0x670 [ 141.111658][ T5615] ? zone_statistics+0x170/0x170 [ 141.116618][ T5615] ? verify_lock_unused+0x140/0x140 [ 141.121899][ T5615] ? handle_mm_fault+0x11d/0x62b0 [ 141.126926][ T5615] ? __lock_acquire+0x7f70/0x7f70 [ 141.131940][ T5615] ? pte_offset_map_nolock+0x137/0x1e0 [ 141.137395][ T5615] __folio_alloc+0x13/0x30 [ 141.141817][ T5615] vma_alloc_folio+0x48a/0x9a0 [ 141.146592][ T5615] handle_mm_fault+0x2376/0x62b0 [ 141.152227][ T5615] ? handle_mm_fault+0x11d/0x62b0 [ 141.157257][ T5615] ? numa_migrate_prep+0x380/0x380 [ 141.162372][ T5615] ? mtree_range_walk+0x6a0/0x7e0 [ 141.167395][ T5615] ? lock_vma_under_rcu+0x187/0x6f0 [ 141.172767][ T5615] ? __lock_acquire+0x7f70/0x7f70 [ 141.177792][ T5615] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 141.182995][ T5615] ? lock_vma_under_rcu+0x5df/0x6f0 [ 141.188187][ T5615] ? lock_vma_under_rcu+0x187/0x6f0 [ 141.193388][ T5615] ? exc_page_fault+0x10f/0x860 [ 141.198237][ T5615] exc_page_fault+0x455/0x860 [ 141.202915][ T5615] asm_exc_page_fault+0x26/0x30 [ 141.207758][ T5615] RIP: 0033:0x7f794735bc53 [ 141.212169][ T5615] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 141.231771][ T5615] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5614] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5615] munmap(0x7f7936b10000, 138412032) = 0 [pid 5615] close(5) = 0 [pid 5615] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5613] <... futex resumed>) = 0 [pid 5615] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5614] <... write resumed>) = 2097152 [pid 5614] munmap(0x7f793ef10000, 2097152) = 0 [pid 5614] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 141.237835][ T5615] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 141.245798][ T5615] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 141.253764][ T5615] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 141.261727][ T5615] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 141.271705][ T5615] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 141.279679][ T5615] [ 141.283549][ T5615] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5614] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5614] close(4) = 0 [pid 5614] mkdir("./file0", 0777) = 0 [pid 5614] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5614] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5614] chdir("./file0") = 0 [pid 5614] ioctl(5, LOOP_CLR_FD) = 0 [pid 5614] close(5) = 0 [pid 5614] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5614] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5613] exit_group(0 [pid 5615] <... futex resumed>) = ? [pid 5615] +++ exited with 0 +++ [pid 5614] <... futex resumed>) = ? [pid 5613] <... exit_group resumed>) = ? [pid 5614] +++ exited with 0 +++ [pid 5613] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5613, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=30 /* 0.30 s */} --- umount2("./191", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./191", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./191/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./191/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./191/binderfs") = 0 [ 141.314599][ T5614] loop0: detected capacity change from 0 to 4096 [ 141.329756][ T5614] ntfs: volume version 12.0. umount2("./191/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./191/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./191/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./191/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./191/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./191/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./191") = 0 mkdir("./192", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5616 attached , child_tidptr=0x555555f17690) = 5616 [pid 5616] set_robust_list(0x555555f176a0, 24) = 0 [pid 5616] chdir("./192") = 0 [pid 5616] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5616] setpgid(0, 0) = 0 [pid 5616] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5616] write(3, "1000", 4) = 4 [pid 5616] close(3) = 0 [pid 5616] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5616] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5616] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5616] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5616] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5616] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5616] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5616] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5617 attached [pid 5617] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5616] <... clone3 resumed> => {parent_tid=[5617]}, 88) = 5617 [pid 5617] <... rseq resumed>) = 0 [pid 5616] rt_sigprocmask(SIG_SETMASK, [], [pid 5617] set_robust_list(0x7f79473519a0, 24 [pid 5616] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5617] <... set_robust_list resumed>) = 0 [pid 5616] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5617] rt_sigprocmask(SIG_SETMASK, [], [pid 5616] <... futex resumed>) = 0 [pid 5617] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5616] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5617] memfd_create("syzkaller", 0 [pid 5616] <... futex resumed>) = 0 [pid 5616] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5616] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5616] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5616] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5618 attached [pid 5617] <... memfd_create resumed>) = 3 [pid 5617] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5618] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5616] <... clone3 resumed> => {parent_tid=[5618]}, 88) = 5618 [pid 5616] rt_sigprocmask(SIG_SETMASK, [], [pid 5618] <... rseq resumed>) = 0 [pid 5616] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5618] set_robust_list(0x7f79473309a0, 24 [pid 5616] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5618] <... set_robust_list resumed>) = 0 [pid 5618] rt_sigprocmask(SIG_SETMASK, [], [pid 5616] <... futex resumed>) = 0 [pid 5616] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5618] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5618] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5617] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2028777 [pid 5618] write(4, "85", 2) = 2 [pid 5618] memfd_create("syzkaller", 0) = 5 [pid 5618] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5617] <... write resumed>) = 2028777 [ 141.462152][ T5618] FAULT_INJECTION: forcing a failure. [ 141.462152][ T5618] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 141.475673][ T5618] CPU: 1 PID: 5618 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 141.486099][ T5618] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 141.496156][ T5618] Call Trace: [ 141.499422][ T5618] [ 141.502362][ T5618] dump_stack_lvl+0x1e7/0x2d0 [ 141.507029][ T5618] ? nf_tcp_handle_invalid+0x650/0x650 [ 141.512469][ T5618] ? panic+0x770/0x770 [ 141.516541][ T5618] should_fail_ex+0x3aa/0x4e0 [ 141.521222][ T5618] prepare_alloc_pages+0x1d9/0x5b0 [ 141.526337][ T5618] __alloc_pages+0x165/0x670 [ 141.530935][ T5618] ? zone_statistics+0x170/0x170 [ 141.535880][ T5618] ? verify_lock_unused+0x140/0x140 [ 141.541074][ T5618] ? handle_mm_fault+0x11d/0x62b0 [ 141.546094][ T5618] ? __lock_acquire+0x7f70/0x7f70 [ 141.551108][ T5618] ? pte_offset_map_nolock+0x137/0x1e0 [ 141.556567][ T5618] __folio_alloc+0x13/0x30 [ 141.560978][ T5618] vma_alloc_folio+0x48a/0x9a0 [ 141.565844][ T5618] handle_mm_fault+0x2376/0x62b0 [ 141.570802][ T5618] ? handle_mm_fault+0x11d/0x62b0 [ 141.575915][ T5618] ? numa_migrate_prep+0x380/0x380 [ 141.581029][ T5618] ? mtree_range_walk+0x6a0/0x7e0 [ 141.586054][ T5618] ? lock_vma_under_rcu+0x187/0x6f0 [ 141.591252][ T5618] ? __lock_acquire+0x7f70/0x7f70 [ 141.596264][ T5618] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 141.601639][ T5618] ? lock_vma_under_rcu+0x5df/0x6f0 [ 141.606923][ T5618] ? lock_vma_under_rcu+0x187/0x6f0 [ 141.612127][ T5618] ? exc_page_fault+0x10f/0x860 [ 141.617023][ T5618] exc_page_fault+0x455/0x860 [ 141.621702][ T5618] asm_exc_page_fault+0x26/0x30 [ 141.626546][ T5618] RIP: 0033:0x7f794735bc53 [ 141.630954][ T5618] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 141.650640][ T5618] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5617] munmap(0x7f793ef10000, 2028777) = 0 [pid 5617] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 141.656701][ T5618] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 141.664751][ T5618] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 141.672714][ T5618] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 141.680763][ T5618] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 141.688723][ T5618] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 141.696696][ T5618] [pid 5617] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5617] close(3) = 0 [pid 5617] mkdir("./file0", 0777) = 0 [pid 5617] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5617] ioctl(6, LOOP_CLR_FD [pid 5618] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5618] munmap(0x7f7936b10000, 2097152) = 0 [pid 5618] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5618] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5618] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [ 141.711599][ T5617] loop0: detected capacity change from 0 to 3962 [pid 5618] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5618] close(3) = 0 [pid 5618] close(5) = 0 [pid 5618] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5616] <... futex resumed>) = 0 [pid 5618] <... futex resumed>) = 1 [pid 5618] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5617] <... ioctl resumed>) = 0 [pid 5617] close(6) = 0 [pid 5617] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5617] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5616] exit_group(0 [pid 5618] <... futex resumed>) = ? [pid 5616] <... exit_group resumed>) = ? [pid 5618] +++ exited with 0 +++ [pid 5617] <... futex resumed>) = ? [pid 5617] +++ exited with 0 +++ [pid 5616] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5616, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./192", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./192", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./192/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./192/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./192/binderfs") = 0 umount2("./192/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./192/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./192/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./192/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./192/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./192") = 0 mkdir("./193", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5619 attached [pid 5619] set_robust_list(0x555555f176a0, 24) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5619 [pid 5619] chdir("./193") = 0 [ 141.776422][ T5238] I/O error, dev loop0, sector 3712 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 5619] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5619] setpgid(0, 0) = 0 [pid 5619] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5619] write(3, "1000", 4) = 4 [pid 5619] close(3) = 0 [pid 5619] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5619] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5619] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5619] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5619] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5619] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5619] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5619] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5620 attached [pid 5620] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5619] <... clone3 resumed> => {parent_tid=[5620]}, 88) = 5620 [pid 5620] set_robust_list(0x7f79473519a0, 24 [pid 5619] rt_sigprocmask(SIG_SETMASK, [], [pid 5620] <... set_robust_list resumed>) = 0 [pid 5620] rt_sigprocmask(SIG_SETMASK, [], [pid 5619] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5620] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5619] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5620] memfd_create("syzkaller", 0 [pid 5619] <... futex resumed>) = 0 [pid 5619] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5619] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5619] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5619] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5619] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5620] <... memfd_create resumed>) = 3 [pid 5620] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5619] <... clone3 resumed> => {parent_tid=[5621]}, 88) = 5621 [pid 5619] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 ./strace-static-x86_64: Process 5621 attached [pid 5619] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5619] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5621] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5621] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5621] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5621] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5621] write(4, "85", 2) = 2 [pid 5621] memfd_create("syzkaller", 0) = 5 [pid 5621] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5620] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 141.877534][ T5621] FAULT_INJECTION: forcing a failure. [ 141.877534][ T5621] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 141.890835][ T5621] CPU: 1 PID: 5621 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 141.901269][ T5621] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 141.911327][ T5621] Call Trace: [ 141.914636][ T5621] [ 141.917560][ T5621] dump_stack_lvl+0x1e7/0x2d0 [ 141.922240][ T5621] ? nf_tcp_handle_invalid+0x650/0x650 [ 141.927706][ T5621] ? panic+0x770/0x770 [ 141.931774][ T5621] should_fail_ex+0x3aa/0x4e0 [ 141.936458][ T5621] prepare_alloc_pages+0x1d9/0x5b0 [ 141.941584][ T5621] __alloc_pages+0x165/0x670 [ 141.946190][ T5621] ? zone_statistics+0x170/0x170 [ 141.951173][ T5621] ? verify_lock_unused+0x140/0x140 [ 141.956379][ T5621] ? handle_mm_fault+0x11d/0x62b0 [ 141.961401][ T5621] ? __lock_acquire+0x7f70/0x7f70 [ 141.966428][ T5621] ? pte_offset_map_nolock+0x137/0x1e0 [ 141.971993][ T5621] __folio_alloc+0x13/0x30 [ 141.976423][ T5621] vma_alloc_folio+0x48a/0x9a0 [ 141.981199][ T5621] handle_mm_fault+0x2376/0x62b0 [ 141.986147][ T5621] ? handle_mm_fault+0x11d/0x62b0 [ 141.991173][ T5621] ? numa_migrate_prep+0x380/0x380 [ 141.996286][ T5621] ? mtree_range_walk+0x6a0/0x7e0 [ 142.001403][ T5621] ? lock_vma_under_rcu+0x187/0x6f0 [ 142.006630][ T5621] ? __lock_acquire+0x7f70/0x7f70 [ 142.011659][ T5621] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 142.016862][ T5621] ? lock_vma_under_rcu+0x5df/0x6f0 [ 142.022064][ T5621] ? lock_vma_under_rcu+0x187/0x6f0 [ 142.027288][ T5621] ? exc_page_fault+0x10f/0x860 [ 142.032138][ T5621] exc_page_fault+0x455/0x860 [ 142.037165][ T5621] asm_exc_page_fault+0x26/0x30 [ 142.042012][ T5621] RIP: 0033:0x7f794735bc53 [ 142.046420][ T5621] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 142.066040][ T5621] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5620] munmap(0x7f793ef10000, 2097152) = 0 [pid 5620] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 142.072128][ T5621] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 142.080118][ T5621] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 142.088120][ T5621] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 142.096085][ T5621] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 142.104055][ T5621] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 142.112048][ T5621] [pid 5620] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5620] close(3) = 0 [pid 5620] mkdir("./file0", 0777) = 0 [pid 5620] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5621] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5620] <... mount resumed>) = 0 [pid 5620] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5620] chdir("./file0") = 0 [pid 5620] ioctl(6, LOOP_CLR_FD) = 0 [pid 5620] close(6) = 0 [pid 5620] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5620] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5621] <... write resumed>) = 2097152 [pid 5621] munmap(0x7f7936b10000, 2097152) = 0 [pid 5621] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5621] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5621] ioctl(6, LOOP_CLR_FD) = 0 [pid 5621] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5621] close(6) = 0 [ 142.122902][ T5620] loop0: detected capacity change from 0 to 4096 [ 142.141630][ T5620] ntfs: volume version 12.0. [pid 5621] close(5) = 0 [pid 5621] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5619] <... futex resumed>) = 0 [pid 5621] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5619] exit_group(0) = ? [pid 5621] <... futex resumed>) = ? [pid 5621] +++ exited with 0 +++ [pid 5620] <... futex resumed>) = ? [pid 5620] +++ exited with 0 +++ [pid 5619] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5619, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./193", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./193", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./193/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./193/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./193/binderfs") = 0 umount2("./193/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./193/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./193/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./193/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./193/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./193/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./193") = 0 mkdir("./194", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5622 attached , child_tidptr=0x555555f17690) = 5622 [pid 5622] set_robust_list(0x555555f176a0, 24) = 0 [pid 5622] chdir("./194") = 0 [pid 5622] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5622] setpgid(0, 0) = 0 [pid 5622] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5622] write(3, "1000", 4) = 4 [pid 5622] close(3) = 0 [pid 5622] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5622] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5622] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5622] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5622] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5622] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5622] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5622] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5623]}, 88) = 5623 [pid 5622] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5622] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5622] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5622] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5622] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5622] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5622] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5624 attached [pid 5624] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5622] <... clone3 resumed> => {parent_tid=[5624]}, 88) = 5624 [pid 5624] <... rseq resumed>) = 0 [pid 5622] rt_sigprocmask(SIG_SETMASK, [], [pid 5624] set_robust_list(0x7f79473309a0, 24 [pid 5622] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5623 attached [pid 5624] <... set_robust_list resumed>) = 0 [pid 5622] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5624] rt_sigprocmask(SIG_SETMASK, [], [pid 5622] <... futex resumed>) = 0 [pid 5624] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5623] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5622] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5624] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5623] <... rseq resumed>) = 0 [pid 5623] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5623] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5624] <... openat resumed>) = 3 [pid 5624] write(3, "85", 2) = 2 [pid 5623] memfd_create("syzkaller", 0 [pid 5624] memfd_create("syzkaller", 0) = 4 [pid 5624] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5623] <... memfd_create resumed>) = 5 [pid 5623] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 142.279163][ T5624] FAULT_INJECTION: forcing a failure. [ 142.279163][ T5624] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 142.292535][ T5624] CPU: 0 PID: 5624 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 142.302963][ T5624] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 142.313019][ T5624] Call Trace: [ 142.316385][ T5624] [ 142.319308][ T5624] dump_stack_lvl+0x1e7/0x2d0 [ 142.324071][ T5624] ? nf_tcp_handle_invalid+0x650/0x650 [ 142.329528][ T5624] ? panic+0x770/0x770 [ 142.333602][ T5624] should_fail_ex+0x3aa/0x4e0 [ 142.338290][ T5624] prepare_alloc_pages+0x1d9/0x5b0 [ 142.343497][ T5624] __alloc_pages+0x165/0x670 [ 142.348084][ T5624] ? zone_statistics+0x170/0x170 [ 142.353026][ T5624] ? verify_lock_unused+0x140/0x140 [ 142.358222][ T5624] ? handle_mm_fault+0x11d/0x62b0 [ 142.363335][ T5624] ? __lock_acquire+0x7f70/0x7f70 [ 142.368438][ T5624] ? pte_offset_map_nolock+0x137/0x1e0 [ 142.374077][ T5624] __folio_alloc+0x13/0x30 [ 142.378537][ T5624] vma_alloc_folio+0x48a/0x9a0 [ 142.383301][ T5624] handle_mm_fault+0x2376/0x62b0 [ 142.388246][ T5624] ? handle_mm_fault+0x11d/0x62b0 [ 142.393283][ T5624] ? numa_migrate_prep+0x380/0x380 [ 142.398406][ T5624] ? mtree_range_walk+0x6a0/0x7e0 [ 142.403430][ T5624] ? lock_vma_under_rcu+0x187/0x6f0 [ 142.408633][ T5624] ? __lock_acquire+0x7f70/0x7f70 [ 142.413647][ T5624] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 142.418855][ T5624] ? lock_vma_under_rcu+0x5df/0x6f0 [ 142.424065][ T5624] ? lock_vma_under_rcu+0x187/0x6f0 [ 142.429308][ T5624] ? exc_page_fault+0x10f/0x860 [ 142.434158][ T5624] exc_page_fault+0x455/0x860 [ 142.438933][ T5624] asm_exc_page_fault+0x26/0x30 [ 142.443862][ T5624] RIP: 0033:0x7f794735bc53 [ 142.448271][ T5624] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 142.467958][ T5624] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [ 142.474021][ T5624] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 142.481985][ T5624] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 142.490036][ T5624] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 142.498000][ T5624] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 142.505974][ T5624] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 142.513959][ T5624] [ 142.523216][ T5624] pagefault_out_of_memory: 2 callbacks suppressed [pid 5623] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5624] munmap(0x7f793ef10000, 138412032 [pid 5623] munmap(0x7f7936b10000, 2097152 [pid 5624] <... munmap resumed>) = 0 [pid 5624] close(4) = 0 [pid 5624] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5622] <... futex resumed>) = 0 [pid 5624] <... futex resumed>) = 1 [pid 5624] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5623] <... munmap resumed>) = 0 [pid 5623] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5623] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5623] close(5) = 0 [pid 5623] mkdir("./file0", 0777) = 0 [ 142.523232][ T5624] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 142.564097][ T5623] loop0: detected capacity change from 0 to 4096 [pid 5623] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5623] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5623] chdir("./file0") = 0 [pid 5623] ioctl(4, LOOP_CLR_FD) = 0 [pid 5623] close(4) = 0 [pid 5623] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5623] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5622] exit_group(0 [pid 5624] <... futex resumed>) = ? [pid 5623] <... futex resumed>) = ? [pid 5622] <... exit_group resumed>) = ? [pid 5624] +++ exited with 0 +++ [pid 5623] +++ exited with 0 +++ [pid 5622] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5622, si_uid=0, si_status=0, si_utime=0, si_stime=36 /* 0.36 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./194", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./194", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./194/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./194/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./194/binderfs") = 0 umount2("./194/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./194/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./194/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./194/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./194/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 [ 142.576903][ T5623] ntfs: volume version 12.0. rmdir("./194/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./194") = 0 mkdir("./195", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5625 ./strace-static-x86_64: Process 5625 attached [pid 5625] set_robust_list(0x555555f176a0, 24) = 0 [pid 5625] chdir("./195") = 0 [pid 5625] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5625] setpgid(0, 0) = 0 [pid 5625] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5625] write(3, "1000", 4) = 4 [pid 5625] close(3) = 0 [pid 5625] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5625] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5625] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5625] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5625] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5625] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5625] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5625] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5626 attached [pid 5626] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5625] <... clone3 resumed> => {parent_tid=[5626]}, 88) = 5626 [pid 5626] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5625] rt_sigprocmask(SIG_SETMASK, [], [pid 5626] rt_sigprocmask(SIG_SETMASK, [], [pid 5625] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5626] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5625] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5626] memfd_create("syzkaller", 0 [pid 5625] <... futex resumed>) = 0 [pid 5626] <... memfd_create resumed>) = 3 [pid 5625] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5626] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5625] <... futex resumed>) = 0 [pid 5625] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f793ef10000 [pid 5625] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5625] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5625] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0} => {parent_tid=[5627]}, 88) = 5627 [pid 5625] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5625] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5625] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5627 attached [pid 5627] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5627] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5627] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5627] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5627] write(4, "85", 2) = 2 [pid 5627] memfd_create("syzkaller", 0) = 5 [pid 5627] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5626] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 142.692417][ T5627] FAULT_INJECTION: forcing a failure. [ 142.692417][ T5627] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 142.706060][ T5627] CPU: 1 PID: 5627 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 142.716503][ T5627] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 142.726678][ T5627] Call Trace: [ 142.729976][ T5627] [ 142.732911][ T5627] dump_stack_lvl+0x1e7/0x2d0 [ 142.737589][ T5627] ? nf_tcp_handle_invalid+0x650/0x650 [ 142.743046][ T5627] ? panic+0x770/0x770 [ 142.747118][ T5627] should_fail_ex+0x3aa/0x4e0 [ 142.751795][ T5627] prepare_alloc_pages+0x1d9/0x5b0 [ 142.756922][ T5627] __alloc_pages+0x165/0x670 [ 142.761516][ T5627] ? zone_statistics+0x170/0x170 [ 142.766453][ T5627] ? verify_lock_unused+0x140/0x140 [ 142.771643][ T5627] ? handle_mm_fault+0x11d/0x62b0 [ 142.776660][ T5627] ? __lock_acquire+0x7f70/0x7f70 [ 142.781674][ T5627] ? pte_offset_map_nolock+0x137/0x1e0 [ 142.787129][ T5627] __folio_alloc+0x13/0x30 [ 142.791541][ T5627] vma_alloc_folio+0x48a/0x9a0 [ 142.796309][ T5627] handle_mm_fault+0x2376/0x62b0 [ 142.801253][ T5627] ? handle_mm_fault+0x11d/0x62b0 [ 142.806291][ T5627] ? numa_migrate_prep+0x380/0x380 [ 142.811409][ T5627] ? mtree_range_walk+0x6a0/0x7e0 [ 142.816519][ T5627] ? lock_vma_under_rcu+0x187/0x6f0 [ 142.821717][ T5627] ? __lock_acquire+0x7f70/0x7f70 [ 142.826747][ T5627] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 142.831956][ T5627] ? lock_vma_under_rcu+0x5df/0x6f0 [ 142.837166][ T5627] ? lock_vma_under_rcu+0x187/0x6f0 [ 142.842369][ T5627] ? exc_page_fault+0x10f/0x860 [ 142.847213][ T5627] exc_page_fault+0x455/0x860 [ 142.851889][ T5627] asm_exc_page_fault+0x26/0x30 [ 142.856732][ T5627] RIP: 0033:0x7f794735bc53 [ 142.861142][ T5627] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 142.880742][ T5627] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5626] munmap(0x7f793ef31000, 2097152) = 0 [pid 5626] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 142.886807][ T5627] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 142.894859][ T5627] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 142.902834][ T5627] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 142.910833][ T5627] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 142.918802][ T5627] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 142.926777][ T5627] [ 142.934326][ T5627] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5626] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5626] close(3) = 0 [pid 5626] mkdir("./file0", 0777) = 0 [pid 5626] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5627] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5626] <... mount resumed>) = 0 [pid 5626] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5626] chdir("./file0") = 0 [pid 5626] ioctl(6, LOOP_CLR_FD) = 0 [pid 5626] close(6) = 0 [pid 5626] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5626] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5627] <... write resumed>) = 2097152 [pid 5627] munmap(0x7f7936b10000, 2097152) = 0 [pid 5627] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5627] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5627] ioctl(6, LOOP_CLR_FD) = 0 [ 142.942859][ T5626] loop0: detected capacity change from 0 to 4096 [ 142.962206][ T5626] ntfs: volume version 12.0. [pid 5627] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5627] close(6) = 0 [pid 5627] close(5) = 0 [pid 5627] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5625] <... futex resumed>) = 0 [pid 5625] exit_group(0) = ? [pid 5626] <... futex resumed>) = ? [pid 5627] <... futex resumed>) = ? [pid 5626] +++ exited with 0 +++ [pid 5627] +++ exited with 0 +++ [pid 5625] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5625, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./195", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./195", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./195/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./195/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./195/binderfs") = 0 umount2("./195/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./195/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./195/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./195/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./195/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./195/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./195") = 0 mkdir("./196", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5628 ./strace-static-x86_64: Process 5628 attached [pid 5628] set_robust_list(0x555555f176a0, 24) = 0 [pid 5628] chdir("./196") = 0 [pid 5628] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5628] setpgid(0, 0) = 0 [pid 5628] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5628] write(3, "1000", 4) = 4 [pid 5628] close(3) = 0 [pid 5628] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5628] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5628] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5628] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5628] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5628] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5628] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5628] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5629 attached [pid 5629] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5628] <... clone3 resumed> => {parent_tid=[5629]}, 88) = 5629 [pid 5629] <... rseq resumed>) = 0 [pid 5628] rt_sigprocmask(SIG_SETMASK, [], [pid 5629] set_robust_list(0x7f79473519a0, 24 [pid 5628] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5629] <... set_robust_list resumed>) = 0 [pid 5628] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5629] rt_sigprocmask(SIG_SETMASK, [], [pid 5628] <... futex resumed>) = 0 [pid 5629] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5628] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5629] memfd_create("syzkaller", 0 [pid 5628] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5628] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5628] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5628] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5630 attached => {parent_tid=[5630]}, 88) = 5630 [pid 5628] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5628] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5628] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5629] <... memfd_create resumed>) = 3 [pid 5629] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5630] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5630] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5630] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5630] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5630] write(4, "85", 2) = 2 [pid 5630] memfd_create("syzkaller", 0) = 5 [pid 5630] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5629] munmap(0x7f793ef10000, 138412032) = 0 [pid 5629] close(3) = 0 [pid 5629] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 143.102893][ T5630] FAULT_INJECTION: forcing a failure. [ 143.102893][ T5630] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 143.126878][ T5630] CPU: 0 PID: 5630 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 143.137356][ T5630] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 143.147445][ T5630] Call Trace: [ 143.150752][ T5630] [ 143.153678][ T5630] dump_stack_lvl+0x1e7/0x2d0 [ 143.158362][ T5630] ? nf_tcp_handle_invalid+0x650/0x650 [ 143.163839][ T5630] ? panic+0x770/0x770 [ 143.167925][ T5630] should_fail_ex+0x3aa/0x4e0 [ 143.172627][ T5630] prepare_alloc_pages+0x1d9/0x5b0 [ 143.177738][ T5630] __alloc_pages+0x165/0x670 [ 143.182335][ T5630] ? zone_statistics+0x170/0x170 [ 143.187290][ T5630] ? verify_lock_unused+0x140/0x140 [ 143.192500][ T5630] ? handle_mm_fault+0x11d/0x62b0 [ 143.197543][ T5630] ? __lock_acquire+0x7f70/0x7f70 [ 143.202557][ T5630] ? pte_offset_map_nolock+0x137/0x1e0 [ 143.208020][ T5630] __folio_alloc+0x13/0x30 [ 143.212432][ T5630] vma_alloc_folio+0x48a/0x9a0 [ 143.217212][ T5630] handle_mm_fault+0x2376/0x62b0 [ 143.222146][ T5630] ? handle_mm_fault+0x11d/0x62b0 [ 143.227608][ T5630] ? numa_migrate_prep+0x380/0x380 [ 143.232732][ T5630] ? mtree_range_walk+0x6a0/0x7e0 [ 143.237794][ T5630] ? lock_vma_under_rcu+0x187/0x6f0 [ 143.243003][ T5630] ? __lock_acquire+0x7f70/0x7f70 [ 143.248025][ T5630] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 143.253248][ T5630] ? lock_vma_under_rcu+0x5df/0x6f0 [ 143.258459][ T5630] ? lock_vma_under_rcu+0x187/0x6f0 [ 143.263658][ T5630] ? exc_page_fault+0x10f/0x860 [ 143.268503][ T5630] exc_page_fault+0x455/0x860 [ 143.273181][ T5630] asm_exc_page_fault+0x26/0x30 [ 143.278021][ T5630] RIP: 0033:0x7f794735bc53 [ 143.282426][ T5630] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 143.302295][ T5630] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 143.308376][ T5630] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 143.316347][ T5630] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 143.324323][ T5630] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 143.332284][ T5630] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 143.340422][ T5630] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 143.348411][ T5630] [pid 5629] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5630] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5630] munmap(0x7f7936b10000, 2097152) = 0 [pid 5630] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5630] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5630] close(5) = 0 [pid 5630] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [ 143.356294][ T5630] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 143.391475][ T5630] loop0: detected capacity change from 0 to 4096 [pid 5630] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5630] ioctl(3, LOOP_CLR_FD) = 0 [ 143.409083][ T5630] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 143.416149][ T5630] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5630] close(3) = 0 [pid 5630] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5628] <... futex resumed>) = 0 [pid 5630] <... futex resumed>) = 1 [pid 5628] exit_group(0 [pid 5629] <... futex resumed>) = ? [pid 5628] <... exit_group resumed>) = ? [pid 5630] +++ exited with 0 +++ [pid 5629] +++ exited with 0 +++ [pid 5628] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5628, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=9 /* 0.09 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./196", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./196", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./196/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./196/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./196/binderfs") = 0 umount2("\x2e\x2f\x31\x39\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x39\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x39\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x39\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x39\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./196") = 0 mkdir("./197", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5631 attached , child_tidptr=0x555555f17690) = 5631 [pid 5631] set_robust_list(0x555555f176a0, 24) = 0 [pid 5631] chdir("./197") = 0 [pid 5631] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5631] setpgid(0, 0) = 0 [pid 5631] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5631] write(3, "1000", 4) = 4 [pid 5631] close(3) = 0 [pid 5631] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5631] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5631] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5631] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5631] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5631] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5631] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5631] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5632]}, 88) = 5632 [pid 5631] rt_sigprocmask(SIG_SETMASK, [], ./strace-static-x86_64: Process 5632 attached NULL, 8) = 0 [pid 5631] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5631] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5631] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5631] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5632] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5631] <... mprotect resumed>) = 0 [pid 5632] <... rseq resumed>) = 0 [pid 5632] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5632] rt_sigprocmask(SIG_SETMASK, [], [pid 5631] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5632] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5631] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5631] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5633 attached [pid 5633] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5631] <... clone3 resumed> => {parent_tid=[5633]}, 88) = 5633 [pid 5633] <... rseq resumed>) = 0 [pid 5631] rt_sigprocmask(SIG_SETMASK, [], [pid 5633] set_robust_list(0x7f79473309a0, 24 [pid 5632] memfd_create("syzkaller", 0 [pid 5631] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5633] <... set_robust_list resumed>) = 0 [pid 5631] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5633] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5631] <... futex resumed>) = 0 [pid 5633] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5631] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5633] <... openat resumed>) = 3 [pid 5633] write(3, "85", 2) = 2 [pid 5633] memfd_create("syzkaller", 0) = 4 [pid 5633] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5632] <... memfd_create resumed>) = 5 [ 143.518658][ T5633] FAULT_INJECTION: forcing a failure. [ 143.518658][ T5633] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 143.532229][ T5633] CPU: 0 PID: 5633 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 143.542656][ T5633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 143.552704][ T5633] Call Trace: [ 143.555992][ T5633] [ 143.558908][ T5633] dump_stack_lvl+0x1e7/0x2d0 [ 143.563588][ T5633] ? nf_tcp_handle_invalid+0x650/0x650 [ 143.569043][ T5633] ? panic+0x770/0x770 [ 143.573114][ T5633] should_fail_ex+0x3aa/0x4e0 [ 143.577783][ T5633] prepare_alloc_pages+0x1d9/0x5b0 [ 143.582891][ T5633] __alloc_pages+0x165/0x670 [ 143.587491][ T5633] ? zone_statistics+0x170/0x170 [ 143.592413][ T5633] ? verify_lock_unused+0x140/0x140 [ 143.597595][ T5633] ? handle_mm_fault+0x11d/0x62b0 [ 143.602605][ T5633] ? __lock_acquire+0x7f70/0x7f70 [ 143.607702][ T5633] ? pte_offset_map_nolock+0x137/0x1e0 [ 143.613147][ T5633] __folio_alloc+0x13/0x30 [ 143.617552][ T5633] vma_alloc_folio+0x48a/0x9a0 [ 143.622304][ T5633] handle_mm_fault+0x2376/0x62b0 [ 143.627236][ T5633] ? handle_mm_fault+0x11d/0x62b0 [ 143.632252][ T5633] ? numa_migrate_prep+0x380/0x380 [ 143.637359][ T5633] ? mtree_range_walk+0x6a0/0x7e0 [ 143.642370][ T5633] ? lock_vma_under_rcu+0x187/0x6f0 [ 143.647550][ T5633] ? __lock_acquire+0x7f70/0x7f70 [ 143.652761][ T5633] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 143.657951][ T5633] ? lock_vma_under_rcu+0x5df/0x6f0 [ 143.663135][ T5633] ? lock_vma_under_rcu+0x187/0x6f0 [ 143.668328][ T5633] ? exc_page_fault+0x10f/0x860 [ 143.673166][ T5633] exc_page_fault+0x455/0x860 [ 143.677846][ T5633] asm_exc_page_fault+0x26/0x30 [ 143.682809][ T5633] RIP: 0033:0x7f794735bc53 [ 143.687209][ T5633] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 143.706889][ T5633] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5632] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5632] munmap(0x7f7936b10000, 138412032) = 0 [pid 5632] close(5) = 0 [pid 5632] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5632] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5633] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5633] munmap(0x7f793ef10000, 2097152) = 0 [pid 5633] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 143.712941][ T5633] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 143.720900][ T5633] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 143.729121][ T5633] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 143.737076][ T5633] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 143.745031][ T5633] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 143.753016][ T5633] [ 143.760954][ T5633] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5633] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5633] close(4) = 0 [pid 5633] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5633] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 143.798840][ T5633] loop0: detected capacity change from 0 to 4096 [ 143.814630][ T5633] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 143.821943][ T5633] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5633] ioctl(5, LOOP_CLR_FD) = 0 [pid 5633] close(5) = 0 [pid 5633] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5631] <... futex resumed>) = 0 [pid 5631] exit_group(0 [pid 5632] <... futex resumed>) = ? [pid 5631] <... exit_group resumed>) = ? [pid 5632] +++ exited with 0 +++ [pid 5633] <... futex resumed>) = ? [pid 5633] +++ exited with 0 +++ [pid 5631] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5631, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./197", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./197", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./197/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./197/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./197/binderfs") = 0 umount2("\x2e\x2f\x31\x39\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x39\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x39\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x39\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x39\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./197") = 0 mkdir("./198", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5634 attached , child_tidptr=0x555555f17690) = 5634 [pid 5634] set_robust_list(0x555555f176a0, 24) = 0 [pid 5634] chdir("./198") = 0 [pid 5634] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5634] setpgid(0, 0) = 0 [pid 5634] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5634] write(3, "1000", 4) = 4 [pid 5634] close(3) = 0 [pid 5634] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5634] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5634] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5634] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5634] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5634] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5634] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5634] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5635 attached [pid 5635] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5634] <... clone3 resumed> => {parent_tid=[5635]}, 88) = 5635 [pid 5635] <... rseq resumed>) = 0 [pid 5634] rt_sigprocmask(SIG_SETMASK, [], [pid 5635] set_robust_list(0x7f79473519a0, 24 [pid 5634] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5635] <... set_robust_list resumed>) = 0 [pid 5635] rt_sigprocmask(SIG_SETMASK, [], [pid 5634] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5635] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5634] <... futex resumed>) = 0 [pid 5634] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5634] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5634] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5634] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5634] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5636 attached [pid 5635] memfd_create("syzkaller", 0) = 3 [pid 5634] <... clone3 resumed> => {parent_tid=[5636]}, 88) = 5636 [pid 5636] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5634] rt_sigprocmask(SIG_SETMASK, [], [pid 5636] <... rseq resumed>) = 0 [pid 5636] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5636] rt_sigprocmask(SIG_SETMASK, [], [pid 5635] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5634] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5635] <... mmap resumed>) = 0x7f793ef10000 [pid 5634] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5636] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5634] <... futex resumed>) = 0 [pid 5634] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5636] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5636] write(4, "85", 2) = 2 [pid 5636] memfd_create("syzkaller", 0) = 5 [pid 5636] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5635] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2548928) = 2548928 [ 143.972534][ T5636] FAULT_INJECTION: forcing a failure. [ 143.972534][ T5636] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 143.986155][ T5636] CPU: 1 PID: 5636 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 143.996606][ T5636] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 144.006683][ T5636] Call Trace: [ 144.010585][ T5636] [ 144.013532][ T5636] dump_stack_lvl+0x1e7/0x2d0 [ 144.018228][ T5636] ? nf_tcp_handle_invalid+0x650/0x650 [ 144.023690][ T5636] ? panic+0x770/0x770 [ 144.027763][ T5636] should_fail_ex+0x3aa/0x4e0 [ 144.032461][ T5636] prepare_alloc_pages+0x1d9/0x5b0 [ 144.037690][ T5636] __alloc_pages+0x165/0x670 [ 144.042281][ T5636] ? zone_statistics+0x170/0x170 [ 144.047216][ T5636] ? verify_lock_unused+0x140/0x140 [ 144.052405][ T5636] ? handle_mm_fault+0x11d/0x62b0 [ 144.057422][ T5636] ? __lock_acquire+0x7f70/0x7f70 [ 144.062441][ T5636] ? pte_offset_map_nolock+0x137/0x1e0 [ 144.067895][ T5636] __folio_alloc+0x13/0x30 [ 144.072312][ T5636] vma_alloc_folio+0x48a/0x9a0 [ 144.077074][ T5636] handle_mm_fault+0x2376/0x62b0 [ 144.082026][ T5636] ? handle_mm_fault+0x11d/0x62b0 [ 144.087053][ T5636] ? numa_migrate_prep+0x380/0x380 [ 144.092172][ T5636] ? mtree_range_walk+0x6a0/0x7e0 [ 144.097198][ T5636] ? lock_vma_under_rcu+0x187/0x6f0 [ 144.102425][ T5636] ? __lock_acquire+0x7f70/0x7f70 [ 144.107452][ T5636] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 144.112679][ T5636] ? lock_vma_under_rcu+0x5df/0x6f0 [ 144.117887][ T5636] ? lock_vma_under_rcu+0x187/0x6f0 [ 144.123146][ T5636] ? exc_page_fault+0x10f/0x860 [ 144.128005][ T5636] exc_page_fault+0x455/0x860 [ 144.132724][ T5636] asm_exc_page_fault+0x26/0x30 [ 144.137596][ T5636] RIP: 0033:0x7f794735bc53 [ 144.142011][ T5636] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 144.161800][ T5636] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 144.167963][ T5636] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 144.175928][ T5636] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 144.183891][ T5636] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 144.191857][ T5636] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 144.199824][ T5636] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 144.207803][ T5636] [ 144.211509][ T5636] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5635] munmap(0x7f793ef10000, 2548928) = 0 [pid 5635] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5635] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5635] close(3) = 0 [pid 5635] mkdir("./file0", 0777) = 0 [pid 5635] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5635] ioctl(6, LOOP_CLR_FD [pid 5636] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5636] munmap(0x7f7936b10000, 2097152) = 0 [pid 5636] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5636] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5636] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5636] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5636] close(3) = 0 [pid 5636] close(5) = 0 [pid 5636] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5634] <... futex resumed>) = 0 [pid 5636] <... futex resumed>) = 1 [ 144.227343][ T5635] loop0: detected capacity change from 0 to 4978 [pid 5636] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5635] <... ioctl resumed>) = 0 [pid 5635] close(6) = 0 [pid 5635] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5634] exit_group(0 [pid 5635] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5636] <... futex resumed>) = ? [pid 5635] +++ exited with 0 +++ [pid 5634] <... exit_group resumed>) = ? [pid 5636] +++ exited with 0 +++ [pid 5634] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5634, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=17 /* 0.17 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./198", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./198", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./198/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./198/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./198/binderfs") = 0 umount2("./198/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./198/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./198/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./198/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./198/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./198") = 0 mkdir("./199", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5637 attached , child_tidptr=0x555555f17690) = 5637 [pid 5637] set_robust_list(0x555555f176a0, 24) = 0 [pid 5637] chdir("./199") = 0 [pid 5637] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [ 144.290842][ T5238] I/O error, dev loop0, sector 4736 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 5637] setpgid(0, 0) = 0 [pid 5637] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5637] write(3, "1000", 4) = 4 [pid 5637] close(3) = 0 [pid 5637] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5637] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5637] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5637] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5637] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5637] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5637] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5637] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5638 attached => {parent_tid=[5638]}, 88) = 5638 [pid 5637] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5637] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5637] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5637] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5638] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5637] <... mmap resumed>) = 0x7f7947310000 [pid 5637] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5637] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5637] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5638] <... rseq resumed>) = 0 [pid 5638] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5637] <... clone3 resumed> => {parent_tid=[5639]}, 88) = 5639 ./strace-static-x86_64: Process 5639 attached [pid 5638] rt_sigprocmask(SIG_SETMASK, [], [pid 5639] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5638] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5637] rt_sigprocmask(SIG_SETMASK, [], [pid 5639] <... rseq resumed>) = 0 [pid 5637] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5637] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5637] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5638] memfd_create("syzkaller", 0 [pid 5639] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5638] <... memfd_create resumed>) = 3 [pid 5638] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5639] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5639] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5639] write(4, "85", 2) = 2 [pid 5639] memfd_create("syzkaller", 0) = 5 [pid 5639] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5638] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 144.390171][ T5639] FAULT_INJECTION: forcing a failure. [ 144.390171][ T5639] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 144.403500][ T5639] CPU: 1 PID: 5639 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 144.413932][ T5639] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 144.424001][ T5639] Call Trace: [ 144.427280][ T5639] [ 144.430203][ T5639] dump_stack_lvl+0x1e7/0x2d0 [ 144.434882][ T5639] ? nf_tcp_handle_invalid+0x650/0x650 [ 144.440367][ T5639] ? panic+0x770/0x770 [ 144.444463][ T5639] should_fail_ex+0x3aa/0x4e0 [ 144.449172][ T5639] prepare_alloc_pages+0x1d9/0x5b0 [ 144.454294][ T5639] __alloc_pages+0x165/0x670 [ 144.458902][ T5639] ? zone_statistics+0x170/0x170 [ 144.463850][ T5639] ? verify_lock_unused+0x140/0x140 [ 144.469042][ T5639] ? handle_mm_fault+0x11d/0x62b0 [ 144.474062][ T5639] ? __lock_acquire+0x7f70/0x7f70 [ 144.479075][ T5639] ? pte_offset_map_nolock+0x137/0x1e0 [ 144.484533][ T5639] __folio_alloc+0x13/0x30 [ 144.488945][ T5639] vma_alloc_folio+0x48a/0x9a0 [ 144.493710][ T5639] handle_mm_fault+0x2376/0x62b0 [ 144.498651][ T5639] ? handle_mm_fault+0x11d/0x62b0 [ 144.503685][ T5639] ? numa_migrate_prep+0x380/0x380 [ 144.508797][ T5639] ? mtree_range_walk+0x6a0/0x7e0 [ 144.513818][ T5639] ? lock_vma_under_rcu+0x187/0x6f0 [ 144.519012][ T5639] ? __lock_acquire+0x7f70/0x7f70 [ 144.524030][ T5639] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 144.529230][ T5639] ? lock_vma_under_rcu+0x5df/0x6f0 [ 144.534422][ T5639] ? lock_vma_under_rcu+0x187/0x6f0 [ 144.539625][ T5639] ? exc_page_fault+0x10f/0x860 [ 144.544476][ T5639] exc_page_fault+0x455/0x860 [ 144.549152][ T5639] asm_exc_page_fault+0x26/0x30 [ 144.554080][ T5639] RIP: 0033:0x7f794735bc53 [ 144.558488][ T5639] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 144.578173][ T5639] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5638] munmap(0x7f793ef10000, 2097152) = 0 [pid 5638] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 144.584321][ T5639] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 144.592457][ T5639] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 144.600420][ T5639] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 144.608484][ T5639] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 144.616466][ T5639] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 144.624467][ T5639] [ 144.627803][ T5639] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5638] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5638] close(3) = 0 [pid 5638] mkdir("./file0", 0777 [pid 5639] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5638] <... mkdir resumed>) = 0 [pid 5638] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5638] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5638] chdir("./file0") = 0 [pid 5638] ioctl(6, LOOP_CLR_FD) = 0 [pid 5638] close(6 [pid 5639] <... write resumed>) = 2097152 [pid 5638] <... close resumed>) = 0 [pid 5639] munmap(0x7f7936b10000, 2097152 [pid 5638] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5638] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5639] <... munmap resumed>) = 0 [pid 5639] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5639] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5639] ioctl(6, LOOP_CLR_FD) = 0 [pid 5639] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5639] close(6) = 0 [ 144.648612][ T5638] loop0: detected capacity change from 0 to 4096 [ 144.668413][ T5638] ntfs: volume version 12.0. [pid 5639] close(5) = 0 [pid 5639] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5639] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5637] <... futex resumed>) = 0 [pid 5637] exit_group(0 [pid 5639] <... futex resumed>) = ? [pid 5638] <... futex resumed>) = ? [pid 5637] <... exit_group resumed>) = ? [pid 5639] +++ exited with 0 +++ [pid 5638] +++ exited with 0 +++ [pid 5637] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5637, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./199", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./199", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./199/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./199/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./199/binderfs") = 0 umount2("./199/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./199/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./199/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./199/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./199/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./199/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./199") = 0 mkdir("./200", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5640 attached , child_tidptr=0x555555f17690) = 5640 [pid 5640] set_robust_list(0x555555f176a0, 24) = 0 [pid 5640] chdir("./200") = 0 [pid 5640] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5640] setpgid(0, 0) = 0 [pid 5640] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5640] write(3, "1000", 4) = 4 [pid 5640] close(3) = 0 [pid 5640] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5640] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5640] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5640] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5640] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5640] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5640] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5640] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5641 attached => {parent_tid=[5641]}, 88) = 5641 [pid 5640] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5640] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5640] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5640] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5640] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5641] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5640] <... mprotect resumed>) = 0 [pid 5641] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5640] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5641] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5640] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5640] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5642 attached [pid 5641] memfd_create("syzkaller", 0 [pid 5642] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5641] <... memfd_create resumed>) = 3 [pid 5642] <... rseq resumed>) = 0 [pid 5640] <... clone3 resumed> => {parent_tid=[5642]}, 88) = 5642 [pid 5641] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5642] set_robust_list(0x7f79473309a0, 24 [pid 5640] rt_sigprocmask(SIG_SETMASK, [], [pid 5642] <... set_robust_list resumed>) = 0 [pid 5641] <... mmap resumed>) = 0x7f793ef10000 [pid 5642] rt_sigprocmask(SIG_SETMASK, [], [pid 5640] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5642] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5640] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5642] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5641] munmap(0x7f793ef10000, 138412032 [pid 5640] <... futex resumed>) = 0 [pid 5642] <... openat resumed>) = 4 [pid 5640] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5642] write(4, "85", 2) = 2 [pid 5642] memfd_create("syzkaller", 0) = 5 [pid 5642] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5641] <... munmap resumed>) = 0 [pid 5642] <... mmap resumed>) = 0x7f793ef10000 [pid 5641] close(3) = 0 [pid 5641] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 144.810682][ T5642] FAULT_INJECTION: forcing a failure. [ 144.810682][ T5642] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 144.824309][ T5642] CPU: 0 PID: 5642 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 144.834755][ T5642] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 144.844840][ T5642] Call Trace: [ 144.848121][ T5642] [ 144.851044][ T5642] dump_stack_lvl+0x1e7/0x2d0 [ 144.855731][ T5642] ? nf_tcp_handle_invalid+0x650/0x650 [ 144.861218][ T5642] ? panic+0x770/0x770 [ 144.865312][ T5642] should_fail_ex+0x3aa/0x4e0 [ 144.870016][ T5642] prepare_alloc_pages+0x1d9/0x5b0 [ 144.875224][ T5642] __alloc_pages+0x165/0x670 [ 144.879837][ T5642] ? zone_statistics+0x170/0x170 [ 144.884784][ T5642] ? verify_lock_unused+0x140/0x140 [ 144.889981][ T5642] ? handle_mm_fault+0x11d/0x62b0 [ 144.895008][ T5642] ? __lock_acquire+0x7f70/0x7f70 [ 144.900024][ T5642] ? pte_offset_map_nolock+0x137/0x1e0 [ 144.905480][ T5642] __folio_alloc+0x13/0x30 [ 144.909894][ T5642] vma_alloc_folio+0x48a/0x9a0 [ 144.914664][ T5642] handle_mm_fault+0x2376/0x62b0 [ 144.920907][ T5642] ? handle_mm_fault+0x11d/0x62b0 [ 144.925935][ T5642] ? numa_migrate_prep+0x380/0x380 [ 144.931066][ T5642] ? mtree_range_walk+0x6a0/0x7e0 [ 144.936099][ T5642] ? lock_vma_under_rcu+0x187/0x6f0 [ 144.941302][ T5642] ? __lock_acquire+0x7f70/0x7f70 [ 144.946330][ T5642] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 144.951546][ T5642] ? lock_vma_under_rcu+0x5df/0x6f0 [ 144.956743][ T5642] ? lock_vma_under_rcu+0x187/0x6f0 [ 144.961953][ T5642] ? exc_page_fault+0x10f/0x860 [ 144.966888][ T5642] exc_page_fault+0x455/0x860 [ 144.971569][ T5642] asm_exc_page_fault+0x26/0x30 [ 144.976412][ T5642] RIP: 0033:0x7f794735bd00 [ 144.980821][ T5642] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 145.000511][ T5642] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5641] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5642] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5642] munmap(0x7f793ef10000, 2097152) = 0 [pid 5642] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 145.006578][ T5642] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 145.014539][ T5642] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 145.022502][ T5642] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 145.030470][ T5642] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 145.038430][ T5642] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 145.046408][ T5642] [ 145.051724][ T5642] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5642] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5642] close(5) = 0 [pid 5642] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5642] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 145.089554][ T5642] loop0: detected capacity change from 0 to 4096 [ 145.107964][ T5642] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 145.115016][ T5642] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5642] ioctl(3, LOOP_CLR_FD) = 0 [pid 5642] close(3) = 0 [pid 5642] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5640] <... futex resumed>) = 0 [pid 5642] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5640] exit_group(0) = ? [pid 5641] <... futex resumed>) = ? [pid 5641] +++ exited with 0 +++ [pid 5642] <... futex resumed>) = ? [pid 5642] +++ exited with 0 +++ [pid 5640] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5640, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./200", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./200", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./200/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./200/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./200/binderfs") = 0 umount2("\x2e\x2f\x32\x30\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x30\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x30\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x30\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x30\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./200") = 0 mkdir("./201", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5643 attached , child_tidptr=0x555555f17690) = 5643 [pid 5643] set_robust_list(0x555555f176a0, 24) = 0 [pid 5643] chdir("./201") = 0 [pid 5643] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5643] setpgid(0, 0) = 0 [pid 5643] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5643] write(3, "1000", 4) = 4 [pid 5643] close(3) = 0 [pid 5643] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5643] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5643] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5643] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5643] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5643] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5643] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5643] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5644]}, 88) = 5644 [pid 5643] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 ./strace-static-x86_64: Process 5644 attached [pid 5644] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5644] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5643] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5644] rt_sigprocmask(SIG_SETMASK, [], [pid 5643] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5644] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5643] <... futex resumed>) = 0 [pid 5643] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5643] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5643] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5644] memfd_create("syzkaller", 0 [pid 5643] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5643] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5645 attached => {parent_tid=[5645]}, 88) = 5645 [pid 5645] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5643] rt_sigprocmask(SIG_SETMASK, [], [pid 5645] <... rseq resumed>) = 0 [pid 5643] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5643] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5645] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5643] <... futex resumed>) = 0 [pid 5645] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5643] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5645] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5644] <... memfd_create resumed>) = 3 [pid 5644] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5644] munmap(0x7f793ef10000, 138412032 [pid 5645] <... openat resumed>) = 4 [pid 5644] <... munmap resumed>) = 0 [pid 5644] close(3 [pid 5645] write(4, "85", 2 [pid 5644] <... close resumed>) = 0 [pid 5644] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5645] <... write resumed>) = 2 [pid 5645] memfd_create("syzkaller", 0) = 3 [pid 5645] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5644] <... futex resumed>) = 0 [ 145.247610][ T5645] FAULT_INJECTION: forcing a failure. [ 145.247610][ T5645] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 145.260967][ T5645] CPU: 1 PID: 5645 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 145.271501][ T5645] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 145.281572][ T5645] Call Trace: [ 145.284852][ T5645] [ 145.287790][ T5645] dump_stack_lvl+0x1e7/0x2d0 [ 145.292460][ T5645] ? nf_tcp_handle_invalid+0x650/0x650 [ 145.297913][ T5645] ? panic+0x770/0x770 [ 145.302009][ T5645] should_fail_ex+0x3aa/0x4e0 [ 145.306681][ T5645] prepare_alloc_pages+0x1d9/0x5b0 [ 145.311789][ T5645] __alloc_pages+0x165/0x670 [ 145.316382][ T5645] ? zone_statistics+0x170/0x170 [ 145.321322][ T5645] ? verify_lock_unused+0x140/0x140 [ 145.326517][ T5645] ? handle_mm_fault+0x11d/0x62b0 [ 145.331673][ T5645] ? __lock_acquire+0x7f70/0x7f70 [ 145.336692][ T5645] ? pte_offset_map_nolock+0x137/0x1e0 [ 145.342149][ T5645] __folio_alloc+0x13/0x30 [ 145.346573][ T5645] vma_alloc_folio+0x48a/0x9a0 [ 145.351434][ T5645] handle_mm_fault+0x2376/0x62b0 [ 145.356643][ T5645] ? handle_mm_fault+0x11d/0x62b0 [ 145.361672][ T5645] ? numa_migrate_prep+0x380/0x380 [ 145.366788][ T5645] ? mtree_range_walk+0x6a0/0x7e0 [ 145.371808][ T5645] ? lock_vma_under_rcu+0x187/0x6f0 [ 145.377016][ T5645] ? __lock_acquire+0x7f70/0x7f70 [ 145.382030][ T5645] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 145.387234][ T5645] ? lock_vma_under_rcu+0x5df/0x6f0 [ 145.392429][ T5645] ? lock_vma_under_rcu+0x187/0x6f0 [ 145.397631][ T5645] ? exc_page_fault+0x10f/0x860 [ 145.402477][ T5645] exc_page_fault+0x455/0x860 [ 145.407160][ T5645] asm_exc_page_fault+0x26/0x30 [ 145.412003][ T5645] RIP: 0033:0x7f794735bd00 [ 145.416497][ T5645] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 145.436099][ T5645] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5644] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5645] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5645] munmap(0x7f793ef10000, 2097152) = 0 [pid 5645] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 145.442163][ T5645] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 145.450214][ T5645] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 145.458176][ T5645] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 145.466142][ T5645] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 145.474108][ T5645] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 145.482253][ T5645] [ 145.485616][ T5645] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5645] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5645] close(3) = 0 [pid 5645] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5645] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 145.527390][ T5645] loop0: detected capacity change from 0 to 4096 [ 145.546443][ T5645] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 145.553473][ T5645] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5645] ioctl(5, LOOP_CLR_FD) = 0 [pid 5645] close(5) = 0 [pid 5645] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5643] <... futex resumed>) = 0 [pid 5643] exit_group(0) = ? [pid 5645] <... futex resumed>) = ? [pid 5645] +++ exited with 0 +++ [pid 5644] <... futex resumed>) = ? [pid 5644] +++ exited with 0 +++ [pid 5643] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5643, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./201", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./201", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./201/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./201/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./201/binderfs") = 0 umount2("\x2e\x2f\x32\x30\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x30\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x30\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x30\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x30\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./201") = 0 mkdir("./202", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5646 attached , child_tidptr=0x555555f17690) = 5646 [pid 5646] set_robust_list(0x555555f176a0, 24) = 0 [pid 5646] chdir("./202") = 0 [pid 5646] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5646] setpgid(0, 0) = 0 [pid 5646] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5646] write(3, "1000", 4) = 4 [pid 5646] close(3) = 0 [pid 5646] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5646] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5646] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5646] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5646] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5646] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5646] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5646] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5647 attached => {parent_tid=[5647]}, 88) = 5647 [pid 5647] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5647] set_robust_list(0x7f79473519a0, 24 [pid 5646] rt_sigprocmask(SIG_SETMASK, [], [pid 5647] <... set_robust_list resumed>) = 0 [pid 5646] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5647] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5647] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5646] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5647] <... futex resumed>) = 0 [pid 5646] <... futex resumed>) = 1 [pid 5647] memfd_create("syzkaller", 0 [pid 5646] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5647] <... memfd_create resumed>) = 3 [pid 5647] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5646] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f793ef10000 [pid 5646] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5646] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5646] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5648 attached [pid 5648] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5646] <... clone3 resumed> => {parent_tid=[5648]}, 88) = 5648 [pid 5648] set_robust_list(0x7f793ef309a0, 24 [pid 5646] rt_sigprocmask(SIG_SETMASK, [], [pid 5648] <... set_robust_list resumed>) = 0 [pid 5646] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5648] rt_sigprocmask(SIG_SETMASK, [], [pid 5646] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5648] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5646] <... futex resumed>) = 0 [pid 5648] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5646] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5648] <... openat resumed>) = 4 [pid 5648] write(4, "85", 2) = 2 [pid 5648] memfd_create("syzkaller", 0) = 5 [pid 5648] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5647] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 145.687015][ T5648] FAULT_INJECTION: forcing a failure. [ 145.687015][ T5648] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 145.700844][ T5648] CPU: 1 PID: 5648 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 145.711279][ T5648] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 145.721367][ T5648] Call Trace: [ 145.725875][ T5648] [ 145.728802][ T5648] dump_stack_lvl+0x1e7/0x2d0 [ 145.733602][ T5648] ? nf_tcp_handle_invalid+0x650/0x650 [ 145.739061][ T5648] ? panic+0x770/0x770 [ 145.743145][ T5648] should_fail_ex+0x3aa/0x4e0 [ 145.747826][ T5648] prepare_alloc_pages+0x1d9/0x5b0 [ 145.752941][ T5648] __alloc_pages+0x165/0x670 [ 145.757533][ T5648] ? zone_statistics+0x170/0x170 [ 145.762475][ T5648] ? verify_lock_unused+0x140/0x140 [ 145.767667][ T5648] ? handle_mm_fault+0x11d/0x62b0 [ 145.772687][ T5648] ? __lock_acquire+0x7f70/0x7f70 [ 145.777700][ T5648] ? pte_offset_map_nolock+0x137/0x1e0 [ 145.783155][ T5648] __folio_alloc+0x13/0x30 [ 145.787589][ T5648] vma_alloc_folio+0x48a/0x9a0 [ 145.792358][ T5648] handle_mm_fault+0x2376/0x62b0 [ 145.797383][ T5648] ? handle_mm_fault+0x11d/0x62b0 [ 145.802431][ T5648] ? numa_migrate_prep+0x380/0x380 [ 145.807546][ T5648] ? mtree_range_walk+0x6a0/0x7e0 [ 145.812773][ T5648] ? lock_vma_under_rcu+0x187/0x6f0 [ 145.817967][ T5648] ? __lock_acquire+0x7f70/0x7f70 [ 145.823006][ T5648] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 145.828210][ T5648] ? lock_vma_under_rcu+0x5df/0x6f0 [ 145.833401][ T5648] ? lock_vma_under_rcu+0x187/0x6f0 [ 145.838604][ T5648] ? exc_page_fault+0x10f/0x860 [ 145.843447][ T5648] exc_page_fault+0x455/0x860 [ 145.848121][ T5648] asm_exc_page_fault+0x26/0x30 [ 145.852964][ T5648] RIP: 0033:0x7f794735bc53 [ 145.857373][ T5648] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 145.877066][ T5648] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5647] munmap(0x7f793ef31000, 2097152) = 0 [pid 5647] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 145.883133][ T5648] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 145.891198][ T5648] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 145.899179][ T5648] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 145.907154][ T5648] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 145.915124][ T5648] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 145.923101][ T5648] [pid 5647] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5647] close(3) = 0 [pid 5647] mkdir("./file0", 0777) = 0 [ 145.933093][ T5647] loop0: detected capacity change from 0 to 4096 [ 145.933189][ T5648] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 145.949555][ T5647] __ntfs_error: 145 callbacks suppressed [ 145.949571][ T5647] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 145.966439][ T5647] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5647] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5648] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5648] munmap(0x7f7936b10000, 2097152) = 0 [pid 5648] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5648] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5648] ioctl(3, LOOP_CLR_FD) = 0 [pid 5648] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5648] close(3) = 0 [ 145.980018][ T5647] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 145.996300][ T5647] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 146.006074][ T5647] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 146.014068][ T5647] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [pid 5648] close(5) = 0 [pid 5648] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5646] <... futex resumed>) = 0 [pid 5648] <... futex resumed>) = 1 [ 146.028508][ T5647] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 146.043947][ T5647] ntfs: volume version 12.0. [ 146.051990][ T5647] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 146.062144][ T5647] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [pid 5648] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5647] <... mount resumed>) = 0 [pid 5647] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5647] chdir("./file0") = 0 [pid 5647] ioctl(6, LOOP_CLR_FD) = 0 [pid 5647] close(6) = 0 [pid 5647] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5647] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5646] exit_group(0 [pid 5648] <... futex resumed>) = ? [pid 5646] <... exit_group resumed>) = ? [pid 5647] <... futex resumed>) = ? [pid 5648] +++ exited with 0 +++ [pid 5647] +++ exited with 0 +++ [pid 5646] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5646, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=49 /* 0.49 s */} --- umount2("./202", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./202", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./202/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./202/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./202/binderfs") = 0 umount2("./202/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 [ 146.076303][ T5647] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. umount2("./202/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./202/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./202/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./202/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./202/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./202") = 0 mkdir("./203", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5649 attached , child_tidptr=0x555555f17690) = 5649 [pid 5649] set_robust_list(0x555555f176a0, 24) = 0 [pid 5649] chdir("./203") = 0 [pid 5649] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5649] setpgid(0, 0) = 0 [pid 5649] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5649] write(3, "1000", 4) = 4 [pid 5649] close(3) = 0 [pid 5649] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5649] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5649] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5649] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5649] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5649] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5649] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5649] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5650]}, 88) = 5650 [pid 5649] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5649] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5649] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5650 attached ) = 0 [pid 5649] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5649] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5650] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5649] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5650] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5649] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5650] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5649] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5651 attached [pid 5651] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5651] set_robust_list(0x7f79473309a0, 24 [pid 5649] <... clone3 resumed> => {parent_tid=[5651]}, 88) = 5651 [pid 5651] <... set_robust_list resumed>) = 0 [pid 5651] rt_sigprocmask(SIG_SETMASK, [], [pid 5650] memfd_create("syzkaller", 0 [pid 5649] rt_sigprocmask(SIG_SETMASK, [], [pid 5651] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5649] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5651] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5649] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5651] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5649] <... futex resumed>) = 0 [pid 5649] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5650] <... memfd_create resumed>) = 4 [pid 5650] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5651] <... openat resumed>) = 3 [pid 5650] munmap(0x7f793ef10000, 138412032 [pid 5651] write(3, "85", 2) = 2 [pid 5651] memfd_create("syzkaller", 0) = 5 [pid 5651] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5650] <... munmap resumed>) = 0 [pid 5650] close(4 [pid 5651] <... mmap resumed>) = 0x7f793ef10000 [pid 5650] <... close resumed>) = 0 [pid 5650] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 146.181121][ T5651] FAULT_INJECTION: forcing a failure. [ 146.181121][ T5651] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 146.194497][ T5651] CPU: 0 PID: 5651 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 146.204939][ T5651] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 146.214995][ T5651] Call Trace: [ 146.218273][ T5651] [ 146.221199][ T5651] dump_stack_lvl+0x1e7/0x2d0 [ 146.225887][ T5651] ? nf_tcp_handle_invalid+0x650/0x650 [ 146.231378][ T5651] ? panic+0x770/0x770 [ 146.235531][ T5651] should_fail_ex+0x3aa/0x4e0 [ 146.240753][ T5651] prepare_alloc_pages+0x1d9/0x5b0 [ 146.245869][ T5651] __alloc_pages+0x165/0x670 [ 146.250452][ T5651] ? zone_statistics+0x170/0x170 [ 146.255400][ T5651] ? verify_lock_unused+0x140/0x140 [ 146.260610][ T5651] ? handle_mm_fault+0x11d/0x62b0 [ 146.265633][ T5651] ? __lock_acquire+0x7f70/0x7f70 [ 146.270657][ T5651] ? pte_offset_map_nolock+0x137/0x1e0 [ 146.276117][ T5651] __folio_alloc+0x13/0x30 [ 146.280543][ T5651] vma_alloc_folio+0x48a/0x9a0 [ 146.285321][ T5651] handle_mm_fault+0x2376/0x62b0 [ 146.290269][ T5651] ? handle_mm_fault+0x11d/0x62b0 [ 146.295296][ T5651] ? numa_migrate_prep+0x380/0x380 [ 146.300409][ T5651] ? mtree_range_walk+0x6a0/0x7e0 [ 146.305433][ T5651] ? lock_vma_under_rcu+0x187/0x6f0 [ 146.310626][ T5651] ? __lock_acquire+0x7f70/0x7f70 [ 146.315639][ T5651] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 146.320934][ T5651] ? lock_vma_under_rcu+0x5df/0x6f0 [ 146.326128][ T5651] ? lock_vma_under_rcu+0x187/0x6f0 [ 146.331328][ T5651] ? exc_page_fault+0x10f/0x860 [ 146.336175][ T5651] exc_page_fault+0x455/0x860 [ 146.340940][ T5651] asm_exc_page_fault+0x26/0x30 [ 146.345789][ T5651] RIP: 0033:0x7f794735bd00 [ 146.350202][ T5651] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 146.370078][ T5651] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5650] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5651] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5651] munmap(0x7f793ef10000, 2097152) = 0 [pid 5651] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 146.376237][ T5651] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 146.384322][ T5651] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 146.392325][ T5651] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 146.400496][ T5651] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 146.408492][ T5651] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 146.416484][ T5651] [ 146.419955][ T5651] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5651] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5651] close(5) = 0 [pid 5651] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5651] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 146.456250][ T5651] loop0: detected capacity change from 0 to 4096 [ 146.474025][ T5651] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 146.481215][ T5651] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5651] ioctl(4, LOOP_CLR_FD) = 0 [pid 5651] close(4) = 0 [pid 5651] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5649] <... futex resumed>) = 0 [pid 5651] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5649] exit_group(0 [pid 5651] <... futex resumed>) = ? [pid 5650] <... futex resumed>) = ? [pid 5649] <... exit_group resumed>) = ? [pid 5651] +++ exited with 0 +++ [pid 5650] +++ exited with 0 +++ [pid 5649] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5649, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- umount2("./203", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./203", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./203/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./203/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./203/binderfs") = 0 umount2("\x2e\x2f\x32\x30\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x30\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x30\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x30\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x30\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./203") = 0 mkdir("./204", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5652 attached , child_tidptr=0x555555f17690) = 5652 [pid 5652] set_robust_list(0x555555f176a0, 24) = 0 [pid 5652] chdir("./204") = 0 [pid 5652] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5652] setpgid(0, 0) = 0 [pid 5652] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5652] write(3, "1000", 4) = 4 [pid 5652] close(3) = 0 [pid 5652] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5652] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5652] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5652] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5652] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5652] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5652] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5652] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5653]}, 88) = 5653 [pid 5652] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5652] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5652] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5652] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5652] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5652] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5652] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5654 attached => {parent_tid=[5654]}, 88) = 5654 [pid 5654] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5652] rt_sigprocmask(SIG_SETMASK, [], [pid 5654] set_robust_list(0x7f79473309a0, 24 [pid 5652] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5654] <... set_robust_list resumed>) = 0 [pid 5652] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5654] rt_sigprocmask(SIG_SETMASK, [], [pid 5652] <... futex resumed>) = 0 [pid 5654] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5652] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5654] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR./strace-static-x86_64: Process 5653 attached [pid 5653] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5654] <... openat resumed>) = 3 [pid 5653] <... rseq resumed>) = 0 [pid 5653] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5653] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5654] write(3, "85", 2) = 2 [pid 5654] memfd_create("syzkaller", 0) = 4 [pid 5654] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5653] memfd_create("syzkaller", 0 [pid 5654] <... mmap resumed>) = 0x7f793ef10000 [pid 5653] <... memfd_create resumed>) = 5 [ 146.600331][ T5654] FAULT_INJECTION: forcing a failure. [ 146.600331][ T5654] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 146.613938][ T5654] CPU: 1 PID: 5654 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 146.624366][ T5654] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 146.634552][ T5654] Call Trace: [ 146.637828][ T5654] [ 146.640769][ T5654] dump_stack_lvl+0x1e7/0x2d0 [ 146.645455][ T5654] ? nf_tcp_handle_invalid+0x650/0x650 [ 146.650936][ T5654] ? panic+0x770/0x770 [ 146.655021][ T5654] should_fail_ex+0x3aa/0x4e0 [ 146.659695][ T5654] prepare_alloc_pages+0x1d9/0x5b0 [ 146.664812][ T5654] __alloc_pages+0x165/0x670 [ 146.669411][ T5654] ? zone_statistics+0x170/0x170 [ 146.674344][ T5654] ? verify_lock_unused+0x140/0x140 [ 146.679537][ T5654] ? handle_mm_fault+0x11d/0x62b0 [ 146.684567][ T5654] ? __lock_acquire+0x7f70/0x7f70 [ 146.689598][ T5654] ? pte_offset_map_nolock+0x137/0x1e0 [ 146.695052][ T5654] __folio_alloc+0x13/0x30 [ 146.699460][ T5654] vma_alloc_folio+0x48a/0x9a0 [ 146.704231][ T5654] handle_mm_fault+0x2376/0x62b0 [ 146.709184][ T5654] ? handle_mm_fault+0x11d/0x62b0 [ 146.714214][ T5654] ? numa_migrate_prep+0x380/0x380 [ 146.719345][ T5654] ? mtree_range_walk+0x6a0/0x7e0 [ 146.724388][ T5654] ? lock_vma_under_rcu+0x187/0x6f0 [ 146.729666][ T5654] ? __lock_acquire+0x7f70/0x7f70 [ 146.734685][ T5654] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 146.739898][ T5654] ? lock_vma_under_rcu+0x5df/0x6f0 [ 146.745090][ T5654] ? lock_vma_under_rcu+0x187/0x6f0 [ 146.750294][ T5654] ? exc_page_fault+0x10f/0x860 [ 146.755234][ T5654] exc_page_fault+0x455/0x860 [ 146.760273][ T5654] asm_exc_page_fault+0x26/0x30 [ 146.765176][ T5654] RIP: 0033:0x7f794735bc53 [ 146.769607][ T5654] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 146.789244][ T5654] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5653] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5654] munmap(0x7f793ef10000, 138412032) = 0 [pid 5654] close(4) = 0 [pid 5654] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5652] <... futex resumed>) = 0 [pid 5654] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 146.795332][ T5654] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 146.803305][ T5654] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 146.811283][ T5654] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 146.819256][ T5654] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 146.827401][ T5654] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 146.835383][ T5654] [pid 5653] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5653] munmap(0x7f7936b10000, 2097152) = 0 [pid 5653] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5653] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5653] close(5) = 0 [pid 5653] mkdir("./file0", 0777) = 0 [pid 5653] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5653] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5653] chdir("./file0") = 0 [pid 5653] ioctl(4, LOOP_CLR_FD) = 0 [pid 5653] close(4) = 0 [pid 5653] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5653] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5652] exit_group(0 [pid 5654] <... futex resumed>) = ? [pid 5653] <... futex resumed>) = ? [pid 5652] <... exit_group resumed>) = ? [pid 5654] +++ exited with 0 +++ [pid 5653] +++ exited with 0 +++ [pid 5652] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5652, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./204", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./204", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./204/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./204/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./204/binderfs") = 0 umount2("./204/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./204/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./204/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./204/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./204/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./204/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./204") = 0 mkdir("./205", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [ 146.886911][ T5653] loop0: detected capacity change from 0 to 4096 [ 146.899304][ T5653] ntfs: volume version 12.0. close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5655 ./strace-static-x86_64: Process 5655 attached [pid 5655] set_robust_list(0x555555f176a0, 24) = 0 [pid 5655] chdir("./205") = 0 [pid 5655] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5655] setpgid(0, 0) = 0 [pid 5655] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5655] write(3, "1000", 4) = 4 [pid 5655] close(3) = 0 [pid 5655] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5655] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5655] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5655] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5655] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5655] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5655] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5655] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5656]}, 88) = 5656 [pid 5655] rt_sigprocmask(SIG_SETMASK, [], ./strace-static-x86_64: Process 5656 attached NULL, 8) = 0 [pid 5656] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5655] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5656] <... rseq resumed>) = 0 [pid 5655] <... futex resumed>) = 0 [pid 5655] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5656] set_robust_list(0x7f79473519a0, 24 [pid 5655] <... futex resumed>) = 0 [pid 5656] <... set_robust_list resumed>) = 0 [pid 5655] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5656] rt_sigprocmask(SIG_SETMASK, [], [pid 5655] <... mmap resumed>) = 0x7f7947310000 [pid 5656] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5655] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5655] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5655] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5657]}, 88) = 5657 [pid 5655] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5655] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5657 attached [pid 5656] memfd_create("syzkaller", 0 [pid 5655] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5657] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5657] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5656] <... memfd_create resumed>) = 3 [pid 5657] rt_sigprocmask(SIG_SETMASK, [], [pid 5656] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5657] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5657] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5656] <... mmap resumed>) = 0x7f793ef10000 [pid 5656] munmap(0x7f793ef10000, 138412032) = 0 [pid 5657] <... openat resumed>) = 4 [pid 5656] close(3 [pid 5657] write(4, "85", 2 [pid 5656] <... close resumed>) = 0 [pid 5657] <... write resumed>) = 2 [pid 5656] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5657] memfd_create("syzkaller", 0 [pid 5656] <... futex resumed>) = 0 [pid 5657] <... memfd_create resumed>) = 3 [pid 5656] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5657] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 147.000532][ T5657] FAULT_INJECTION: forcing a failure. [ 147.000532][ T5657] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 147.013861][ T5657] CPU: 1 PID: 5657 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 147.024292][ T5657] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 147.034343][ T5657] Call Trace: [ 147.037617][ T5657] [ 147.040545][ T5657] dump_stack_lvl+0x1e7/0x2d0 [ 147.045237][ T5657] ? nf_tcp_handle_invalid+0x650/0x650 [ 147.050686][ T5657] ? panic+0x770/0x770 [ 147.054767][ T5657] should_fail_ex+0x3aa/0x4e0 [ 147.059552][ T5657] prepare_alloc_pages+0x1d9/0x5b0 [ 147.064662][ T5657] __alloc_pages+0x165/0x670 [ 147.069274][ T5657] ? zone_statistics+0x170/0x170 [ 147.074226][ T5657] ? verify_lock_unused+0x140/0x140 [ 147.079429][ T5657] ? handle_mm_fault+0x11d/0x62b0 [ 147.084465][ T5657] ? __lock_acquire+0x7f70/0x7f70 [ 147.089494][ T5657] ? pte_offset_map_nolock+0x137/0x1e0 [ 147.094984][ T5657] __folio_alloc+0x13/0x30 [ 147.099436][ T5657] vma_alloc_folio+0x48a/0x9a0 [ 147.105105][ T5657] handle_mm_fault+0x2376/0x62b0 [ 147.110147][ T5657] ? handle_mm_fault+0x11d/0x62b0 [ 147.115182][ T5657] ? numa_migrate_prep+0x380/0x380 [ 147.120311][ T5657] ? mtree_range_walk+0x6a0/0x7e0 [ 147.125337][ T5657] ? lock_vma_under_rcu+0x187/0x6f0 [ 147.130535][ T5657] ? __lock_acquire+0x7f70/0x7f70 [ 147.135559][ T5657] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 147.140768][ T5657] ? lock_vma_under_rcu+0x5df/0x6f0 [ 147.145963][ T5657] ? lock_vma_under_rcu+0x187/0x6f0 [ 147.151173][ T5657] ? exc_page_fault+0x10f/0x860 [ 147.156017][ T5657] exc_page_fault+0x455/0x860 [ 147.160786][ T5657] asm_exc_page_fault+0x26/0x30 [ 147.165630][ T5657] RIP: 0033:0x7f794735bd00 [ 147.170058][ T5657] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 147.189672][ T5657] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5657] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5657] munmap(0x7f793ef10000, 2097152) = 0 [pid 5657] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 147.195742][ T5657] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 147.203708][ T5657] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 147.211676][ T5657] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 147.219642][ T5657] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 147.227608][ T5657] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 147.235763][ T5657] [pid 5657] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5657] close(3) = 0 [pid 5657] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5657] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 147.276035][ T5657] loop0: detected capacity change from 0 to 4096 [ 147.294819][ T5657] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 147.302131][ T5657] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5657] ioctl(5, LOOP_CLR_FD) = 0 [pid 5657] close(5) = 0 [pid 5657] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5655] <... futex resumed>) = 0 [pid 5657] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5655] exit_group(0 [pid 5657] <... futex resumed>) = ? [pid 5656] <... futex resumed>) = ? [pid 5655] <... exit_group resumed>) = ? [pid 5657] +++ exited with 0 +++ [pid 5656] +++ exited with 0 +++ [pid 5655] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5655, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=6 /* 0.06 s */} --- umount2("./205", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./205", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./205/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./205/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./205/binderfs") = 0 umount2("\x2e\x2f\x32\x30\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x30\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x30\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x30\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x30\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./205") = 0 mkdir("./206", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5658 attached , child_tidptr=0x555555f17690) = 5658 [pid 5658] set_robust_list(0x555555f176a0, 24) = 0 [pid 5658] chdir("./206") = 0 [pid 5658] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5658] setpgid(0, 0) = 0 [pid 5658] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5658] write(3, "1000", 4) = 4 [pid 5658] close(3) = 0 [pid 5658] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5658] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5658] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5658] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5658] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5658] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5658] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5658] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5659 attached => {parent_tid=[5659]}, 88) = 5659 [pid 5658] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5658] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5658] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5658] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5658] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5659] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5659] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5658] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5659] rt_sigprocmask(SIG_SETMASK, [], [pid 5658] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5659] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5660 attached [pid 5658] <... clone3 resumed> => {parent_tid=[5660]}, 88) = 5660 [pid 5660] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5658] rt_sigprocmask(SIG_SETMASK, [], [pid 5660] set_robust_list(0x7f79473309a0, 24 [pid 5658] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5660] <... set_robust_list resumed>) = 0 [pid 5660] rt_sigprocmask(SIG_SETMASK, [], [pid 5658] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5660] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5658] <... futex resumed>) = 0 [pid 5660] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5659] memfd_create("syzkaller", 0 [pid 5658] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5660] <... openat resumed>) = 3 [pid 5660] write(3, "85", 2) = 2 [pid 5660] memfd_create("syzkaller", 0) = 4 [pid 5660] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5659] <... memfd_create resumed>) = 5 [pid 5659] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 147.416861][ T5660] FAULT_INJECTION: forcing a failure. [ 147.416861][ T5660] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 147.430183][ T5660] CPU: 1 PID: 5660 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 147.440606][ T5660] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 147.450682][ T5660] Call Trace: [ 147.453963][ T5660] [ 147.456886][ T5660] dump_stack_lvl+0x1e7/0x2d0 [ 147.461567][ T5660] ? nf_tcp_handle_invalid+0x650/0x650 [ 147.467024][ T5660] ? panic+0x770/0x770 [ 147.471110][ T5660] should_fail_ex+0x3aa/0x4e0 [ 147.475805][ T5660] prepare_alloc_pages+0x1d9/0x5b0 [ 147.480932][ T5660] __alloc_pages+0x165/0x670 [ 147.485561][ T5660] ? zone_statistics+0x170/0x170 [ 147.490523][ T5660] ? verify_lock_unused+0x140/0x140 [ 147.495919][ T5660] ? handle_mm_fault+0x11d/0x62b0 [ 147.500965][ T5660] ? __lock_acquire+0x7f70/0x7f70 [ 147.505998][ T5660] ? pte_offset_map_nolock+0x137/0x1e0 [ 147.511497][ T5660] __folio_alloc+0x13/0x30 [ 147.515917][ T5660] vma_alloc_folio+0x48a/0x9a0 [ 147.520691][ T5660] handle_mm_fault+0x2376/0x62b0 [ 147.525647][ T5660] ? handle_mm_fault+0x11d/0x62b0 [ 147.530679][ T5660] ? numa_migrate_prep+0x380/0x380 [ 147.535819][ T5660] ? mtree_range_walk+0x6a0/0x7e0 [ 147.540862][ T5660] ? lock_vma_under_rcu+0x187/0x6f0 [ 147.546056][ T5660] ? __lock_acquire+0x7f70/0x7f70 [ 147.551083][ T5660] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 147.556311][ T5660] ? lock_vma_under_rcu+0x5df/0x6f0 [ 147.561525][ T5660] ? lock_vma_under_rcu+0x187/0x6f0 [ 147.566728][ T5660] ? exc_page_fault+0x10f/0x860 [ 147.571599][ T5660] exc_page_fault+0x455/0x860 [ 147.576304][ T5660] asm_exc_page_fault+0x26/0x30 [ 147.581163][ T5660] RIP: 0033:0x7f794735bc53 [ 147.585674][ T5660] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 147.605312][ T5660] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5659] munmap(0x7f7936b10000, 138412032) = 0 [pid 5659] close(5) = 0 [pid 5659] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 147.611401][ T5660] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 147.619378][ T5660] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 147.627365][ T5660] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 147.635348][ T5660] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 147.643314][ T5660] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 147.651317][ T5660] [ 147.655297][ T5660] pagefault_out_of_memory: 2 callbacks suppressed [pid 5659] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5660] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5660] munmap(0x7f793ef10000, 2097152) = 0 [pid 5660] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 147.655310][ T5660] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5660] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5660] close(4) = 0 [pid 5660] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5660] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 147.700103][ T5660] loop0: detected capacity change from 0 to 4096 [ 147.715870][ T5660] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 147.722933][ T5660] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5660] ioctl(5, LOOP_CLR_FD) = 0 [pid 5660] close(5) = 0 [pid 5660] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5658] <... futex resumed>) = 0 [pid 5658] exit_group(0) = ? [pid 5659] <... futex resumed>) = ? [pid 5660] <... futex resumed>) = ? [pid 5660] +++ exited with 0 +++ [pid 5659] +++ exited with 0 +++ [pid 5658] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5658, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=7 /* 0.07 s */} --- umount2("./206", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./206", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./206/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./206/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./206/binderfs") = 0 umount2("\x2e\x2f\x32\x30\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x30\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x30\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x30\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x30\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./206") = 0 mkdir("./207", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5661 attached , child_tidptr=0x555555f17690) = 5661 [pid 5661] set_robust_list(0x555555f176a0, 24) = 0 [pid 5661] chdir("./207") = 0 [pid 5661] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5661] setpgid(0, 0) = 0 [pid 5661] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5661] write(3, "1000", 4) = 4 [pid 5661] close(3) = 0 [pid 5661] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5661] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5661] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5661] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5661] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5661] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5661] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5661] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5662]}, 88) = 5662 [pid 5661] rt_sigprocmask(SIG_SETMASK, [], ./strace-static-x86_64: Process 5662 attached [pid 5662] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5662] set_robust_list(0x7f79473519a0, 24 [pid 5661] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5662] <... set_robust_list resumed>) = 0 [pid 5661] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5662] rt_sigprocmask(SIG_SETMASK, [], [pid 5661] <... futex resumed>) = 0 [pid 5662] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5661] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5661] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5661] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5661] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5661] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5663]}, 88) = 5663 [pid 5661] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5661] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5661] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5663 attached [pid 5662] memfd_create("syzkaller", 0 [pid 5663] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5662] <... memfd_create resumed>) = 3 [pid 5663] <... rseq resumed>) = 0 [pid 5663] set_robust_list(0x7f79473309a0, 24 [pid 5662] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5663] <... set_robust_list resumed>) = 0 [pid 5662] <... mmap resumed>) = 0x7f793ef10000 [pid 5663] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5663] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5663] write(4, "85", 2) = 2 [pid 5663] memfd_create("syzkaller", 0) = 5 [pid 5663] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5662] munmap(0x7f793ef10000, 138412032) = 0 [pid 5662] close(3) = 0 [pid 5662] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 147.861612][ T5663] FAULT_INJECTION: forcing a failure. [ 147.861612][ T5663] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 147.875476][ T5663] CPU: 0 PID: 5663 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 147.885913][ T5663] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 147.895988][ T5663] Call Trace: [ 147.899310][ T5663] [ 147.902264][ T5663] dump_stack_lvl+0x1e7/0x2d0 [ 147.907037][ T5663] ? nf_tcp_handle_invalid+0x650/0x650 [ 147.912510][ T5663] ? panic+0x770/0x770 [ 147.916601][ T5663] should_fail_ex+0x3aa/0x4e0 [ 147.921297][ T5663] prepare_alloc_pages+0x1d9/0x5b0 [ 147.926417][ T5663] __alloc_pages+0x165/0x670 [ 147.931099][ T5663] ? zone_statistics+0x170/0x170 [ 147.936039][ T5663] ? verify_lock_unused+0x140/0x140 [ 147.941236][ T5663] ? handle_mm_fault+0x11d/0x62b0 [ 147.946263][ T5663] ? __lock_acquire+0x7f70/0x7f70 [ 147.952408][ T5663] ? pte_offset_map_nolock+0x137/0x1e0 [ 147.957869][ T5663] __folio_alloc+0x13/0x30 [ 147.962284][ T5663] vma_alloc_folio+0x48a/0x9a0 [ 147.967058][ T5663] handle_mm_fault+0x2376/0x62b0 [ 147.972006][ T5663] ? handle_mm_fault+0x11d/0x62b0 [ 147.977036][ T5663] ? numa_migrate_prep+0x380/0x380 [ 147.982153][ T5663] ? mtree_range_walk+0x6a0/0x7e0 [ 147.987191][ T5663] ? lock_vma_under_rcu+0x187/0x6f0 [ 147.992821][ T5663] ? __lock_acquire+0x7f70/0x7f70 [ 147.997839][ T5663] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 148.003048][ T5663] ? lock_vma_under_rcu+0x5df/0x6f0 [ 148.008333][ T5663] ? lock_vma_under_rcu+0x187/0x6f0 [ 148.013629][ T5663] ? exc_page_fault+0x10f/0x860 [ 148.018480][ T5663] exc_page_fault+0x455/0x860 [ 148.023179][ T5663] asm_exc_page_fault+0x26/0x30 [ 148.028025][ T5663] RIP: 0033:0x7f794735bc53 [ 148.032546][ T5663] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 148.052147][ T5663] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5662] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5663] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5663] munmap(0x7f7936b10000, 2097152) = 0 [pid 5663] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 148.058221][ T5663] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 148.066379][ T5663] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 148.074358][ T5663] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 148.082428][ T5663] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 148.090414][ T5663] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 148.098401][ T5663] [ 148.102423][ T5663] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5663] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5663] close(5) = 0 [pid 5663] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5663] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 148.140020][ T5663] loop0: detected capacity change from 0 to 4096 [ 148.157989][ T5663] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 148.165070][ T5663] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5663] ioctl(3, LOOP_CLR_FD) = 0 [pid 5663] close(3) = 0 [pid 5663] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5661] <... futex resumed>) = 0 [pid 5663] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5661] exit_group(0 [pid 5663] <... futex resumed>) = ? [pid 5661] <... exit_group resumed>) = ? [pid 5663] +++ exited with 0 +++ [pid 5662] <... futex resumed>) = ? [pid 5662] +++ exited with 0 +++ [pid 5661] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5661, si_uid=0, si_status=0, si_utime=0, si_stime=13 /* 0.13 s */} --- umount2("./207", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./207", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./207/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./207/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./207/binderfs") = 0 umount2("\x2e\x2f\x32\x30\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x30\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x30\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x30\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x30\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./207") = 0 mkdir("./208", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5664 attached , child_tidptr=0x555555f17690) = 5664 [pid 5664] set_robust_list(0x555555f176a0, 24) = 0 [pid 5664] chdir("./208") = 0 [pid 5664] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5664] setpgid(0, 0) = 0 [pid 5664] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5664] write(3, "1000", 4) = 4 [pid 5664] close(3) = 0 [pid 5664] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5664] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5664] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5664] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5664] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5664] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5664] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5664] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5665]}, 88) = 5665 [pid 5664] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5664] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5664] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5664] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5664] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5664] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5664] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5665 attached ./strace-static-x86_64: Process 5666 attached [pid 5665] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5666] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5665] <... rseq resumed>) = 0 [pid 5664] <... clone3 resumed> => {parent_tid=[5666]}, 88) = 5666 [pid 5666] set_robust_list(0x7f79473309a0, 24 [pid 5665] set_robust_list(0x7f79473519a0, 24 [pid 5664] rt_sigprocmask(SIG_SETMASK, [], [pid 5666] <... set_robust_list resumed>) = 0 [pid 5665] <... set_robust_list resumed>) = 0 [pid 5664] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5666] rt_sigprocmask(SIG_SETMASK, [], [pid 5665] rt_sigprocmask(SIG_SETMASK, [], [pid 5664] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5666] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5665] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5664] <... futex resumed>) = 0 [pid 5664] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5665] memfd_create("syzkaller", 0) = 3 [pid 5665] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5666] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5665] <... mmap resumed>) = 0x7f793ef10000 [pid 5665] munmap(0x7f793ef10000, 138412032 [pid 5666] <... openat resumed>) = 4 [pid 5665] <... munmap resumed>) = 0 [pid 5665] close(3) = 0 [pid 5665] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5666] write(4, "85", 2) = 2 [pid 5665] <... futex resumed>) = 0 [pid 5665] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5666] memfd_create("syzkaller", 0) = 3 [pid 5666] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 148.304486][ T5666] FAULT_INJECTION: forcing a failure. [ 148.304486][ T5666] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 148.318823][ T5666] CPU: 1 PID: 5666 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 148.329244][ T5666] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 148.339311][ T5666] Call Trace: [ 148.342591][ T5666] [ 148.345514][ T5666] dump_stack_lvl+0x1e7/0x2d0 [ 148.350204][ T5666] ? nf_tcp_handle_invalid+0x650/0x650 [ 148.355687][ T5666] ? panic+0x770/0x770 [ 148.359787][ T5666] should_fail_ex+0x3aa/0x4e0 [ 148.364491][ T5666] prepare_alloc_pages+0x1d9/0x5b0 [ 148.369702][ T5666] __alloc_pages+0x165/0x670 [ 148.374299][ T5666] ? zone_statistics+0x170/0x170 [ 148.379253][ T5666] ? verify_lock_unused+0x140/0x140 [ 148.384597][ T5666] ? handle_mm_fault+0x11d/0x62b0 [ 148.389717][ T5666] ? __lock_acquire+0x7f70/0x7f70 [ 148.394752][ T5666] ? pte_offset_map_nolock+0x137/0x1e0 [ 148.400277][ T5666] __folio_alloc+0x13/0x30 [ 148.404890][ T5666] vma_alloc_folio+0x48a/0x9a0 [ 148.409687][ T5666] handle_mm_fault+0x2376/0x62b0 [ 148.414647][ T5666] ? handle_mm_fault+0x11d/0x62b0 [ 148.419680][ T5666] ? numa_migrate_prep+0x380/0x380 [ 148.424796][ T5666] ? mtree_range_walk+0x6a0/0x7e0 [ 148.429906][ T5666] ? lock_vma_under_rcu+0x187/0x6f0 [ 148.435138][ T5666] ? __lock_acquire+0x7f70/0x7f70 [ 148.440260][ T5666] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 148.445492][ T5666] ? lock_vma_under_rcu+0x5df/0x6f0 [ 148.450702][ T5666] ? lock_vma_under_rcu+0x187/0x6f0 [ 148.455930][ T5666] ? exc_page_fault+0x10f/0x860 [ 148.460784][ T5666] exc_page_fault+0x455/0x860 [ 148.465462][ T5666] asm_exc_page_fault+0x26/0x30 [ 148.470326][ T5666] RIP: 0033:0x7f794735bd00 [ 148.474770][ T5666] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 148.494479][ T5666] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5666] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5666] munmap(0x7f793ef10000, 2097152) = 0 [pid 5666] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 148.500552][ T5666] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 148.508524][ T5666] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 148.516635][ T5666] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 148.524622][ T5666] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 148.532611][ T5666] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 148.540639][ T5666] [ 148.544029][ T5666] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5666] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5666] close(3) = 0 [pid 5666] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5666] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 148.583629][ T5666] loop0: detected capacity change from 0 to 4096 [ 148.602264][ T5666] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 148.609514][ T5666] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5666] ioctl(5, LOOP_CLR_FD) = 0 [pid 5666] close(5) = 0 [pid 5666] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5666] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5664] <... futex resumed>) = 0 [pid 5664] exit_group(0) = ? [pid 5665] <... futex resumed>) = ? [pid 5666] <... futex resumed>) = ? [pid 5665] +++ exited with 0 +++ [pid 5666] +++ exited with 0 +++ [pid 5664] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5664, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./208", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./208", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./208/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./208/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./208/binderfs") = 0 umount2("\x2e\x2f\x32\x30\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x30\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x30\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x30\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x30\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./208") = 0 mkdir("./209", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5667 ./strace-static-x86_64: Process 5667 attached [pid 5667] set_robust_list(0x555555f176a0, 24) = 0 [pid 5667] chdir("./209") = 0 [pid 5667] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5667] setpgid(0, 0) = 0 [pid 5667] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5667] write(3, "1000", 4) = 4 [pid 5667] close(3) = 0 [pid 5667] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5667] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5667] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5667] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5667] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5667] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5667] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5667] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5668 attached [pid 5668] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5667] <... clone3 resumed> => {parent_tid=[5668]}, 88) = 5668 [pid 5668] set_robust_list(0x7f79473519a0, 24 [pid 5667] rt_sigprocmask(SIG_SETMASK, [], [pid 5668] <... set_robust_list resumed>) = 0 [pid 5667] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5668] rt_sigprocmask(SIG_SETMASK, [], [pid 5667] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5668] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5667] <... futex resumed>) = 0 [pid 5667] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5667] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5668] memfd_create("syzkaller", 0) = 3 [pid 5667] <... mmap resumed>) = 0x7f7947310000 [pid 5668] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5667] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5668] <... mmap resumed>) = 0x7f793ef10000 [pid 5667] <... mprotect resumed>) = 0 [pid 5667] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5667] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5669 attached => {parent_tid=[5669]}, 88) = 5669 [pid 5667] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5667] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5667] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5669] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5669] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5669] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5669] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5669] write(4, "85", 2) = 2 [pid 5669] memfd_create("syzkaller", 0) = 5 [pid 5669] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 148.753080][ T5669] FAULT_INJECTION: forcing a failure. [ 148.753080][ T5669] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 148.767126][ T5669] CPU: 0 PID: 5669 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 148.777582][ T5669] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 148.787653][ T5669] Call Trace: [ 148.790933][ T5669] [ 148.793860][ T5669] dump_stack_lvl+0x1e7/0x2d0 [ 148.798541][ T5669] ? nf_tcp_handle_invalid+0x650/0x650 [ 148.804016][ T5669] ? panic+0x770/0x770 [ 148.808214][ T5669] should_fail_ex+0x3aa/0x4e0 [ 148.812906][ T5669] prepare_alloc_pages+0x1d9/0x5b0 [ 148.818118][ T5669] __alloc_pages+0x165/0x670 [ 148.822734][ T5669] ? zone_statistics+0x170/0x170 [ 148.827687][ T5669] ? verify_lock_unused+0x140/0x140 [ 148.832887][ T5669] ? handle_mm_fault+0x11d/0x62b0 [ 148.837933][ T5669] ? __lock_acquire+0x7f70/0x7f70 [ 148.842951][ T5669] ? pte_offset_map_nolock+0x137/0x1e0 [ 148.848427][ T5669] __folio_alloc+0x13/0x30 [ 148.853104][ T5669] vma_alloc_folio+0x48a/0x9a0 [ 148.857964][ T5669] handle_mm_fault+0x2376/0x62b0 [ 148.863005][ T5669] ? handle_mm_fault+0x11d/0x62b0 [ 148.868039][ T5669] ? numa_migrate_prep+0x380/0x380 [ 148.873151][ T5669] ? mtree_range_walk+0x6a0/0x7e0 [ 148.878173][ T5669] ? lock_vma_under_rcu+0x187/0x6f0 [ 148.883364][ T5669] ? __lock_acquire+0x7f70/0x7f70 [ 148.888380][ T5669] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 148.893584][ T5669] ? lock_vma_under_rcu+0x5df/0x6f0 [ 148.898777][ T5669] ? lock_vma_under_rcu+0x187/0x6f0 [ 148.903981][ T5669] ? exc_page_fault+0x10f/0x860 [ 148.908835][ T5669] exc_page_fault+0x455/0x860 [ 148.913510][ T5669] asm_exc_page_fault+0x26/0x30 [ 148.918364][ T5669] RIP: 0033:0x7f794735bc53 [ 148.922771][ T5669] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 148.942395][ T5669] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5668] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5668] munmap(0x7f793ef10000, 2097152) = 0 [pid 5668] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 148.948457][ T5669] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 148.956432][ T5669] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 148.964396][ T5669] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 148.972410][ T5669] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 148.980374][ T5669] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 148.988346][ T5669] [ 148.996509][ T5668] loop0: detected capacity change from 0 to 4096 [pid 5668] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5668] close(3) = 0 [pid 5668] mkdir("./file0", 0777) = 0 [pid 5668] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5668] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5668] chdir("./file0") = 0 [pid 5668] ioctl(6, LOOP_CLR_FD) = 0 [pid 5668] close(6) = 0 [pid 5668] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5668] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5669] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5669] munmap(0x7f7936b10000, 2097152) = 0 [pid 5669] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 149.000357][ T5669] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 149.014907][ T5668] ntfs: volume version 12.0. [pid 5669] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5669] ioctl(6, LOOP_CLR_FD) = 0 [pid 5669] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5669] close(6) = 0 [pid 5669] close(5) = 0 [pid 5669] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5669] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5667] <... futex resumed>) = 0 [pid 5667] exit_group(0) = ? [pid 5668] <... futex resumed>) = ? [pid 5669] <... futex resumed>) = ? [pid 5668] +++ exited with 0 +++ [pid 5669] +++ exited with 0 +++ [pid 5667] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5667, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./209", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./209", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./209/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./209/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./209/binderfs") = 0 umount2("./209/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./209/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./209/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./209/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./209/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./209/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./209") = 0 mkdir("./210", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5670 attached , child_tidptr=0x555555f17690) = 5670 [pid 5670] set_robust_list(0x555555f176a0, 24) = 0 [pid 5670] chdir("./210") = 0 [pid 5670] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5670] setpgid(0, 0) = 0 [pid 5670] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5670] write(3, "1000", 4) = 4 [pid 5670] close(3) = 0 [pid 5670] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5670] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5670] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5670] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5670] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5670] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5670] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5670] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5671 attached => {parent_tid=[5671]}, 88) = 5671 [pid 5670] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5670] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5671] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5670] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5671] <... rseq resumed>) = 0 [pid 5670] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5671] set_robust_list(0x7f79473519a0, 24 [pid 5670] <... mmap resumed>) = 0x7f7947310000 [pid 5671] <... set_robust_list resumed>) = 0 [pid 5670] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5671] rt_sigprocmask(SIG_SETMASK, [], [pid 5670] <... mprotect resumed>) = 0 [pid 5670] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5670] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5671] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5672 attached [pid 5670] <... clone3 resumed> => {parent_tid=[5672]}, 88) = 5672 [pid 5672] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5670] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5670] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5672] <... rseq resumed>) = 0 [pid 5670] <... futex resumed>) = 0 [pid 5672] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5670] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5672] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5672] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 3 [pid 5672] write(3, "85", 2) = 2 [pid 5672] memfd_create("syzkaller", 0) = 4 [pid 5672] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5671] memfd_create("syzkaller", 0) = 5 [pid 5671] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5671] munmap(0x7f7936b10000, 138412032) = 0 [pid 5671] close(5) = 0 [pid 5671] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 149.143580][ T5672] FAULT_INJECTION: forcing a failure. [ 149.143580][ T5672] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 149.157279][ T5672] CPU: 0 PID: 5672 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 149.167712][ T5672] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 149.177780][ T5672] Call Trace: [ 149.181084][ T5672] [ 149.184006][ T5672] dump_stack_lvl+0x1e7/0x2d0 [ 149.188678][ T5672] ? nf_tcp_handle_invalid+0x650/0x650 [ 149.194143][ T5672] ? panic+0x770/0x770 [ 149.198227][ T5672] should_fail_ex+0x3aa/0x4e0 [ 149.202916][ T5672] prepare_alloc_pages+0x1d9/0x5b0 [ 149.208055][ T5672] __alloc_pages+0x165/0x670 [ 149.212646][ T5672] ? zone_statistics+0x170/0x170 [ 149.217675][ T5672] ? verify_lock_unused+0x140/0x140 [ 149.222869][ T5672] ? handle_mm_fault+0x11d/0x62b0 [ 149.227891][ T5672] ? __lock_acquire+0x7f70/0x7f70 [ 149.232906][ T5672] ? pte_offset_map_nolock+0x137/0x1e0 [ 149.238360][ T5672] __folio_alloc+0x13/0x30 [ 149.242771][ T5672] vma_alloc_folio+0x48a/0x9a0 [ 149.247622][ T5672] handle_mm_fault+0x2376/0x62b0 [ 149.252563][ T5672] ? handle_mm_fault+0x11d/0x62b0 [ 149.257591][ T5672] ? numa_migrate_prep+0x380/0x380 [ 149.262705][ T5672] ? mtree_range_walk+0x6a0/0x7e0 [ 149.267747][ T5672] ? lock_vma_under_rcu+0x187/0x6f0 [ 149.272939][ T5672] ? __lock_acquire+0x7f70/0x7f70 [ 149.277956][ T5672] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 149.283178][ T5672] ? lock_vma_under_rcu+0x5df/0x6f0 [ 149.288377][ T5672] ? lock_vma_under_rcu+0x187/0x6f0 [ 149.293581][ T5672] ? exc_page_fault+0x10f/0x860 [ 149.298426][ T5672] exc_page_fault+0x455/0x860 [ 149.303102][ T5672] asm_exc_page_fault+0x26/0x30 [ 149.307948][ T5672] RIP: 0033:0x7f794735bc53 [ 149.312363][ T5672] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 149.332047][ T5672] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5671] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5672] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2106600) = 2106600 [pid 5672] munmap(0x7f793ef10000, 2106600) = 0 [pid 5672] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 149.338541][ T5672] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 149.346515][ T5672] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 149.354483][ T5672] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 149.362445][ T5672] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 149.370498][ T5672] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 149.378485][ T5672] [ 149.381942][ T5672] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5672] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5672] close(4) = 0 [pid 5672] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5672] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 149.417835][ T5672] loop0: detected capacity change from 0 to 4114 [ 149.434434][ T5672] ntfs3: loop0: failed to replay log file. Can't mount rw! [pid 5672] ioctl(5, LOOP_CLR_FD) = 0 [pid 5672] close(5) = 0 [pid 5672] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5670] <... futex resumed>) = 0 [pid 5670] exit_group(0 [pid 5672] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5671] <... futex resumed>) = ? [pid 5670] <... exit_group resumed>) = ? [pid 5671] +++ exited with 0 +++ [pid 5672] <... futex resumed>) = ? [pid 5672] +++ exited with 0 +++ [pid 5670] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5670, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- umount2("./210", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./210", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./210/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./210/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./210/binderfs") = 0 umount2("\x2e\x2f\x32\x31\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x31\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x31\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x31\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x31\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./210") = 0 mkdir("./211", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5673 attached , child_tidptr=0x555555f17690) = 5673 [pid 5673] set_robust_list(0x555555f176a0, 24) = 0 [pid 5673] chdir("./211") = 0 [pid 5673] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5673] setpgid(0, 0) = 0 [pid 5673] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5673] write(3, "1000", 4) = 4 [pid 5673] close(3) = 0 [pid 5673] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5673] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5673] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5673] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5673] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5673] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5673] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5673] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5674]}, 88) = 5674 ./strace-static-x86_64: Process 5674 attached [pid 5674] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5673] rt_sigprocmask(SIG_SETMASK, [], [pid 5674] <... rseq resumed>) = 0 [pid 5673] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5673] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5673] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5673] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5673] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5674] set_robust_list(0x7f79473519a0, 24 [pid 5673] <... mprotect resumed>) = 0 [pid 5673] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5673] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5675 attached [pid 5675] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5673] <... clone3 resumed> => {parent_tid=[5675]}, 88) = 5675 [pid 5675] <... rseq resumed>) = 0 [pid 5673] rt_sigprocmask(SIG_SETMASK, [], [pid 5675] set_robust_list(0x7f79473309a0, 24 [pid 5673] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5675] <... set_robust_list resumed>) = 0 [pid 5673] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5675] rt_sigprocmask(SIG_SETMASK, [], [pid 5673] <... futex resumed>) = 0 [pid 5675] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5673] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5675] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 3 [pid 5675] write(3, "85", 2 [pid 5674] <... set_robust_list resumed>) = 0 [pid 5675] <... write resumed>) = 2 [pid 5675] memfd_create("syzkaller", 0 [pid 5674] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5675] <... memfd_create resumed>) = 4 [pid 5675] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5674] memfd_create("syzkaller", 0) = 5 [pid 5674] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 149.541018][ T5675] FAULT_INJECTION: forcing a failure. [ 149.541018][ T5675] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 149.554893][ T5675] CPU: 0 PID: 5675 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 149.566634][ T5675] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 149.576695][ T5675] Call Trace: [ 149.579963][ T5675] [ 149.582886][ T5675] dump_stack_lvl+0x1e7/0x2d0 [ 149.587559][ T5675] ? nf_tcp_handle_invalid+0x650/0x650 [ 149.593031][ T5675] ? panic+0x770/0x770 [ 149.597117][ T5675] should_fail_ex+0x3aa/0x4e0 [ 149.601803][ T5675] prepare_alloc_pages+0x1d9/0x5b0 [ 149.606934][ T5675] __alloc_pages+0x165/0x670 [ 149.611527][ T5675] ? zone_statistics+0x170/0x170 [ 149.616464][ T5675] ? do_wp_page+0x96b/0x4190 [ 149.621074][ T5675] ? do_wp_page+0x115c/0x4190 [ 149.625748][ T5675] ? __lock_acquire+0x7f70/0x7f70 [ 149.630771][ T5675] __folio_alloc+0x13/0x30 [ 149.635182][ T5675] vma_alloc_folio+0x48a/0x9a0 [ 149.639979][ T5675] do_wp_page+0x1424/0x4190 [ 149.644503][ T5675] ? folio_put+0xc0/0xc0 [ 149.648748][ T5675] ? read_lock_is_recursive+0x20/0x20 [ 149.654127][ T5675] ? do_raw_spin_lock+0x14d/0x3a0 [ 149.659172][ T5675] handle_mm_fault+0x1b45/0x62b0 [ 149.664120][ T5675] ? handle_mm_fault+0x11d/0x62b0 [ 149.669164][ T5675] ? numa_migrate_prep+0x380/0x380 [ 149.674315][ T5675] ? mtree_range_walk+0x6a0/0x7e0 [ 149.679337][ T5675] ? lock_vma_under_rcu+0x187/0x6f0 [ 149.684533][ T5675] ? __lock_acquire+0x7f70/0x7f70 [ 149.689548][ T5675] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 149.694757][ T5675] ? lock_vma_under_rcu+0x5df/0x6f0 [ 149.699954][ T5675] ? lock_vma_under_rcu+0x187/0x6f0 [ 149.705156][ T5675] ? exc_page_fault+0x10f/0x860 [ 149.710007][ T5675] exc_page_fault+0x455/0x860 [ 149.714684][ T5675] asm_exc_page_fault+0x26/0x30 [ 149.719530][ T5675] RIP: 0033:0x7f794735bd00 [ 149.723936][ T5675] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 149.743535][ T5675] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [ 149.749611][ T5675] RAX: 0000000000044c14 RBX: 00007f794732f750 RCX: 000000000000000b [ 149.757574][ T5675] RDX: 000000000001a7ab RSI: 0000000000000fac RDI: 00007f794732f7f0 [ 149.765535][ T5675] RBP: 000000000000000c R08: 00007f793ef10000 R09: 0000000000000001 [ 149.773516][ T5675] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 149.781498][ T5675] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [pid 5674] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5674] munmap(0x7f7936b10000, 2097152) = 0 [pid 5674] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5674] ioctl(6, LOOP_SET_FD, 5 [pid 5675] munmap(0x7f793ef10000, 138412032 [pid 5674] <... ioctl resumed>) = 0 [pid 5674] close(5) = 0 [pid 5674] mkdir("./file0", 0777) = 0 [pid 5674] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5675] <... munmap resumed>) = 0 [pid 5675] close(4) = 0 [pid 5675] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5673] <... futex resumed>) = 0 [pid 5675] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5674] <... mount resumed>) = 0 [pid 5674] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5674] chdir("./file0") = 0 [pid 5674] ioctl(6, LOOP_CLR_FD) = 0 [pid 5674] close(6) = 0 [pid 5674] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5674] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5673] exit_group(0 [pid 5675] <... futex resumed>) = ? [pid 5674] <... futex resumed>) = ? [pid 5673] <... exit_group resumed>) = ? [pid 5675] +++ exited with 0 +++ [pid 5674] +++ exited with 0 +++ [pid 5673] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5673, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- umount2("./211", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./211", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./211/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./211/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./211/binderfs") = 0 umount2("./211/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./211/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./211/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./211/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./211/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./211/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 [ 149.789485][ T5675] [ 149.794159][ T5675] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 149.818639][ T5674] loop0: detected capacity change from 0 to 4096 [ 149.833619][ T5674] ntfs: volume version 12.0. close(3) = 0 rmdir("./211") = 0 mkdir("./212", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5676 ./strace-static-x86_64: Process 5676 attached [pid 5676] set_robust_list(0x555555f176a0, 24) = 0 [pid 5676] chdir("./212") = 0 [pid 5676] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5676] setpgid(0, 0) = 0 [pid 5676] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5676] write(3, "1000", 4) = 4 [pid 5676] close(3) = 0 [pid 5676] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5676] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5676] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5676] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5676] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5676] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5676] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5676] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5677 attached [pid 5677] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5676] <... clone3 resumed> => {parent_tid=[5677]}, 88) = 5677 [pid 5677] <... rseq resumed>) = 0 [pid 5676] rt_sigprocmask(SIG_SETMASK, [], [pid 5677] set_robust_list(0x7f79473519a0, 24 [pid 5676] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5677] <... set_robust_list resumed>) = 0 [pid 5677] rt_sigprocmask(SIG_SETMASK, [], [pid 5676] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5677] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5676] <... futex resumed>) = 0 [pid 5676] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5676] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5677] memfd_create("syzkaller", 0 [pid 5676] <... mmap resumed>) = 0x7f7947310000 [pid 5677] <... memfd_create resumed>) = 3 [pid 5676] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5677] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5676] <... mprotect resumed>) = 0 [pid 5676] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5676] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5678 attached => {parent_tid=[5678]}, 88) = 5678 [pid 5676] rt_sigprocmask(SIG_SETMASK, [], [pid 5678] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5676] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5676] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5676] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5678] <... rseq resumed>) = 0 [pid 5678] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5678] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5678] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5677] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5678] write(4, "85", 2) = 2 [pid 5678] memfd_create("syzkaller", 0) = 5 [pid 5678] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5677] <... write resumed>) = 2097152 [ 149.965096][ T5678] FAULT_INJECTION: forcing a failure. [ 149.965096][ T5678] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 149.979141][ T5678] CPU: 0 PID: 5678 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 149.989579][ T5678] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 149.999634][ T5678] Call Trace: [ 150.002920][ T5678] [ 150.005875][ T5678] dump_stack_lvl+0x1e7/0x2d0 [ 150.010575][ T5678] ? nf_tcp_handle_invalid+0x650/0x650 [ 150.016047][ T5678] ? panic+0x770/0x770 [ 150.020158][ T5678] should_fail_ex+0x3aa/0x4e0 [ 150.024851][ T5678] prepare_alloc_pages+0x1d9/0x5b0 [ 150.029975][ T5678] __alloc_pages+0x165/0x670 [ 150.034584][ T5678] ? zone_statistics+0x170/0x170 [ 150.039519][ T5678] ? verify_lock_unused+0x140/0x140 [ 150.044715][ T5678] ? handle_mm_fault+0x11d/0x62b0 [ 150.049746][ T5678] ? __lock_acquire+0x7f70/0x7f70 [ 150.054803][ T5678] ? pte_offset_map_nolock+0x137/0x1e0 [ 150.060264][ T5678] __folio_alloc+0x13/0x30 [ 150.064676][ T5678] vma_alloc_folio+0x48a/0x9a0 [ 150.069438][ T5678] handle_mm_fault+0x2376/0x62b0 [ 150.074375][ T5678] ? handle_mm_fault+0x11d/0x62b0 [ 150.079419][ T5678] ? numa_migrate_prep+0x380/0x380 [ 150.084546][ T5678] ? mtree_range_walk+0x6a0/0x7e0 [ 150.089566][ T5678] ? lock_vma_under_rcu+0x187/0x6f0 [ 150.094769][ T5678] ? __lock_acquire+0x7f70/0x7f70 [ 150.099885][ T5678] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 150.105083][ T5678] ? lock_vma_under_rcu+0x5df/0x6f0 [ 150.110281][ T5678] ? lock_vma_under_rcu+0x187/0x6f0 [ 150.115493][ T5678] ? exc_page_fault+0x10f/0x860 [ 150.120358][ T5678] exc_page_fault+0x455/0x860 [ 150.125061][ T5678] asm_exc_page_fault+0x26/0x30 [ 150.129921][ T5678] RIP: 0033:0x7f794735bc53 [ 150.134357][ T5678] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 150.153966][ T5678] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5677] munmap(0x7f793ef10000, 2097152) = 0 [pid 5677] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 150.160028][ T5678] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 150.168086][ T5678] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 150.176063][ T5678] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 150.184039][ T5678] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 150.191997][ T5678] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 150.200076][ T5678] [ 150.203928][ T5678] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5677] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5677] close(3) = 0 [pid 5677] mkdir("./file0", 0777) = 0 [pid 5678] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5677] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5678] <... write resumed>) = 2097152 [pid 5678] munmap(0x7f7936b10000, 2097152 [pid 5677] <... mount resumed>) = 0 [pid 5677] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5677] chdir("./file0") = 0 [pid 5677] ioctl(6, LOOP_CLR_FD [pid 5678] <... munmap resumed>) = 0 [pid 5677] <... ioctl resumed>) = 0 [pid 5678] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5677] close(6 [pid 5678] <... openat resumed>) = 7 [pid 5678] ioctl(7, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5678] ioctl(7, LOOP_CLR_FD) = 0 [pid 5677] <... close resumed>) = 0 [pid 5678] ioctl(7, LOOP_SET_FD, 5 [pid 5677] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5678] <... ioctl resumed>) = -1 EBUSY (Device or resource busy) [pid 5677] <... futex resumed>) = 0 [pid 5677] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5678] close(7) = 0 [pid 5678] close(5) = 0 [pid 5678] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5676] <... futex resumed>) = 0 [pid 5676] exit_group(0) = ? [pid 5677] <... futex resumed>) = ? [pid 5677] +++ exited with 0 +++ [pid 5678] <... futex resumed>) = ? [ 150.222445][ T5677] loop0: detected capacity change from 0 to 4096 [ 150.240932][ T5677] ntfs: volume version 12.0. [pid 5678] +++ exited with 0 +++ [pid 5676] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5676, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=15 /* 0.15 s */} --- umount2("./212", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./212", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./212/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./212/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./212/binderfs") = 0 umount2("./212/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./212/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./212/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./212/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./212/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./212/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./212") = 0 mkdir("./213", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5679 attached , child_tidptr=0x555555f17690) = 5679 [pid 5679] set_robust_list(0x555555f176a0, 24) = 0 [pid 5679] chdir("./213") = 0 [pid 5679] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5679] setpgid(0, 0) = 0 [pid 5679] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5679] write(3, "1000", 4) = 4 [pid 5679] close(3) = 0 [pid 5679] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5679] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5679] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5679] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5679] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5679] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5679] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5679] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5680 attached => {parent_tid=[5680]}, 88) = 5680 [pid 5679] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5679] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5679] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5679] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5680] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5680] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5680] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5679] <... mmap resumed>) = 0x7f7947310000 [pid 5679] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5680] memfd_create("syzkaller", 0 [pid 5679] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5679] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5681 attached [pid 5681] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5679] <... clone3 resumed> => {parent_tid=[5681]}, 88) = 5681 [pid 5681] <... rseq resumed>) = 0 [pid 5679] rt_sigprocmask(SIG_SETMASK, [], [pid 5681] set_robust_list(0x7f79473309a0, 24 [pid 5679] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5681] <... set_robust_list resumed>) = 0 [pid 5679] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5681] rt_sigprocmask(SIG_SETMASK, [], [pid 5680] <... memfd_create resumed>) = 3 [pid 5681] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5680] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5679] <... futex resumed>) = 0 [pid 5681] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5680] <... mmap resumed>) = 0x7f793ef10000 [pid 5679] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5680] munmap(0x7f793ef10000, 138412032) = 0 [pid 5680] close(3) = 0 [pid 5680] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5680] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5681] <... openat resumed>) = 3 [pid 5681] write(3, "85", 2) = 2 [pid 5681] memfd_create("syzkaller", 0) = 4 [pid 5681] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 150.356816][ T5681] FAULT_INJECTION: forcing a failure. [ 150.356816][ T5681] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 150.370325][ T5681] CPU: 1 PID: 5681 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 150.380750][ T5681] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 150.390810][ T5681] Call Trace: [ 150.394081][ T5681] [ 150.397018][ T5681] dump_stack_lvl+0x1e7/0x2d0 [ 150.401711][ T5681] ? nf_tcp_handle_invalid+0x650/0x650 [ 150.407160][ T5681] ? panic+0x770/0x770 [ 150.411244][ T5681] should_fail_ex+0x3aa/0x4e0 [ 150.415938][ T5681] prepare_alloc_pages+0x1d9/0x5b0 [ 150.421064][ T5681] __alloc_pages+0x165/0x670 [ 150.425651][ T5681] ? zone_statistics+0x170/0x170 [ 150.430589][ T5681] ? verify_lock_unused+0x140/0x140 [ 150.435785][ T5681] ? handle_mm_fault+0x11d/0x62b0 [ 150.440806][ T5681] ? __lock_acquire+0x7f70/0x7f70 [ 150.445822][ T5681] ? pte_offset_map_nolock+0x137/0x1e0 [ 150.451283][ T5681] __folio_alloc+0x13/0x30 [ 150.455694][ T5681] vma_alloc_folio+0x48a/0x9a0 [ 150.460459][ T5681] handle_mm_fault+0x2376/0x62b0 [ 150.465401][ T5681] ? handle_mm_fault+0x11d/0x62b0 [ 150.470431][ T5681] ? numa_migrate_prep+0x380/0x380 [ 150.475549][ T5681] ? mtree_range_walk+0x6a0/0x7e0 [ 150.480571][ T5681] ? lock_vma_under_rcu+0x187/0x6f0 [ 150.485765][ T5681] ? __lock_acquire+0x7f70/0x7f70 [ 150.490781][ T5681] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 150.495989][ T5681] ? lock_vma_under_rcu+0x5df/0x6f0 [ 150.501191][ T5681] ? lock_vma_under_rcu+0x187/0x6f0 [ 150.506392][ T5681] ? exc_page_fault+0x10f/0x860 [ 150.511252][ T5681] exc_page_fault+0x455/0x860 [ 150.516019][ T5681] asm_exc_page_fault+0x26/0x30 [ 150.520885][ T5681] RIP: 0033:0x7f794735bd00 [ 150.525381][ T5681] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 150.544995][ T5681] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5681] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5681] munmap(0x7f793ef10000, 2097152) = 0 [pid 5681] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 150.551096][ T5681] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 150.559058][ T5681] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 150.567020][ T5681] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 150.575070][ T5681] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 150.583037][ T5681] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 150.591015][ T5681] [ 150.594344][ T5681] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5681] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5681] close(4) = 0 [pid 5681] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5681] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5681] ioctl(5, LOOP_CLR_FD) = 0 [pid 5681] close(5) = 0 [pid 5681] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5679] <... futex resumed>) = 0 [pid 5681] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5679] exit_group(0 [pid 5680] <... futex resumed>) = ? [pid 5679] <... exit_group resumed>) = ? [pid 5681] <... futex resumed>) = ? [pid 5680] +++ exited with 0 +++ [ 150.631645][ T5681] loop0: detected capacity change from 0 to 4096 [ 150.648568][ T5681] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 150.655622][ T5681] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5681] +++ exited with 0 +++ [pid 5679] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5679, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./213", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./213", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./213/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./213/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./213/binderfs") = 0 umount2("\x2e\x2f\x32\x31\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x31\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x31\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x31\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x31\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./213") = 0 mkdir("./214", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5682 attached , child_tidptr=0x555555f17690) = 5682 [pid 5682] set_robust_list(0x555555f176a0, 24) = 0 [pid 5682] chdir("./214") = 0 [pid 5682] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5682] setpgid(0, 0) = 0 [pid 5682] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5682] write(3, "1000", 4) = 4 [pid 5682] close(3) = 0 [pid 5682] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5682] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5682] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5682] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5682] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5682] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5682] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5682] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5683 attached [pid 5683] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5683] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5683] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5683] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5682] <... clone3 resumed> => {parent_tid=[5683]}, 88) = 5683 [pid 5682] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5682] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5683] <... futex resumed>) = 0 [pid 5682] <... futex resumed>) = 1 [pid 5683] memfd_create("syzkaller", 0 [pid 5682] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5682] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5683] <... memfd_create resumed>) = 3 [pid 5682] <... mmap resumed>) = 0x7f7947310000 [pid 5683] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5682] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5682] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5682] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5684 attached => {parent_tid=[5684]}, 88) = 5684 [pid 5684] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5682] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5684] <... rseq resumed>) = 0 [pid 5682] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5684] set_robust_list(0x7f79473309a0, 24 [pid 5682] <... futex resumed>) = 0 [pid 5684] <... set_robust_list resumed>) = 0 [pid 5682] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5684] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5684] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5684] write(4, "85", 2) = 2 [pid 5684] memfd_create("syzkaller", 0) = 5 [pid 5684] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5683] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 150.787510][ T5684] FAULT_INJECTION: forcing a failure. [ 150.787510][ T5684] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 150.800797][ T5684] CPU: 0 PID: 5684 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 150.811261][ T5684] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 150.821338][ T5684] Call Trace: [ 150.824628][ T5684] [ 150.827552][ T5684] dump_stack_lvl+0x1e7/0x2d0 [ 150.832233][ T5684] ? nf_tcp_handle_invalid+0x650/0x650 [ 150.837690][ T5684] ? panic+0x770/0x770 [ 150.841761][ T5684] should_fail_ex+0x3aa/0x4e0 [ 150.846452][ T5684] prepare_alloc_pages+0x1d9/0x5b0 [ 150.851565][ T5684] __alloc_pages+0x165/0x670 [ 150.856168][ T5684] ? zone_statistics+0x170/0x170 [ 150.861125][ T5684] ? verify_lock_unused+0x140/0x140 [ 150.866339][ T5684] ? handle_mm_fault+0x11d/0x62b0 [ 150.871384][ T5684] ? __lock_acquire+0x7f70/0x7f70 [ 150.876415][ T5684] ? pte_offset_map_nolock+0x137/0x1e0 [ 150.881899][ T5684] __folio_alloc+0x13/0x30 [ 150.886344][ T5684] vma_alloc_folio+0x48a/0x9a0 [ 150.891115][ T5684] handle_mm_fault+0x2376/0x62b0 [ 150.896072][ T5684] ? handle_mm_fault+0x11d/0x62b0 [ 150.901113][ T5684] ? numa_migrate_prep+0x380/0x380 [ 150.906225][ T5684] ? mtree_range_walk+0x6a0/0x7e0 [ 150.911252][ T5684] ? lock_vma_under_rcu+0x187/0x6f0 [ 150.916463][ T5684] ? __lock_acquire+0x7f70/0x7f70 [ 150.921475][ T5684] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 150.926699][ T5684] ? lock_vma_under_rcu+0x5df/0x6f0 [ 150.932437][ T5684] ? lock_vma_under_rcu+0x187/0x6f0 [ 150.937649][ T5684] ? exc_page_fault+0x10f/0x860 [ 150.942518][ T5684] exc_page_fault+0x455/0x860 [ 150.947200][ T5684] asm_exc_page_fault+0x26/0x30 [ 150.952048][ T5684] RIP: 0033:0x7f794735bc53 [ 150.956453][ T5684] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 150.976070][ T5684] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5683] munmap(0x7f793ef10000, 2097152) = 0 [pid 5683] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5684] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5683] <... openat resumed>) = 6 [ 150.982138][ T5684] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 150.990110][ T5684] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 150.998264][ T5684] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 151.006264][ T5684] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 151.014234][ T5684] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 151.022228][ T5684] [ 151.025531][ T5684] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5683] ioctl(6, LOOP_SET_FD, 3 [pid 5684] <... write resumed>) = 2097152 [pid 5684] munmap(0x7f7936b10000, 2097152 [pid 5683] <... ioctl resumed>) = 0 [pid 5683] close(3) = 0 [pid 5683] mkdir("./file0", 0777 [pid 5684] <... munmap resumed>) = 0 [pid 5683] <... mkdir resumed>) = 0 [pid 5684] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5683] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5684] <... openat resumed>) = 3 [pid 5684] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5684] ioctl(3, LOOP_CLR_FD) = 0 [pid 5684] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5684] close(3) = 0 [pid 5684] close(5) = 0 [pid 5684] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5682] <... futex resumed>) = 0 [pid 5684] <... futex resumed>) = 1 [ 151.056618][ T5683] loop0: detected capacity change from 0 to 4096 [ 151.070671][ T5683] __ntfs_error: 95 callbacks suppressed [ 151.070687][ T5683] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 151.091314][ T5683] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [ 151.105029][ T5683] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 151.120399][ T5683] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 151.130447][ T5683] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 151.138758][ T5683] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [pid 5684] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5683] <... mount resumed>) = 0 [pid 5683] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5683] chdir("./file0") = 0 [pid 5683] ioctl(6, LOOP_CLR_FD) = 0 [pid 5683] close(6) = 0 [pid 5683] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5683] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5682] exit_group(0) = ? [pid 5684] <... futex resumed>) = ? [pid 5683] <... futex resumed>) = ? [pid 5683] +++ exited with 0 +++ [pid 5684] +++ exited with 0 +++ [pid 5682] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5682, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=23 /* 0.23 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./214", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./214", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./214/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./214/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./214/binderfs") = 0 [ 151.152304][ T5683] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 151.164515][ T5683] ntfs: volume version 12.0. [ 151.169613][ T5683] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 151.178491][ T5683] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [ 151.191906][ T5683] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. umount2("./214/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./214/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./214/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./214/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./214/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./214/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./214") = 0 mkdir("./215", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5685 attached , child_tidptr=0x555555f17690) = 5685 [pid 5685] set_robust_list(0x555555f176a0, 24) = 0 [pid 5685] chdir("./215") = 0 [pid 5685] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5685] setpgid(0, 0) = 0 [pid 5685] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5685] write(3, "1000", 4) = 4 [pid 5685] close(3) = 0 [pid 5685] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5685] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5685] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5685] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5685] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5685] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5685] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5685] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5686]}, 88) = 5686 [pid 5685] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5685] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5685] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5685] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5685] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE./strace-static-x86_64: Process 5686 attached [pid 5686] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5685] <... mprotect resumed>) = 0 [pid 5686] <... rseq resumed>) = 0 [pid 5686] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5685] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5686] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5685] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5685] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5687 attached [pid 5686] memfd_create("syzkaller", 0 [pid 5685] <... clone3 resumed> => {parent_tid=[5687]}, 88) = 5687 [pid 5687] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5686] <... memfd_create resumed>) = 3 [pid 5686] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5685] rt_sigprocmask(SIG_SETMASK, [], [pid 5686] <... mmap resumed>) = 0x7f793ef10000 [pid 5685] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5687] <... rseq resumed>) = 0 [pid 5687] set_robust_list(0x7f79473309a0, 24 [pid 5685] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5687] <... set_robust_list resumed>) = 0 [pid 5685] <... futex resumed>) = 0 [pid 5687] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5685] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5687] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5686] munmap(0x7f793ef10000, 138412032 [pid 5687] <... openat resumed>) = 4 [pid 5687] write(4, "85", 2) = 2 [pid 5687] memfd_create("syzkaller", 0 [pid 5686] <... munmap resumed>) = 0 [pid 5687] <... memfd_create resumed>) = 5 [pid 5687] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5686] close(3 [pid 5687] <... mmap resumed>) = 0x7f793ef10000 [pid 5686] <... close resumed>) = 0 [pid 5686] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 151.307641][ T5687] FAULT_INJECTION: forcing a failure. [ 151.307641][ T5687] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 151.321452][ T5687] CPU: 0 PID: 5687 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 151.331883][ T5687] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 151.341948][ T5687] Call Trace: [ 151.345214][ T5687] [ 151.348138][ T5687] dump_stack_lvl+0x1e7/0x2d0 [ 151.352928][ T5687] ? nf_tcp_handle_invalid+0x650/0x650 [ 151.358374][ T5687] ? panic+0x770/0x770 [ 151.362437][ T5687] should_fail_ex+0x3aa/0x4e0 [ 151.367143][ T5687] prepare_alloc_pages+0x1d9/0x5b0 [ 151.372273][ T5687] __alloc_pages+0x165/0x670 [ 151.376876][ T5687] ? zone_statistics+0x170/0x170 [ 151.381917][ T5687] ? verify_lock_unused+0x140/0x140 [ 151.387130][ T5687] ? handle_mm_fault+0x11d/0x62b0 [ 151.392164][ T5687] ? __lock_acquire+0x7f70/0x7f70 [ 151.397189][ T5687] ? pte_offset_map_nolock+0x137/0x1e0 [ 151.402652][ T5687] __folio_alloc+0x13/0x30 [ 151.407169][ T5687] vma_alloc_folio+0x48a/0x9a0 [ 151.411936][ T5687] handle_mm_fault+0x2376/0x62b0 [ 151.416878][ T5687] ? handle_mm_fault+0x11d/0x62b0 [ 151.421910][ T5687] ? numa_migrate_prep+0x380/0x380 [ 151.427028][ T5687] ? mtree_range_walk+0x6a0/0x7e0 [ 151.432053][ T5687] ? lock_vma_under_rcu+0x187/0x6f0 [ 151.437336][ T5687] ? __lock_acquire+0x7f70/0x7f70 [ 151.442353][ T5687] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 151.447561][ T5687] ? lock_vma_under_rcu+0x5df/0x6f0 [ 151.452757][ T5687] ? lock_vma_under_rcu+0x187/0x6f0 [ 151.457964][ T5687] ? exc_page_fault+0x10f/0x860 [ 151.462813][ T5687] exc_page_fault+0x455/0x860 [ 151.467497][ T5687] asm_exc_page_fault+0x26/0x30 [ 151.472342][ T5687] RIP: 0033:0x7f794735bd00 [ 151.476754][ T5687] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 151.496358][ T5687] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5686] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5687] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5687] munmap(0x7f793ef10000, 2097152) = 0 [pid 5687] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 151.502426][ T5687] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 151.510392][ T5687] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 151.518358][ T5687] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 151.526323][ T5687] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 151.534289][ T5687] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 151.542275][ T5687] [ 151.545698][ T5687] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5687] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5687] close(5) = 0 [pid 5687] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5687] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 151.584396][ T5687] loop0: detected capacity change from 0 to 4096 [ 151.603795][ T5687] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 151.610988][ T5687] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5687] ioctl(3, LOOP_CLR_FD) = 0 [pid 5687] close(3) = 0 [pid 5687] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5685] <... futex resumed>) = 0 [pid 5687] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5685] exit_group(0 [pid 5687] <... futex resumed>) = ? [pid 5686] <... futex resumed>) = ? [pid 5685] <... exit_group resumed>) = ? [pid 5687] +++ exited with 0 +++ [pid 5686] +++ exited with 0 +++ [pid 5685] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5685, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=8 /* 0.08 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./215", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./215", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./215/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./215/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./215/binderfs") = 0 umount2("\x2e\x2f\x32\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x31\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./215") = 0 mkdir("./216", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5688 attached , child_tidptr=0x555555f17690) = 5688 [pid 5688] set_robust_list(0x555555f176a0, 24) = 0 [pid 5688] chdir("./216") = 0 [pid 5688] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5688] setpgid(0, 0) = 0 [pid 5688] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5688] write(3, "1000", 4) = 4 [pid 5688] close(3) = 0 [pid 5688] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5688] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5688] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5688] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5688] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5688] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5688] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5688] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5689]}, 88) = 5689 [pid 5688] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5688] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5688] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5688] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5688] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5688] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5688] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5690 attached [pid 5690] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5688] <... clone3 resumed> => {parent_tid=[5690]}, 88) = 5690 [pid 5690] set_robust_list(0x7f79473309a0, 24 [pid 5688] rt_sigprocmask(SIG_SETMASK, [], [pid 5690] <... set_robust_list resumed>) = 0 [pid 5688] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5690] rt_sigprocmask(SIG_SETMASK, [], [pid 5688] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5690] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5688] <... futex resumed>) = 0 ./strace-static-x86_64: Process 5689 attached [pid 5690] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5688] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5690] <... openat resumed>) = 3 [pid 5689] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5690] write(3, "85", 2) = 2 [pid 5690] memfd_create("syzkaller", 0) = 4 [pid 5690] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5689] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5689] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5689] memfd_create("syzkaller", 0) = 5 [pid 5689] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 151.732045][ T5690] FAULT_INJECTION: forcing a failure. [ 151.732045][ T5690] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 151.746398][ T5690] CPU: 0 PID: 5690 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 151.756934][ T5690] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 151.766990][ T5690] Call Trace: [ 151.770264][ T5690] [ 151.773190][ T5690] dump_stack_lvl+0x1e7/0x2d0 [ 151.777866][ T5690] ? nf_tcp_handle_invalid+0x650/0x650 [ 151.783328][ T5690] ? panic+0x770/0x770 [ 151.787401][ T5690] should_fail_ex+0x3aa/0x4e0 [ 151.792080][ T5690] prepare_alloc_pages+0x1d9/0x5b0 [ 151.797197][ T5690] __alloc_pages+0x165/0x670 [ 151.801787][ T5690] ? zone_statistics+0x170/0x170 [ 151.806726][ T5690] ? verify_lock_unused+0x140/0x140 [ 151.811920][ T5690] ? handle_mm_fault+0x11d/0x62b0 [ 151.816941][ T5690] ? __lock_acquire+0x7f70/0x7f70 [ 151.821957][ T5690] ? pte_offset_map_nolock+0x137/0x1e0 [ 151.827415][ T5690] __folio_alloc+0x13/0x30 [ 151.831832][ T5690] vma_alloc_folio+0x48a/0x9a0 [ 151.836598][ T5690] handle_mm_fault+0x2376/0x62b0 [ 151.841545][ T5690] ? handle_mm_fault+0x11d/0x62b0 [ 151.846577][ T5690] ? numa_migrate_prep+0x380/0x380 [ 151.851692][ T5690] ? mtree_range_walk+0x6a0/0x7e0 [ 151.856716][ T5690] ? lock_vma_under_rcu+0x187/0x6f0 [ 151.861917][ T5690] ? __lock_acquire+0x7f70/0x7f70 [ 151.867023][ T5690] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 151.872232][ T5690] ? lock_vma_under_rcu+0x5df/0x6f0 [ 151.877430][ T5690] ? lock_vma_under_rcu+0x187/0x6f0 [ 151.882637][ T5690] ? exc_page_fault+0x10f/0x860 [ 151.887751][ T5690] exc_page_fault+0x455/0x860 [ 151.892516][ T5690] asm_exc_page_fault+0x26/0x30 [ 151.897363][ T5690] RIP: 0033:0x7f794735bc53 [ 151.901773][ T5690] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 151.921387][ T5690] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5690] munmap(0x7f793ef10000, 138412032) = 0 [pid 5690] close(4) = 0 [pid 5690] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5688] <... futex resumed>) = 0 [pid 5690] <... futex resumed>) = 1 [pid 5690] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5689] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5689] munmap(0x7f7936b10000, 2097152) = 0 [pid 5689] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 151.927465][ T5690] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 151.935447][ T5690] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 151.943627][ T5690] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 151.951598][ T5690] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 151.959570][ T5690] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 151.967560][ T5690] [pid 5689] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5689] close(5) = 0 [pid 5689] mkdir("./file0", 0777) = 0 [pid 5689] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5689] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5689] chdir("./file0") = 0 [pid 5689] ioctl(4, LOOP_CLR_FD) = 0 [pid 5689] close(4) = 0 [pid 5689] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5688] exit_group(0 [pid 5689] <... futex resumed>) = 0 [pid 5689] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5688] <... exit_group resumed>) = ? [pid 5690] <... futex resumed>) = ? [pid 5689] +++ exited with 0 +++ [pid 5690] +++ exited with 0 +++ [pid 5688] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5688, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./216", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./216", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./216/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./216/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./216/binderfs") = 0 umount2("./216/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./216/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./216/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./216/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./216/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 [ 152.014804][ T5689] loop0: detected capacity change from 0 to 4096 [ 152.028581][ T5689] ntfs: volume version 12.0. close(4) = 0 rmdir("./216/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./216") = 0 mkdir("./217", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5691 attached , child_tidptr=0x555555f17690) = 5691 [pid 5691] set_robust_list(0x555555f176a0, 24) = 0 [pid 5691] chdir("./217") = 0 [pid 5691] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5691] setpgid(0, 0) = 0 [pid 5691] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5691] write(3, "1000", 4) = 4 [pid 5691] close(3) = 0 [pid 5691] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5691] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5691] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5691] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5691] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5691] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5691] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5691] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5692 attached => {parent_tid=[5692]}, 88) = 5692 [pid 5692] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5692] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5692] rt_sigprocmask(SIG_SETMASK, [], [pid 5691] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5691] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5692] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5691] <... futex resumed>) = 0 [pid 5691] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5691] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5691] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5691] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5691] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5693 attached => {parent_tid=[5693]}, 88) = 5693 [pid 5693] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5691] rt_sigprocmask(SIG_SETMASK, [], [pid 5693] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5691] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5693] rt_sigprocmask(SIG_SETMASK, [], [pid 5691] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5693] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5691] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5693] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5692] memfd_create("syzkaller", 0) = 4 [pid 5692] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5693] <... openat resumed>) = 3 [pid 5693] write(3, "85", 2) = 2 [pid 5693] memfd_create("syzkaller", 0 [pid 5692] <... mmap resumed>) = 0x7f793ef10000 [pid 5693] <... memfd_create resumed>) = 5 [pid 5692] munmap(0x7f793ef10000, 138412032 [pid 5693] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5692] <... munmap resumed>) = 0 [pid 5692] close(4) = 0 [pid 5692] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5692] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5693] <... mmap resumed>) = 0x7f793ef10000 [ 152.142721][ T5693] FAULT_INJECTION: forcing a failure. [ 152.142721][ T5693] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 152.156321][ T5693] CPU: 1 PID: 5693 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 152.166796][ T5693] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 152.176847][ T5693] Call Trace: [ 152.180165][ T5693] [ 152.183081][ T5693] dump_stack_lvl+0x1e7/0x2d0 [ 152.187750][ T5693] ? nf_tcp_handle_invalid+0x650/0x650 [ 152.193197][ T5693] ? panic+0x770/0x770 [ 152.197258][ T5693] should_fail_ex+0x3aa/0x4e0 [ 152.201926][ T5693] prepare_alloc_pages+0x1d9/0x5b0 [ 152.207038][ T5693] __alloc_pages+0x165/0x670 [ 152.211636][ T5693] ? zone_statistics+0x170/0x170 [ 152.216573][ T5693] ? verify_lock_unused+0x140/0x140 [ 152.221768][ T5693] ? handle_mm_fault+0x11d/0x62b0 [ 152.226793][ T5693] ? __lock_acquire+0x7f70/0x7f70 [ 152.231811][ T5693] ? pte_offset_map_nolock+0x137/0x1e0 [ 152.237271][ T5693] __folio_alloc+0x13/0x30 [ 152.241688][ T5693] vma_alloc_folio+0x48a/0x9a0 [ 152.246454][ T5693] handle_mm_fault+0x2376/0x62b0 [ 152.251571][ T5693] ? handle_mm_fault+0x11d/0x62b0 [ 152.256605][ T5693] ? numa_migrate_prep+0x380/0x380 [ 152.261723][ T5693] ? mtree_range_walk+0x6a0/0x7e0 [ 152.266748][ T5693] ? lock_vma_under_rcu+0x187/0x6f0 [ 152.271943][ T5693] ? __lock_acquire+0x7f70/0x7f70 [ 152.276964][ T5693] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 152.282343][ T5693] ? lock_vma_under_rcu+0x5df/0x6f0 [ 152.287542][ T5693] ? lock_vma_under_rcu+0x187/0x6f0 [ 152.292833][ T5693] ? exc_page_fault+0x10f/0x860 [ 152.297680][ T5693] exc_page_fault+0x455/0x860 [ 152.302360][ T5693] asm_exc_page_fault+0x26/0x30 [ 152.307291][ T5693] RIP: 0033:0x7f794735bd00 [ 152.311708][ T5693] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 152.331311][ T5693] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5693] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2106600) = 2106600 [pid 5693] munmap(0x7f793ef10000, 2106600) = 0 [pid 5693] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 152.337397][ T5693] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 152.345361][ T5693] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 152.353325][ T5693] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 152.361488][ T5693] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 152.369453][ T5693] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 152.377432][ T5693] [pid 5693] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5693] close(5) = 0 [pid 5693] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5693] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 152.413458][ T5693] loop0: detected capacity change from 0 to 4114 [ 152.430332][ T5693] ntfs3: loop0: failed to replay log file. Can't mount rw! [pid 5693] ioctl(4, LOOP_CLR_FD) = 0 [pid 5693] close(4) = 0 [pid 5693] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5691] <... futex resumed>) = 0 [pid 5693] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5691] exit_group(0 [pid 5692] <... futex resumed>) = ? [pid 5692] +++ exited with 0 +++ [pid 5693] <... futex resumed>) = ? [pid 5693] +++ exited with 0 +++ [pid 5691] <... exit_group resumed>) = ? [pid 5691] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5691, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./217", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./217", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./217/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./217/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./217/binderfs") = 0 umount2("\x2e\x2f\x32\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x31\x37\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./217") = 0 mkdir("./218", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5694 attached , child_tidptr=0x555555f17690) = 5694 [pid 5694] set_robust_list(0x555555f176a0, 24) = 0 [pid 5694] chdir("./218") = 0 [pid 5694] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5694] setpgid(0, 0) = 0 [pid 5694] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5694] write(3, "1000", 4) = 4 [pid 5694] close(3) = 0 [pid 5694] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5694] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5694] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5694] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5694] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5694] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5694] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5694] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5695 attached [pid 5695] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5694] <... clone3 resumed> => {parent_tid=[5695]}, 88) = 5695 [pid 5695] <... rseq resumed>) = 0 [pid 5695] set_robust_list(0x7f79473519a0, 24 [pid 5694] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5694] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5694] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5694] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5694] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5694] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5694] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5696 attached [pid 5696] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5694] <... clone3 resumed> => {parent_tid=[5696]}, 88) = 5696 [pid 5696] <... rseq resumed>) = 0 [pid 5694] rt_sigprocmask(SIG_SETMASK, [], [pid 5696] set_robust_list(0x7f79473309a0, 24 [pid 5694] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5696] <... set_robust_list resumed>) = 0 [pid 5694] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5696] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5694] <... futex resumed>) = 0 [pid 5695] <... set_robust_list resumed>) = 0 [pid 5694] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5695] rt_sigprocmask(SIG_SETMASK, [], [pid 5696] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5695] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5696] <... openat resumed>) = 3 [pid 5696] write(3, "85", 2) = 2 [pid 5695] memfd_create("syzkaller", 0 [pid 5696] memfd_create("syzkaller", 0) = 5 [pid 5695] <... memfd_create resumed>) = 4 [pid 5696] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5695] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 152.551101][ T5696] FAULT_INJECTION: forcing a failure. [ 152.551101][ T5696] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 152.564811][ T5696] CPU: 0 PID: 5696 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 152.575255][ T5696] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 152.585337][ T5696] Call Trace: [ 152.588623][ T5696] [ 152.591551][ T5696] dump_stack_lvl+0x1e7/0x2d0 [ 152.596232][ T5696] ? nf_tcp_handle_invalid+0x650/0x650 [ 152.601691][ T5696] ? panic+0x770/0x770 [ 152.605774][ T5696] should_fail_ex+0x3aa/0x4e0 [ 152.610459][ T5696] prepare_alloc_pages+0x1d9/0x5b0 [ 152.615572][ T5696] __alloc_pages+0x165/0x670 [ 152.620231][ T5696] ? zone_statistics+0x170/0x170 [ 152.625172][ T5696] ? verify_lock_unused+0x140/0x140 [ 152.630369][ T5696] ? handle_mm_fault+0x11d/0x62b0 [ 152.635394][ T5696] ? __lock_acquire+0x7f70/0x7f70 [ 152.640412][ T5696] ? pte_offset_map_nolock+0x137/0x1e0 [ 152.645868][ T5696] __folio_alloc+0x13/0x30 [ 152.650397][ T5696] vma_alloc_folio+0x48a/0x9a0 [ 152.655163][ T5696] handle_mm_fault+0x2376/0x62b0 [ 152.660106][ T5696] ? handle_mm_fault+0x11d/0x62b0 [ 152.665147][ T5696] ? numa_migrate_prep+0x380/0x380 [ 152.670269][ T5696] ? mtree_range_walk+0x6a0/0x7e0 [ 152.675384][ T5696] ? lock_vma_under_rcu+0x187/0x6f0 [ 152.680579][ T5696] ? __lock_acquire+0x7f70/0x7f70 [ 152.685684][ T5696] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 152.690891][ T5696] ? lock_vma_under_rcu+0x5df/0x6f0 [ 152.696091][ T5696] ? lock_vma_under_rcu+0x187/0x6f0 [ 152.701302][ T5696] ? exc_page_fault+0x10f/0x860 [ 152.706150][ T5696] exc_page_fault+0x455/0x860 [ 152.710831][ T5696] asm_exc_page_fault+0x26/0x30 [ 152.715678][ T5696] RIP: 0033:0x7f794735bc53 [ 152.720087][ T5696] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 152.739715][ T5696] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [ 152.745811][ T5696] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 152.753780][ T5696] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 152.761759][ T5696] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 152.769898][ T5696] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 152.777872][ T5696] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 152.785850][ T5696] [ 152.789639][ T5696] pagefault_out_of_memory: 2 callbacks suppressed [pid 5695] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5695] munmap(0x7f7936b10000, 2097152) = 0 [pid 5696] munmap(0x7f793ef10000, 138412032 [pid 5695] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5695] ioctl(6, LOOP_SET_FD, 4 [pid 5696] <... munmap resumed>) = 0 [pid 5696] close(5) = 0 [ 152.789652][ T5696] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5696] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5694] <... futex resumed>) = 0 [pid 5696] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5695] <... ioctl resumed>) = 0 [pid 5695] close(4) = 0 [pid 5695] mkdir("./file0", 0777) = 0 [pid 5695] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5695] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5695] chdir("./file0") = 0 [pid 5695] ioctl(6, LOOP_CLR_FD) = 0 [pid 5695] close(6) = 0 [pid 5695] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5695] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5694] exit_group(0 [pid 5696] <... futex resumed>) = ? [pid 5696] +++ exited with 0 +++ [pid 5695] <... futex resumed>) = ? [pid 5694] <... exit_group resumed>) = ? [pid 5695] +++ exited with 0 +++ [pid 5694] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5694, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./218", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./218", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./218/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./218/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./218/binderfs") = 0 umount2("./218/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./218/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./218/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./218/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./218/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./218/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./218") = 0 mkdir("./219", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 [ 152.831785][ T5695] loop0: detected capacity change from 0 to 4096 [ 152.844690][ T5695] ntfs: volume version 12.0. clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5697 attached , child_tidptr=0x555555f17690) = 5697 [pid 5697] set_robust_list(0x555555f176a0, 24) = 0 [pid 5697] chdir("./219") = 0 [pid 5697] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5697] setpgid(0, 0) = 0 [pid 5697] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5697] write(3, "1000", 4) = 4 [pid 5697] close(3) = 0 [pid 5697] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5697] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5697] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5697] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5697] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5697] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5697] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5697] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5698]}, 88) = 5698 [pid 5697] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5697] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5697] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5697] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5697] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 ./strace-static-x86_64: Process 5698 attached [pid 5698] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5697] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5698] <... rseq resumed>) = 0 [pid 5698] set_robust_list(0x7f79473519a0, 24 [pid 5697] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5698] <... set_robust_list resumed>) = 0 [pid 5698] rt_sigprocmask(SIG_SETMASK, [], [pid 5697] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5699 attached [pid 5698] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5697] <... clone3 resumed> => {parent_tid=[5699]}, 88) = 5699 [pid 5697] rt_sigprocmask(SIG_SETMASK, [], [pid 5698] memfd_create("syzkaller", 0 [pid 5697] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5699] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5697] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5697] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5699] <... rseq resumed>) = 0 [pid 5698] <... memfd_create resumed>) = 3 [pid 5698] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5699] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5699] rt_sigprocmask(SIG_SETMASK, [], [pid 5698] <... mmap resumed>) = 0x7f793ef10000 [pid 5699] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5699] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5698] munmap(0x7f793ef10000, 138412032 [pid 5699] <... openat resumed>) = 4 [pid 5699] write(4, "85", 2) = 2 [pid 5699] memfd_create("syzkaller", 0) = 5 [pid 5699] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5698] <... munmap resumed>) = 0 [pid 5699] <... mmap resumed>) = 0x7f793ef10000 [pid 5698] close(3) = 0 [pid 5698] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 152.936954][ T5699] FAULT_INJECTION: forcing a failure. [ 152.936954][ T5699] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 152.951296][ T5699] CPU: 1 PID: 5699 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 152.961736][ T5699] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 152.971782][ T5699] Call Trace: [ 152.975053][ T5699] [ 152.977973][ T5699] dump_stack_lvl+0x1e7/0x2d0 [ 152.982644][ T5699] ? nf_tcp_handle_invalid+0x650/0x650 [ 152.988106][ T5699] ? panic+0x770/0x770 [ 152.992167][ T5699] should_fail_ex+0x3aa/0x4e0 [ 152.996834][ T5699] prepare_alloc_pages+0x1d9/0x5b0 [ 153.001955][ T5699] __alloc_pages+0x165/0x670 [ 153.006551][ T5699] ? zone_statistics+0x170/0x170 [ 153.011512][ T5699] ? verify_lock_unused+0x140/0x140 [ 153.016714][ T5699] ? handle_mm_fault+0x11d/0x62b0 [ 153.021730][ T5699] ? __lock_acquire+0x7f70/0x7f70 [ 153.026736][ T5699] ? pte_offset_map_nolock+0x137/0x1e0 [ 153.032182][ T5699] __folio_alloc+0x13/0x30 [ 153.036588][ T5699] vma_alloc_folio+0x48a/0x9a0 [ 153.041360][ T5699] handle_mm_fault+0x2376/0x62b0 [ 153.046293][ T5699] ? handle_mm_fault+0x11d/0x62b0 [ 153.051317][ T5699] ? numa_migrate_prep+0x380/0x380 [ 153.056430][ T5699] ? mtree_range_walk+0x6a0/0x7e0 [ 153.061478][ T5699] ? lock_vma_under_rcu+0x187/0x6f0 [ 153.066751][ T5699] ? __lock_acquire+0x7f70/0x7f70 [ 153.071780][ T5699] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 153.076990][ T5699] ? lock_vma_under_rcu+0x5df/0x6f0 [ 153.082287][ T5699] ? lock_vma_under_rcu+0x187/0x6f0 [ 153.087499][ T5699] ? exc_page_fault+0x10f/0x860 [ 153.092349][ T5699] exc_page_fault+0x455/0x860 [ 153.097059][ T5699] asm_exc_page_fault+0x26/0x30 [ 153.101906][ T5699] RIP: 0033:0x7f794735bd00 [ 153.106317][ T5699] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 153.125935][ T5699] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5698] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5699] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5699] munmap(0x7f793ef10000, 2097152) = 0 [pid 5699] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 153.132008][ T5699] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 153.139987][ T5699] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 153.147974][ T5699] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 153.155960][ T5699] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 153.163959][ T5699] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 153.171957][ T5699] [ 153.176065][ T5699] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5699] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5699] close(5) = 0 [pid 5699] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5699] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5699] ioctl(3, LOOP_CLR_FD) = 0 [pid 5699] close(3) = 0 [pid 5699] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5697] <... futex resumed>) = 0 [pid 5699] <... futex resumed>) = 1 [pid 5697] exit_group(0 [pid 5698] <... futex resumed>) = ? [pid 5697] <... exit_group resumed>) = ? [pid 5699] +++ exited with 0 +++ [pid 5698] +++ exited with 0 +++ [ 153.215547][ T5699] loop0: detected capacity change from 0 to 4096 [ 153.234038][ T5699] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 153.241305][ T5699] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5697] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5697, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./219", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./219", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./219/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./219/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./219/binderfs") = 0 umount2("\x2e\x2f\x32\x31\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x31\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x31\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x31\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x31\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./219") = 0 mkdir("./220", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5700 ./strace-static-x86_64: Process 5700 attached [pid 5700] set_robust_list(0x555555f176a0, 24) = 0 [pid 5700] chdir("./220") = 0 [pid 5700] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5700] setpgid(0, 0) = 0 [pid 5700] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5700] write(3, "1000", 4) = 4 [pid 5700] close(3) = 0 [pid 5700] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5700] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5700] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5700] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5700] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5700] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5700] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5700] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5701 attached [pid 5701] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5700] <... clone3 resumed> => {parent_tid=[5701]}, 88) = 5701 [pid 5701] <... rseq resumed>) = 0 [pid 5700] rt_sigprocmask(SIG_SETMASK, [], [pid 5701] set_robust_list(0x7f79473519a0, 24 [pid 5700] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5701] <... set_robust_list resumed>) = 0 [pid 5701] rt_sigprocmask(SIG_SETMASK, [], [pid 5700] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5701] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5700] <... futex resumed>) = 0 [pid 5701] memfd_create("syzkaller", 0 [pid 5700] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5700] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5700] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5700] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5701] <... memfd_create resumed>) = 3 [pid 5700] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5701] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5700] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5702 attached [pid 5701] <... mmap resumed>) = 0x7f793ef10000 [pid 5702] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5702] set_robust_list(0x7f79473309a0, 24 [pid 5700] <... clone3 resumed> => {parent_tid=[5702]}, 88) = 5702 [pid 5702] <... set_robust_list resumed>) = 0 [pid 5700] rt_sigprocmask(SIG_SETMASK, [], [pid 5702] rt_sigprocmask(SIG_SETMASK, [], [pid 5700] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5702] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5700] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5702] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5702] write(4, "85", 2) = 2 [pid 5702] memfd_create("syzkaller", 0) = 5 [pid 5702] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5700] <... futex resumed>) = 0 [pid 5702] <... mmap resumed>) = 0x7f7936b10000 [pid 5700] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5701] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 153.373569][ T5702] FAULT_INJECTION: forcing a failure. [ 153.373569][ T5702] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 153.387826][ T5702] CPU: 1 PID: 5702 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 153.398535][ T5702] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 153.408775][ T5702] Call Trace: [ 153.412096][ T5702] [ 153.415042][ T5702] dump_stack_lvl+0x1e7/0x2d0 [ 153.419829][ T5702] ? nf_tcp_handle_invalid+0x650/0x650 [ 153.425324][ T5702] ? panic+0x770/0x770 [ 153.429435][ T5702] should_fail_ex+0x3aa/0x4e0 [ 153.434133][ T5702] prepare_alloc_pages+0x1d9/0x5b0 [ 153.439262][ T5702] __alloc_pages+0x165/0x670 [ 153.443956][ T5702] ? zone_statistics+0x170/0x170 [ 153.448985][ T5702] ? verify_lock_unused+0x140/0x140 [ 153.454182][ T5702] ? handle_mm_fault+0x11d/0x62b0 [ 153.459206][ T5702] ? __lock_acquire+0x7f70/0x7f70 [ 153.464283][ T5702] ? pte_offset_map_nolock+0x137/0x1e0 [ 153.469742][ T5702] __folio_alloc+0x13/0x30 [ 153.474158][ T5702] vma_alloc_folio+0x48a/0x9a0 [ 153.478928][ T5702] handle_mm_fault+0x2376/0x62b0 [ 153.483875][ T5702] ? handle_mm_fault+0x11d/0x62b0 [ 153.488907][ T5702] ? numa_migrate_prep+0x380/0x380 [ 153.494109][ T5702] ? mtree_range_walk+0x6a0/0x7e0 [ 153.499159][ T5702] ? lock_vma_under_rcu+0x187/0x6f0 [ 153.504440][ T5702] ? __lock_acquire+0x7f70/0x7f70 [ 153.509457][ T5702] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 153.514664][ T5702] ? lock_vma_under_rcu+0x5df/0x6f0 [ 153.519863][ T5702] ? lock_vma_under_rcu+0x187/0x6f0 [ 153.525067][ T5702] ? exc_page_fault+0x10f/0x860 [ 153.529915][ T5702] exc_page_fault+0x455/0x860 [ 153.534593][ T5702] asm_exc_page_fault+0x26/0x30 [ 153.539437][ T5702] RIP: 0033:0x7f794735bc53 [ 153.543876][ T5702] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 153.563485][ T5702] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5701] munmap(0x7f793ef10000, 2097152) = 0 [pid 5701] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 153.569551][ T5702] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 153.577525][ T5702] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 153.585582][ T5702] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 153.593571][ T5702] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 153.601728][ T5702] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 153.609708][ T5702] [ 153.613245][ T5702] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5701] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5701] close(3) = 0 [pid 5701] mkdir("./file0", 0777) = 0 [pid 5701] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5702] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5701] <... mount resumed>) = 0 [pid 5701] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5701] chdir("./file0") = 0 [pid 5701] ioctl(6, LOOP_CLR_FD) = 0 [pid 5701] close(6) = 0 [pid 5701] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5701] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5702] <... write resumed>) = 2097152 [pid 5702] munmap(0x7f7936b10000, 2097152) = 0 [pid 5702] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5702] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5702] ioctl(6, LOOP_CLR_FD) = 0 [pid 5702] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5702] close(6) = 0 [pid 5702] close(5) = 0 [ 153.628394][ T5701] loop0: detected capacity change from 0 to 4096 [ 153.646153][ T5701] ntfs: volume version 12.0. [pid 5702] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5700] <... futex resumed>) = 0 [pid 5700] exit_group(0) = ? [pid 5701] <... futex resumed>) = ? [pid 5701] +++ exited with 0 +++ [pid 5702] <... futex resumed>) = ? [pid 5702] +++ exited with 0 +++ [pid 5700] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5700, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=12 /* 0.12 s */} --- umount2("./220", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./220", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./220/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./220/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./220/binderfs") = 0 umount2("./220/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./220/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./220/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./220/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./220/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./220/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./220") = 0 mkdir("./221", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5703 attached , child_tidptr=0x555555f17690) = 5703 [pid 5703] set_robust_list(0x555555f176a0, 24) = 0 [pid 5703] chdir("./221") = 0 [pid 5703] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5703] setpgid(0, 0) = 0 [pid 5703] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5703] write(3, "1000", 4) = 4 [pid 5703] close(3) = 0 [pid 5703] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5703] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5703] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5703] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5703] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5703] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5703] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5703] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5704 attached [pid 5704] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5704] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5704] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5704] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5703] <... clone3 resumed> => {parent_tid=[5704]}, 88) = 5704 [pid 5703] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5703] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5704] <... futex resumed>) = 0 [pid 5703] <... futex resumed>) = 1 [pid 5703] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5704] memfd_create("syzkaller", 0 [pid 5703] <... futex resumed>) = 0 [pid 5703] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5704] <... memfd_create resumed>) = 3 [pid 5703] <... mmap resumed>) = 0x7f7947310000 [pid 5704] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5703] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5703] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5703] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5705 attached => {parent_tid=[5705]}, 88) = 5705 [pid 5705] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5703] rt_sigprocmask(SIG_SETMASK, [], [pid 5705] set_robust_list(0x7f79473309a0, 24 [pid 5703] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5705] <... set_robust_list resumed>) = 0 [pid 5705] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5703] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5703] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5705] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5705] write(4, "85", 2) = 2 [pid 5705] memfd_create("syzkaller", 0) = 5 [pid 5705] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5704] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 153.782971][ T5705] FAULT_INJECTION: forcing a failure. [ 153.782971][ T5705] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 153.797276][ T5705] CPU: 1 PID: 5705 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 153.807727][ T5705] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 153.817800][ T5705] Call Trace: [ 153.821092][ T5705] [ 153.824040][ T5705] dump_stack_lvl+0x1e7/0x2d0 [ 153.828725][ T5705] ? nf_tcp_handle_invalid+0x650/0x650 [ 153.834186][ T5705] ? panic+0x770/0x770 [ 153.838254][ T5705] should_fail_ex+0x3aa/0x4e0 [ 153.842937][ T5705] prepare_alloc_pages+0x1d9/0x5b0 [ 153.848052][ T5705] __alloc_pages+0x165/0x670 [ 153.853091][ T5705] ? zone_statistics+0x170/0x170 [ 153.858051][ T5705] ? verify_lock_unused+0x140/0x140 [ 153.863248][ T5705] ? handle_mm_fault+0x11d/0x62b0 [ 153.868271][ T5705] ? __lock_acquire+0x7f70/0x7f70 [ 153.873288][ T5705] ? pte_offset_map_nolock+0x137/0x1e0 [ 153.878744][ T5705] __folio_alloc+0x13/0x30 [ 153.883158][ T5705] vma_alloc_folio+0x48a/0x9a0 [ 153.888096][ T5705] handle_mm_fault+0x2376/0x62b0 [ 153.893040][ T5705] ? handle_mm_fault+0x11d/0x62b0 [ 153.898075][ T5705] ? numa_migrate_prep+0x380/0x380 [ 153.903194][ T5705] ? mtree_range_walk+0x6a0/0x7e0 [ 153.908219][ T5705] ? lock_vma_under_rcu+0x187/0x6f0 [ 153.913413][ T5705] ? __lock_acquire+0x7f70/0x7f70 [ 153.918429][ T5705] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 153.923637][ T5705] ? lock_vma_under_rcu+0x5df/0x6f0 [ 153.928832][ T5705] ? lock_vma_under_rcu+0x187/0x6f0 [ 153.934050][ T5705] ? exc_page_fault+0x10f/0x860 [ 153.938898][ T5705] exc_page_fault+0x455/0x860 [ 153.943575][ T5705] asm_exc_page_fault+0x26/0x30 [ 153.948508][ T5705] RIP: 0033:0x7f794735bc53 [ 153.952925][ T5705] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 153.972536][ T5705] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5704] munmap(0x7f793ef10000, 2097152) = 0 [pid 5704] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 153.978600][ T5705] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 153.986566][ T5705] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 153.994617][ T5705] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 154.002581][ T5705] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 154.010555][ T5705] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 154.018555][ T5705] [ 154.022316][ T5705] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5704] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5704] close(3) = 0 [pid 5704] mkdir("./file0", 0777) = 0 [pid 5704] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5705] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5704] <... mount resumed>) = 0 [pid 5704] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5704] chdir("./file0") = 0 [pid 5704] ioctl(6, LOOP_CLR_FD) = 0 [pid 5704] close(6) = 0 [pid 5704] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5704] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5705] <... write resumed>) = 2097152 [pid 5705] munmap(0x7f7936b10000, 2097152) = 0 [pid 5705] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5705] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5705] ioctl(6, LOOP_CLR_FD) = 0 [pid 5705] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5705] close(6) = 0 [ 154.036087][ T5704] loop0: detected capacity change from 0 to 4096 [ 154.054170][ T5704] ntfs: volume version 12.0. [pid 5705] close(5) = 0 [pid 5705] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5703] <... futex resumed>) = 0 [pid 5705] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5703] exit_group(0 [pid 5705] <... futex resumed>) = ? [pid 5704] <... futex resumed>) = ? [pid 5703] <... exit_group resumed>) = ? [pid 5705] +++ exited with 0 +++ [pid 5704] +++ exited with 0 +++ [pid 5703] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5703, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=11 /* 0.11 s */} --- umount2("./221", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./221", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./221/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./221/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./221/binderfs") = 0 umount2("./221/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./221/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./221/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./221/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./221/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./221/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./221") = 0 mkdir("./222", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5706 ./strace-static-x86_64: Process 5706 attached [pid 5706] set_robust_list(0x555555f176a0, 24) = 0 [pid 5706] chdir("./222") = 0 [pid 5706] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5706] setpgid(0, 0) = 0 [pid 5706] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5706] write(3, "1000", 4) = 4 [pid 5706] close(3) = 0 [pid 5706] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5706] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5706] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5706] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5706] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5706] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5706] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5706] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5707 attached => {parent_tid=[5707]}, 88) = 5707 [pid 5707] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5706] rt_sigprocmask(SIG_SETMASK, [], [pid 5707] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5706] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5707] rt_sigprocmask(SIG_SETMASK, [], [pid 5706] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5707] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5706] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5706] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5706] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5706] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5706] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5708 attached => {parent_tid=[5708]}, 88) = 5708 [pid 5708] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5706] rt_sigprocmask(SIG_SETMASK, [], [pid 5707] memfd_create("syzkaller", 0 [pid 5708] set_robust_list(0x7f79473309a0, 24 [pid 5706] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5708] <... set_robust_list resumed>) = 0 [pid 5706] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5707] <... memfd_create resumed>) = 3 [pid 5708] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5706] <... futex resumed>) = 0 [pid 5708] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5707] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5706] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5707] <... mmap resumed>) = 0x7f793ef10000 [pid 5708] <... openat resumed>) = 4 [pid 5707] munmap(0x7f793ef10000, 138412032 [pid 5708] write(4, "85", 2) = 2 [pid 5708] memfd_create("syzkaller", 0 [pid 5707] <... munmap resumed>) = 0 [pid 5708] <... memfd_create resumed>) = 5 [pid 5708] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5707] close(3) = 0 [pid 5707] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 154.184526][ T5708] FAULT_INJECTION: forcing a failure. [ 154.184526][ T5708] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 154.197981][ T5708] CPU: 1 PID: 5708 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 154.208414][ T5708] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 154.218455][ T5708] Call Trace: [ 154.221720][ T5708] [ 154.224636][ T5708] dump_stack_lvl+0x1e7/0x2d0 [ 154.229305][ T5708] ? nf_tcp_handle_invalid+0x650/0x650 [ 154.234747][ T5708] ? panic+0x770/0x770 [ 154.238809][ T5708] should_fail_ex+0x3aa/0x4e0 [ 154.243478][ T5708] prepare_alloc_pages+0x1d9/0x5b0 [ 154.248590][ T5708] __alloc_pages+0x165/0x670 [ 154.253183][ T5708] ? zone_statistics+0x170/0x170 [ 154.258120][ T5708] ? verify_lock_unused+0x140/0x140 [ 154.263311][ T5708] ? handle_mm_fault+0x11d/0x62b0 [ 154.268333][ T5708] ? __lock_acquire+0x7f70/0x7f70 [ 154.273385][ T5708] ? pte_offset_map_nolock+0x137/0x1e0 [ 154.278843][ T5708] __folio_alloc+0x13/0x30 [ 154.283256][ T5708] vma_alloc_folio+0x48a/0x9a0 [ 154.288023][ T5708] handle_mm_fault+0x2376/0x62b0 [ 154.292972][ T5708] ? handle_mm_fault+0x11d/0x62b0 [ 154.298037][ T5708] ? numa_migrate_prep+0x380/0x380 [ 154.303156][ T5708] ? mtree_range_walk+0x6a0/0x7e0 [ 154.308194][ T5708] ? lock_vma_under_rcu+0x187/0x6f0 [ 154.313393][ T5708] ? __lock_acquire+0x7f70/0x7f70 [ 154.318411][ T5708] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 154.323617][ T5708] ? lock_vma_under_rcu+0x5df/0x6f0 [ 154.328814][ T5708] ? lock_vma_under_rcu+0x187/0x6f0 [ 154.334019][ T5708] ? exc_page_fault+0x10f/0x860 [ 154.338869][ T5708] exc_page_fault+0x455/0x860 [ 154.343551][ T5708] asm_exc_page_fault+0x26/0x30 [ 154.348438][ T5708] RIP: 0033:0x7f794735bd00 [ 154.352852][ T5708] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 154.372480][ T5708] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5707] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5708] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5708] munmap(0x7f793ef10000, 2097152) = 0 [pid 5708] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 154.378551][ T5708] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 154.386525][ T5708] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 154.394493][ T5708] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 154.402458][ T5708] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 154.410421][ T5708] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 154.418398][ T5708] [ 154.421988][ T5708] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5708] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5708] close(5) = 0 [pid 5708] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5708] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5708] ioctl(3, LOOP_CLR_FD) = 0 [pid 5708] close(3) = 0 [pid 5708] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5708] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5706] <... futex resumed>) = 0 [pid 5706] exit_group(0 [pid 5707] <... futex resumed>) = ? [pid 5706] <... exit_group resumed>) = ? [pid 5707] +++ exited with 0 +++ [ 154.460113][ T5708] loop0: detected capacity change from 0 to 4096 [ 154.478908][ T5708] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 154.486056][ T5708] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5708] <... futex resumed>) = ? [pid 5708] +++ exited with 0 +++ [pid 5706] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5706, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./222", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./222", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./222/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./222/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./222/binderfs") = 0 umount2("\x2e\x2f\x32\x32\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x32\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x32\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x32\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x32\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./222") = 0 mkdir("./223", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5709 attached , child_tidptr=0x555555f17690) = 5709 [pid 5709] set_robust_list(0x555555f176a0, 24) = 0 [pid 5709] chdir("./223") = 0 [pid 5709] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5709] setpgid(0, 0) = 0 [pid 5709] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5709] write(3, "1000", 4) = 4 [pid 5709] close(3) = 0 [pid 5709] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5709] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5709] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5709] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5709] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5709] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5709] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5709] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5710 attached [pid 5710] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5710] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5710] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5709] <... clone3 resumed> => {parent_tid=[5710]}, 88) = 5710 [pid 5710] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5709] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5709] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5710] <... futex resumed>) = 0 [pid 5709] <... futex resumed>) = 1 [pid 5709] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5709] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5710] memfd_create("syzkaller", 0 [pid 5709] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5710] <... memfd_create resumed>) = 3 [pid 5710] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5709] <... mprotect resumed>) = 0 [pid 5709] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5709] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5710] <... mmap resumed>) = 0x7f793ef10000 ./strace-static-x86_64: Process 5711 attached [pid 5709] <... clone3 resumed> => {parent_tid=[5711]}, 88) = 5711 [pid 5711] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5709] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5711] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5711] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5709] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5709] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5711] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5711] write(4, "85", 2) = 2 [pid 5711] memfd_create("syzkaller", 0) = 5 [pid 5711] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5710] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5711] <... mmap resumed>) = 0x7f7936b10000 [pid 5710] <... write resumed>) = 2097152 [ 154.621096][ T5711] FAULT_INJECTION: forcing a failure. [ 154.621096][ T5711] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 154.634855][ T5711] CPU: 0 PID: 5711 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 154.645314][ T5711] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 154.655356][ T5711] Call Trace: [ 154.658628][ T5711] [ 154.661543][ T5711] dump_stack_lvl+0x1e7/0x2d0 [ 154.666209][ T5711] ? nf_tcp_handle_invalid+0x650/0x650 [ 154.671746][ T5711] ? panic+0x770/0x770 [ 154.675819][ T5711] should_fail_ex+0x3aa/0x4e0 [ 154.680514][ T5711] prepare_alloc_pages+0x1d9/0x5b0 [ 154.685627][ T5711] __alloc_pages+0x165/0x670 [ 154.690206][ T5711] ? zone_statistics+0x170/0x170 [ 154.695140][ T5711] ? verify_lock_unused+0x140/0x140 [ 154.700324][ T5711] ? handle_mm_fault+0x11d/0x62b0 [ 154.705421][ T5711] ? __lock_acquire+0x7f70/0x7f70 [ 154.710429][ T5711] ? pte_offset_map_nolock+0x137/0x1e0 [ 154.715876][ T5711] __folio_alloc+0x13/0x30 [ 154.720283][ T5711] vma_alloc_folio+0x48a/0x9a0 [ 154.725043][ T5711] handle_mm_fault+0x2376/0x62b0 [ 154.729985][ T5711] ? handle_mm_fault+0x11d/0x62b0 [ 154.735004][ T5711] ? numa_migrate_prep+0x380/0x380 [ 154.740117][ T5711] ? mtree_range_walk+0x6a0/0x7e0 [ 154.745133][ T5711] ? lock_vma_under_rcu+0x187/0x6f0 [ 154.750355][ T5711] ? __lock_acquire+0x7f70/0x7f70 [ 154.755364][ T5711] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 154.760573][ T5711] ? lock_vma_under_rcu+0x5df/0x6f0 [ 154.765866][ T5711] ? lock_vma_under_rcu+0x187/0x6f0 [ 154.771070][ T5711] ? exc_page_fault+0x10f/0x860 [ 154.776172][ T5711] exc_page_fault+0x455/0x860 [ 154.780839][ T5711] asm_exc_page_fault+0x26/0x30 [ 154.785798][ T5711] RIP: 0033:0x7f794735bc53 [ 154.790221][ T5711] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 154.809823][ T5711] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5710] munmap(0x7f793ef10000, 2097152) = 0 [pid 5710] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 154.815881][ T5711] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 154.823835][ T5711] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 154.831789][ T5711] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 154.839752][ T5711] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 154.847706][ T5711] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 154.855679][ T5711] [ 154.860146][ T5711] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5710] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5710] close(3) = 0 [pid 5710] mkdir("./file0", 0777) = 0 [pid 5710] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5711] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5710] <... mount resumed>) = 0 [pid 5710] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5710] chdir("./file0") = 0 [pid 5710] ioctl(6, LOOP_CLR_FD) = 0 [pid 5710] close(6) = 0 [pid 5710] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5710] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5711] <... write resumed>) = 2097152 [pid 5711] munmap(0x7f7936b10000, 2097152) = 0 [pid 5711] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5711] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5711] ioctl(6, LOOP_CLR_FD) = 0 [pid 5711] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5711] close(6) = 0 [ 154.875882][ T5710] loop0: detected capacity change from 0 to 4096 [ 154.889830][ T5710] ntfs: volume version 12.0. [pid 5711] close(5) = 0 [pid 5711] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5709] <... futex resumed>) = 0 [pid 5709] exit_group(0) = ? [pid 5711] <... futex resumed>) = ? [pid 5711] +++ exited with 0 +++ [pid 5710] <... futex resumed>) = ? [pid 5710] +++ exited with 0 +++ [pid 5709] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5709, si_uid=0, si_status=0, si_utime=0, si_stime=16 /* 0.16 s */} --- umount2("./223", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./223", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./223/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./223/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./223/binderfs") = 0 umount2("./223/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./223/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./223/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./223/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./223/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./223/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./223") = 0 mkdir("./224", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5712 attached [pid 5712] set_robust_list(0x555555f176a0, 24) = 0 [pid 5712] chdir("./224") = 0 [pid 5712] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5712 [pid 5712] setpgid(0, 0) = 0 [pid 5712] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5712] write(3, "1000", 4) = 4 [pid 5712] close(3) = 0 [pid 5712] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5712] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5712] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5712] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5712] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5712] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5712] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5712] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5713]}, 88) = 5713 ./strace-static-x86_64: Process 5713 attached [pid 5712] rt_sigprocmask(SIG_SETMASK, [], [pid 5713] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5712] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5713] set_robust_list(0x7f79473519a0, 24 [pid 5712] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5713] <... set_robust_list resumed>) = 0 [pid 5712] <... futex resumed>) = 0 [pid 5713] rt_sigprocmask(SIG_SETMASK, [], [pid 5712] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5713] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5712] <... futex resumed>) = 0 [pid 5712] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5713] memfd_create("syzkaller", 0) = 3 [pid 5712] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5713] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5712] <... mprotect resumed>) = 0 [pid 5712] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5712] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5714 attached => {parent_tid=[5714]}, 88) = 5714 [pid 5712] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5712] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5712] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5714] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5714] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5714] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5714] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5714] write(4, "85", 2) = 2 [pid 5714] memfd_create("syzkaller", 0) = 5 [pid 5714] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5713] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 155.023216][ T5714] FAULT_INJECTION: forcing a failure. [ 155.023216][ T5714] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 155.036683][ T5714] CPU: 1 PID: 5714 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 155.047123][ T5714] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 155.057301][ T5714] Call Trace: [ 155.060597][ T5714] [ 155.063525][ T5714] dump_stack_lvl+0x1e7/0x2d0 [ 155.068204][ T5714] ? nf_tcp_handle_invalid+0x650/0x650 [ 155.073658][ T5714] ? panic+0x770/0x770 [ 155.077744][ T5714] should_fail_ex+0x3aa/0x4e0 [ 155.082431][ T5714] prepare_alloc_pages+0x1d9/0x5b0 [ 155.087555][ T5714] __alloc_pages+0x165/0x670 [ 155.092146][ T5714] ? zone_statistics+0x170/0x170 [ 155.097081][ T5714] ? verify_lock_unused+0x140/0x140 [ 155.102275][ T5714] ? handle_mm_fault+0x11d/0x62b0 [ 155.107323][ T5714] ? __lock_acquire+0x7f70/0x7f70 [ 155.112354][ T5714] ? pte_offset_map_nolock+0x137/0x1e0 [ 155.117929][ T5714] __folio_alloc+0x13/0x30 [ 155.122356][ T5714] vma_alloc_folio+0x48a/0x9a0 [ 155.127126][ T5714] handle_mm_fault+0x2376/0x62b0 [ 155.132075][ T5714] ? handle_mm_fault+0x11d/0x62b0 [ 155.137109][ T5714] ? numa_migrate_prep+0x380/0x380 [ 155.142230][ T5714] ? mtree_range_walk+0x6a0/0x7e0 [ 155.147261][ T5714] ? lock_vma_under_rcu+0x187/0x6f0 [ 155.152457][ T5714] ? __lock_acquire+0x7f70/0x7f70 [ 155.157563][ T5714] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 155.162764][ T5714] ? lock_vma_under_rcu+0x5df/0x6f0 [ 155.167962][ T5714] ? lock_vma_under_rcu+0x187/0x6f0 [ 155.173166][ T5714] ? exc_page_fault+0x10f/0x860 [ 155.178013][ T5714] exc_page_fault+0x455/0x860 [ 155.182690][ T5714] asm_exc_page_fault+0x26/0x30 [ 155.187538][ T5714] RIP: 0033:0x7f794735bc53 [ 155.191946][ T5714] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 155.211548][ T5714] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 155.217611][ T5714] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 155.225574][ T5714] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 155.233541][ T5714] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 155.241504][ T5714] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 155.249470][ T5714] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 155.257449][ T5714] [ 155.260831][ T5714] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5713] munmap(0x7f793ef10000, 2097152) = 0 [pid 5713] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5713] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5713] close(3) = 0 [pid 5713] mkdir("./file0", 0777) = 0 [pid 5713] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5714] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5713] <... mount resumed>) = 0 [pid 5713] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5713] chdir("./file0") = 0 [pid 5713] ioctl(6, LOOP_CLR_FD) = 0 [pid 5713] close(6) = 0 [pid 5714] <... write resumed>) = 2097152 [pid 5713] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5713] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5714] munmap(0x7f7936b10000, 2097152) = 0 [pid 5714] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5714] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5714] ioctl(6, LOOP_CLR_FD) = 0 [pid 5714] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5714] close(6) = 0 [ 155.274827][ T5713] loop0: detected capacity change from 0 to 4096 [ 155.292233][ T5713] ntfs: volume version 12.0. [pid 5714] close(5) = 0 [pid 5714] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5712] <... futex resumed>) = 0 [pid 5714] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5712] exit_group(0 [pid 5714] <... futex resumed>) = ? [pid 5713] <... futex resumed>) = ? [pid 5712] <... exit_group resumed>) = ? [pid 5714] +++ exited with 0 +++ [pid 5713] +++ exited with 0 +++ [pid 5712] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5712, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./224", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./224", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./224/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./224/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./224/binderfs") = 0 umount2("./224/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./224/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./224/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./224/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./224/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./224/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./224") = 0 mkdir("./225", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5715 attached [pid 5715] set_robust_list(0x555555f176a0, 24) = 0 [pid 5715] chdir("./225") = 0 [pid 5715] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5715] setpgid(0, 0) = 0 [pid 5715] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5715] write(3, "1000", 4) = 4 [pid 5715] close(3) = 0 [pid 5715] symlink("/dev/binderfs", "./binderfs" [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5715 [pid 5715] <... symlink resumed>) = 0 [pid 5715] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5715] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5715] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5715] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5715] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5715] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5715] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5716 attached => {parent_tid=[5716]}, 88) = 5716 [pid 5716] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5715] rt_sigprocmask(SIG_SETMASK, [], [pid 5716] set_robust_list(0x7f79473519a0, 24 [pid 5715] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5716] <... set_robust_list resumed>) = 0 [pid 5715] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5716] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5715] <... futex resumed>) = 0 [pid 5715] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5715] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5715] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5716] memfd_create("syzkaller", 0 [pid 5715] <... mprotect resumed>) = 0 [pid 5715] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5716] <... memfd_create resumed>) = 3 [pid 5715] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5715] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5716] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0./strace-static-x86_64: Process 5717 attached [pid 5717] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5717] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5717] rt_sigprocmask(SIG_SETMASK, [], [pid 5716] <... mmap resumed>) = 0x7f793ef10000 [pid 5715] <... clone3 resumed> => {parent_tid=[5717]}, 88) = 5717 [pid 5717] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5715] rt_sigprocmask(SIG_SETMASK, [], [pid 5717] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5715] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5715] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5717] <... futex resumed>) = 0 [pid 5715] <... futex resumed>) = 1 [pid 5717] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5717] write(4, "85", 2) = 2 [pid 5717] memfd_create("syzkaller", 0 [pid 5715] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5717] <... memfd_create resumed>) = 5 [pid 5717] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5716] munmap(0x7f793ef10000, 138412032) = 0 [pid 5716] close(3) = 0 [pid 5716] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 155.443651][ T5717] FAULT_INJECTION: forcing a failure. [ 155.443651][ T5717] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 155.457540][ T5717] CPU: 1 PID: 5717 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 155.467952][ T5717] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 155.478001][ T5717] Call Trace: [ 155.481270][ T5717] [ 155.484288][ T5717] dump_stack_lvl+0x1e7/0x2d0 [ 155.488981][ T5717] ? nf_tcp_handle_invalid+0x650/0x650 [ 155.494437][ T5717] ? panic+0x770/0x770 [ 155.498510][ T5717] should_fail_ex+0x3aa/0x4e0 [ 155.503188][ T5717] prepare_alloc_pages+0x1d9/0x5b0 [ 155.508316][ T5717] __alloc_pages+0x165/0x670 [ 155.512898][ T5717] ? zone_statistics+0x170/0x170 [ 155.517842][ T5717] ? verify_lock_unused+0x140/0x140 [ 155.523047][ T5717] ? handle_mm_fault+0x11d/0x62b0 [ 155.528087][ T5717] ? __lock_acquire+0x7f70/0x7f70 [ 155.534498][ T5717] ? pte_offset_map_nolock+0x137/0x1e0 [ 155.540034][ T5717] __folio_alloc+0x13/0x30 [ 155.544461][ T5717] vma_alloc_folio+0x48a/0x9a0 [ 155.549250][ T5717] handle_mm_fault+0x2376/0x62b0 [ 155.554187][ T5717] ? handle_mm_fault+0x11d/0x62b0 [ 155.559237][ T5717] ? numa_migrate_prep+0x380/0x380 [ 155.564371][ T5717] ? mtree_range_walk+0x6a0/0x7e0 [ 155.569395][ T5717] ? lock_vma_under_rcu+0x187/0x6f0 [ 155.574603][ T5717] ? __lock_acquire+0x7f70/0x7f70 [ 155.579661][ T5717] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 155.584952][ T5717] ? lock_vma_under_rcu+0x5df/0x6f0 [ 155.590155][ T5717] ? lock_vma_under_rcu+0x187/0x6f0 [ 155.595373][ T5717] ? exc_page_fault+0x10f/0x860 [ 155.600232][ T5717] exc_page_fault+0x455/0x860 [ 155.604909][ T5717] asm_exc_page_fault+0x26/0x30 [ 155.609751][ T5717] RIP: 0033:0x7f794735bc53 [ 155.614265][ T5717] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 155.633952][ T5717] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5716] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5717] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5717] munmap(0x7f7936b10000, 2097152) = 0 [pid 5717] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 155.640028][ T5717] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 155.648101][ T5717] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 155.656103][ T5717] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 155.664064][ T5717] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 155.672201][ T5717] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 155.680190][ T5717] [ 155.683518][ T5717] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5717] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5717] close(5) = 0 [pid 5717] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5717] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 155.718158][ T5717] loop0: detected capacity change from 0 to 4096 [ 155.737128][ T5717] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 155.744140][ T5717] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5717] ioctl(3, LOOP_CLR_FD) = 0 [pid 5717] close(3) = 0 [pid 5717] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5715] <... futex resumed>) = 0 [pid 5715] exit_group(0) = ? [pid 5716] <... futex resumed>) = ? [pid 5716] +++ exited with 0 +++ [pid 5717] +++ exited with 0 +++ [pid 5715] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5715, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./225", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./225", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./225/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./225/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./225/binderfs") = 0 umount2("\x2e\x2f\x32\x32\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x32\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x32\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x32\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x32\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./225") = 0 mkdir("./226", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5718 attached , child_tidptr=0x555555f17690) = 5718 [pid 5718] set_robust_list(0x555555f176a0, 24) = 0 [pid 5718] chdir("./226") = 0 [pid 5718] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5718] setpgid(0, 0) = 0 [pid 5718] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5718] write(3, "1000", 4) = 4 [pid 5718] close(3) = 0 [pid 5718] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5718] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5718] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5718] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5718] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5718] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5718] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5718] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5719]}, 88) = 5719 [pid 5718] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5718] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5718] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5718] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0./strace-static-x86_64: Process 5719 attached ) = 0x7f7947310000 [pid 5719] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5718] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5719] <... rseq resumed>) = 0 [pid 5718] <... mprotect resumed>) = 0 [pid 5719] set_robust_list(0x7f79473519a0, 24 [pid 5718] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5719] <... set_robust_list resumed>) = 0 [pid 5719] rt_sigprocmask(SIG_SETMASK, [], [pid 5718] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5719] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5718] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5720 attached [pid 5720] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5718] <... clone3 resumed> => {parent_tid=[5720]}, 88) = 5720 [pid 5720] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5718] rt_sigprocmask(SIG_SETMASK, [], [pid 5720] rt_sigprocmask(SIG_SETMASK, [], [pid 5719] memfd_create("syzkaller", 0 [pid 5718] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5719] <... memfd_create resumed>) = 3 [pid 5720] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5719] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5718] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5719] <... mmap resumed>) = 0x7f793ef10000 [pid 5718] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5720] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5720] write(4, "85", 2) = 2 [pid 5720] memfd_create("syzkaller", 0) = 5 [pid 5720] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5719] munmap(0x7f793ef10000, 138412032) = 0 [pid 5719] close(3) = 0 [pid 5719] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 155.876881][ T5720] FAULT_INJECTION: forcing a failure. [ 155.876881][ T5720] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 155.890568][ T5720] CPU: 0 PID: 5720 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 155.901016][ T5720] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 155.911060][ T5720] Call Trace: [ 155.914341][ T5720] [ 155.917264][ T5720] dump_stack_lvl+0x1e7/0x2d0 [ 155.921941][ T5720] ? nf_tcp_handle_invalid+0x650/0x650 [ 155.927404][ T5720] ? panic+0x770/0x770 [ 155.931468][ T5720] should_fail_ex+0x3aa/0x4e0 [ 155.936156][ T5720] prepare_alloc_pages+0x1d9/0x5b0 [ 155.941273][ T5720] __alloc_pages+0x165/0x670 [ 155.945868][ T5720] ? zone_statistics+0x170/0x170 [ 155.950821][ T5720] ? verify_lock_unused+0x140/0x140 [ 155.956015][ T5720] ? handle_mm_fault+0x11d/0x62b0 [ 155.961031][ T5720] ? __lock_acquire+0x7f70/0x7f70 [ 155.966057][ T5720] ? pte_offset_map_nolock+0x137/0x1e0 [ 155.971524][ T5720] __folio_alloc+0x13/0x30 [ 155.975936][ T5720] vma_alloc_folio+0x48a/0x9a0 [ 155.980716][ T5720] handle_mm_fault+0x2376/0x62b0 [ 155.985767][ T5720] ? handle_mm_fault+0x11d/0x62b0 [ 155.990907][ T5720] ? numa_migrate_prep+0x380/0x380 [ 155.996037][ T5720] ? mtree_range_walk+0x6a0/0x7e0 [ 156.001073][ T5720] ? lock_vma_under_rcu+0x187/0x6f0 [ 156.006262][ T5720] ? __lock_acquire+0x7f70/0x7f70 [ 156.011297][ T5720] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 156.016489][ T5720] ? lock_vma_under_rcu+0x5df/0x6f0 [ 156.022025][ T5720] ? lock_vma_under_rcu+0x187/0x6f0 [ 156.027223][ T5720] ? exc_page_fault+0x10f/0x860 [ 156.032059][ T5720] exc_page_fault+0x455/0x860 [ 156.036754][ T5720] asm_exc_page_fault+0x26/0x30 [ 156.041619][ T5720] RIP: 0033:0x7f794735bc53 [ 156.046023][ T5720] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 156.065631][ T5720] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5719] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5720] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5720] munmap(0x7f7936b10000, 2097152) = 0 [pid 5720] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 156.071695][ T5720] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 156.079656][ T5720] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 156.087618][ T5720] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 156.095591][ T5720] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 156.103551][ T5720] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 156.111520][ T5720] [ 156.115890][ T5720] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5720] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5720] close(5) = 0 [pid 5720] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5720] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 156.152893][ T5720] loop0: detected capacity change from 0 to 4096 [ 156.172208][ T5720] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 156.179324][ T5720] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5720] ioctl(3, LOOP_CLR_FD) = 0 [pid 5720] close(3) = 0 [pid 5720] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5718] <... futex resumed>) = 0 [pid 5718] exit_group(0 [pid 5720] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5719] <... futex resumed>) = ? [pid 5718] <... exit_group resumed>) = ? [pid 5720] +++ exited with 0 +++ [pid 5719] +++ exited with 0 +++ [pid 5718] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5718, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=10 /* 0.10 s */} --- umount2("./226", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./226", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./226/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./226/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./226/binderfs") = 0 umount2("\x2e\x2f\x32\x32\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x32\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x32\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x32\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x32\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./226") = 0 mkdir("./227", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5721 attached , child_tidptr=0x555555f17690) = 5721 [pid 5721] set_robust_list(0x555555f176a0, 24) = 0 [pid 5721] chdir("./227") = 0 [pid 5721] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5721] setpgid(0, 0) = 0 [pid 5721] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5721] write(3, "1000", 4) = 4 [pid 5721] close(3) = 0 [pid 5721] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5721] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5721] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5721] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5721] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5721] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5721] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5721] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5722 attached [pid 5722] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5721] <... clone3 resumed> => {parent_tid=[5722]}, 88) = 5722 [pid 5722] <... rseq resumed>) = 0 [pid 5722] set_robust_list(0x7f79473519a0, 24 [pid 5721] rt_sigprocmask(SIG_SETMASK, [], [pid 5722] <... set_robust_list resumed>) = 0 [pid 5722] rt_sigprocmask(SIG_SETMASK, [], [pid 5721] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5722] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5721] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5722] memfd_create("syzkaller", 0) = 3 [pid 5722] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5721] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5722] <... mmap resumed>) = 0x7f793ef31000 [pid 5721] <... futex resumed>) = 0 [pid 5721] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f793ef10000 [pid 5721] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5721] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5721] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5723 attached => {parent_tid=[5723]}, 88) = 5723 [pid 5723] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053) = 0 [pid 5723] set_robust_list(0x7f793ef309a0, 24) = 0 [pid 5723] rt_sigprocmask(SIG_SETMASK, [], [pid 5721] rt_sigprocmask(SIG_SETMASK, [], [pid 5723] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5723] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5721] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5721] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5723] <... futex resumed>) = 0 [pid 5721] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5723] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5723] write(4, "85", 2) = 2 [pid 5723] memfd_create("syzkaller", 0) = 5 [pid 5723] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5722] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 156.323660][ T5723] FAULT_INJECTION: forcing a failure. [ 156.323660][ T5723] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 156.337016][ T5723] CPU: 1 PID: 5723 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 156.347458][ T5723] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 156.357511][ T5723] Call Trace: [ 156.360798][ T5723] [ 156.363746][ T5723] dump_stack_lvl+0x1e7/0x2d0 [ 156.368434][ T5723] ? nf_tcp_handle_invalid+0x650/0x650 [ 156.373904][ T5723] ? panic+0x770/0x770 [ 156.377986][ T5723] should_fail_ex+0x3aa/0x4e0 [ 156.382668][ T5723] prepare_alloc_pages+0x1d9/0x5b0 [ 156.387903][ T5723] __alloc_pages+0x165/0x670 [ 156.392493][ T5723] ? zone_statistics+0x170/0x170 [ 156.397453][ T5723] ? verify_lock_unused+0x140/0x140 [ 156.402655][ T5723] ? handle_mm_fault+0x11d/0x62b0 [ 156.407677][ T5723] ? __lock_acquire+0x7f70/0x7f70 [ 156.412693][ T5723] ? pte_offset_map_nolock+0x137/0x1e0 [ 156.418324][ T5723] __folio_alloc+0x13/0x30 [ 156.422840][ T5723] vma_alloc_folio+0x48a/0x9a0 [ 156.427605][ T5723] handle_mm_fault+0x2376/0x62b0 [ 156.432550][ T5723] ? handle_mm_fault+0x11d/0x62b0 [ 156.437580][ T5723] ? numa_migrate_prep+0x380/0x380 [ 156.442697][ T5723] ? mtree_range_walk+0x6a0/0x7e0 [ 156.447912][ T5723] ? lock_vma_under_rcu+0x187/0x6f0 [ 156.453111][ T5723] ? __lock_acquire+0x7f70/0x7f70 [ 156.458145][ T5723] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 156.463352][ T5723] ? lock_vma_under_rcu+0x5df/0x6f0 [ 156.468581][ T5723] ? lock_vma_under_rcu+0x187/0x6f0 [ 156.473786][ T5723] ? exc_page_fault+0x10f/0x860 [ 156.478635][ T5723] exc_page_fault+0x455/0x860 [ 156.483314][ T5723] asm_exc_page_fault+0x26/0x30 [ 156.488181][ T5723] RIP: 0033:0x7f794735bc53 [ 156.492592][ T5723] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 156.512191][ T5723] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [pid 5722] munmap(0x7f793ef31000, 2097152) = 0 [pid 5722] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 156.518254][ T5723] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 156.526219][ T5723] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 156.534202][ T5723] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 156.542266][ T5723] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 156.550229][ T5723] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 156.558204][ T5723] [ 156.566117][ T5723] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5722] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5722] close(3) = 0 [pid 5722] mkdir("./file0", 0777) = 0 [pid 5722] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [ 156.566471][ T5722] loop0: detected capacity change from 0 to 4096 [ 156.588310][ T5722] __ntfs_error: 137 callbacks suppressed [ 156.588326][ T5722] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 156.605302][ T5722] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5723] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5723] munmap(0x7f7936b10000, 2097152) = 0 [pid 5723] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5723] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5723] ioctl(3, LOOP_CLR_FD) = 0 [pid 5723] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5723] close(3) = 0 [ 156.618830][ T5722] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 156.634189][ T5722] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 156.644245][ T5722] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 156.652320][ T5722] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [pid 5723] close(5) = 0 [pid 5723] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5721] <... futex resumed>) = 0 [pid 5723] <... futex resumed>) = 1 [ 156.665465][ T5722] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 156.686708][ T5722] ntfs: volume version 12.0. [ 156.692041][ T5722] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 156.701085][ T5722] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [pid 5723] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5722] <... mount resumed>) = 0 [pid 5722] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5722] chdir("./file0") = 0 [pid 5722] ioctl(6, LOOP_CLR_FD) = 0 [pid 5722] close(6) = 0 [pid 5722] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5721] exit_group(0 [pid 5723] <... futex resumed>) = ? [pid 5722] <... futex resumed>) = ? [pid 5721] <... exit_group resumed>) = ? [pid 5723] +++ exited with 0 +++ [pid 5722] +++ exited with 0 +++ [pid 5721] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5721, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=51 /* 0.51 s */} --- umount2("./227", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./227", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./227/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./227/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./227/binderfs") = 0 umount2("./227/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./227/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./227/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./227/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./227/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 [ 156.714599][ T5722] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. rmdir("./227/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./227") = 0 mkdir("./228", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5724 attached [pid 5724] set_robust_list(0x555555f176a0, 24 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5724 [pid 5724] <... set_robust_list resumed>) = 0 [pid 5724] chdir("./228") = 0 [pid 5724] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5724] setpgid(0, 0) = 0 [pid 5724] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5724] write(3, "1000", 4) = 4 [pid 5724] close(3) = 0 [pid 5724] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5724] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5724] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5724] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5724] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5724] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5724] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5724] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5725 attached => {parent_tid=[5725]}, 88) = 5725 [pid 5725] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5725] set_robust_list(0x7f79473519a0, 24 [pid 5724] rt_sigprocmask(SIG_SETMASK, [], [pid 5725] <... set_robust_list resumed>) = 0 [pid 5724] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5725] rt_sigprocmask(SIG_SETMASK, [], [pid 5724] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5725] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5724] <... futex resumed>) = 0 [pid 5725] memfd_create("syzkaller", 0 [pid 5724] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5725] <... memfd_create resumed>) = 3 [pid 5725] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef31000 [pid 5724] <... futex resumed>) = 0 [pid 5724] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f793ef10000 [pid 5724] mprotect(0x7f793ef11000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5724] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5724] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f793ef30990, parent_tid=0x7f793ef30990, exit_signal=0, stack=0x7f793ef10000, stack_size=0x20300, tls=0x7f793ef306c0}./strace-static-x86_64: Process 5726 attached [pid 5726] rseq(0x7f793ef30fe0, 0x20, 0, 0x53053053 [pid 5724] <... clone3 resumed> => {parent_tid=[5726]}, 88) = 5726 [pid 5726] <... rseq resumed>) = 0 [pid 5724] rt_sigprocmask(SIG_SETMASK, [], [pid 5726] set_robust_list(0x7f793ef309a0, 24 [pid 5724] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5726] <... set_robust_list resumed>) = 0 [pid 5724] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5726] rt_sigprocmask(SIG_SETMASK, [], [pid 5724] <... futex resumed>) = 0 [pid 5726] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5724] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5726] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5726] write(4, "85", 2) = 2 [pid 5726] memfd_create("syzkaller", 0) = 5 [pid 5726] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 156.821370][ T5726] FAULT_INJECTION: forcing a failure. [ 156.821370][ T5726] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 156.842758][ T5726] CPU: 1 PID: 5726 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 156.853219][ T5726] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 156.863296][ T5726] Call Trace: [ 156.866598][ T5726] [pid 5725] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 156.869545][ T5726] dump_stack_lvl+0x1e7/0x2d0 [ 156.874248][ T5726] ? nf_tcp_handle_invalid+0x650/0x650 [ 156.879819][ T5726] ? panic+0x770/0x770 [ 156.883908][ T5726] should_fail_ex+0x3aa/0x4e0 [ 156.888679][ T5726] prepare_alloc_pages+0x1d9/0x5b0 [ 156.894403][ T5726] __alloc_pages+0x165/0x670 [ 156.899279][ T5726] ? zone_statistics+0x170/0x170 [ 156.904407][ T5726] ? verify_lock_unused+0x140/0x140 [ 156.909618][ T5726] ? handle_mm_fault+0x11d/0x62b0 [ 156.914666][ T5726] ? __lock_acquire+0x7f70/0x7f70 [ 156.919712][ T5726] ? pte_offset_map_nolock+0x137/0x1e0 [ 156.925203][ T5726] __folio_alloc+0x13/0x30 [ 156.929630][ T5726] vma_alloc_folio+0x48a/0x9a0 [ 156.934404][ T5726] handle_mm_fault+0x2376/0x62b0 [ 156.939354][ T5726] ? handle_mm_fault+0x11d/0x62b0 [ 156.944910][ T5726] ? numa_migrate_prep+0x380/0x380 [ 156.950045][ T5726] ? mtree_range_walk+0x6a0/0x7e0 [ 156.955085][ T5726] ? lock_vma_under_rcu+0x187/0x6f0 [ 156.960311][ T5726] ? __lock_acquire+0x7f70/0x7f70 [ 156.965429][ T5726] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 156.970743][ T5726] ? lock_vma_under_rcu+0x5df/0x6f0 [ 156.975969][ T5726] ? lock_vma_under_rcu+0x187/0x6f0 [ 156.981179][ T5726] ? exc_page_fault+0x10f/0x860 [ 156.986036][ T5726] exc_page_fault+0x455/0x860 [ 156.990720][ T5726] asm_exc_page_fault+0x26/0x30 [ 156.995590][ T5726] RIP: 0033:0x7f794735bc53 [ 157.000008][ T5726] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [pid 5725] munmap(0x7f793ef31000, 2097152) = 0 [pid 5725] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 157.019787][ T5726] RSP: 002b:00007f793ef2f6b0 EFLAGS: 00010206 [ 157.025854][ T5726] RAX: 0000000000047000 RBX: 00007f793ef2f750 RCX: 00007f7936b10000 [ 157.033842][ T5726] RDX: 00007f793ef2f8f0 RSI: 000000000000002e RDI: 00007f793ef2f7f0 [ 157.041811][ T5726] RBP: 00000000000000e5 R08: 0000000000000009 R09: 0000000000000127 [ 157.049777][ T5726] R10: 0000000000000132 R11: 00007f793ef2f750 R12: 0000000000000001 [ 157.057833][ T5726] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f793ef2f7f0 [ 157.065911][ T5726] [pid 5725] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5725] close(3) = 0 [pid 5725] mkdir("./file0", 0777) = 0 [pid 5725] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5725] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5725] chdir("./file0") = 0 [pid 5726] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5725] ioctl(6, LOOP_CLR_FD) = 0 [pid 5725] close(6) = 0 [pid 5725] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5725] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5726] <... write resumed>) = 2097152 [pid 5726] munmap(0x7f7936b10000, 2097152) = 0 [pid 5726] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5726] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5726] ioctl(6, LOOP_CLR_FD) = 0 [pid 5726] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5726] close(6) = 0 [ 157.075508][ T5725] loop0: detected capacity change from 0 to 4096 [ 157.092571][ T5725] ntfs: volume version 12.0. [pid 5726] close(5) = 0 [pid 5726] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5724] <... futex resumed>) = 0 [pid 5724] exit_group(0) = ? [pid 5726] <... futex resumed>) = ? [pid 5726] +++ exited with 0 +++ [pid 5725] <... futex resumed>) = ? [pid 5725] +++ exited with 0 +++ [pid 5724] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5724, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=31 /* 0.31 s */} --- umount2("./228", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./228", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./228/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./228/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./228/binderfs") = 0 umount2("./228/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./228/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./228/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./228/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./228/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./228/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./228") = 0 mkdir("./229", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5727 ./strace-static-x86_64: Process 5727 attached [pid 5727] set_robust_list(0x555555f176a0, 24) = 0 [pid 5727] chdir("./229") = 0 [pid 5727] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5727] setpgid(0, 0) = 0 [pid 5727] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5727] write(3, "1000", 4) = 4 [pid 5727] close(3) = 0 [pid 5727] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5727] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5727] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5727] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5727] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5727] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5727] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5727] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5728]}, 88) = 5728 ./strace-static-x86_64: Process 5728 attached [pid 5727] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5727] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5727] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5727] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5728] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5727] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5728] <... rseq resumed>) = 0 [pid 5727] <... mprotect resumed>) = 0 [pid 5728] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5727] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5728] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5727] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5727] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5729 attached [pid 5729] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5727] <... clone3 resumed> => {parent_tid=[5729]}, 88) = 5729 [pid 5729] set_robust_list(0x7f79473309a0, 24 [pid 5727] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5727] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5727] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5729] <... set_robust_list resumed>) = 0 [pid 5728] memfd_create("syzkaller", 0 [pid 5729] rt_sigprocmask(SIG_SETMASK, [], [pid 5728] <... memfd_create resumed>) = 3 [pid 5729] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5728] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5729] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5728] <... mmap resumed>) = 0x7f793ef10000 [pid 5729] <... openat resumed>) = 4 [pid 5728] munmap(0x7f793ef10000, 138412032 [pid 5729] write(4, "85", 2 [pid 5728] <... munmap resumed>) = 0 [pid 5729] <... write resumed>) = 2 [pid 5728] close(3 [pid 5729] memfd_create("syzkaller", 0 [pid 5728] <... close resumed>) = 0 [pid 5729] <... memfd_create resumed>) = 3 [pid 5728] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5729] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5728] <... futex resumed>) = 0 [pid 5729] <... mmap resumed>) = 0x7f793ef10000 [ 157.210332][ T5729] FAULT_INJECTION: forcing a failure. [ 157.210332][ T5729] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 157.223932][ T5729] CPU: 0 PID: 5729 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 157.234435][ T5729] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 157.244493][ T5729] Call Trace: [ 157.247796][ T5729] [ 157.250808][ T5729] dump_stack_lvl+0x1e7/0x2d0 [ 157.255472][ T5729] ? nf_tcp_handle_invalid+0x650/0x650 [ 157.260918][ T5729] ? panic+0x770/0x770 [ 157.264977][ T5729] should_fail_ex+0x3aa/0x4e0 [ 157.269641][ T5729] prepare_alloc_pages+0x1d9/0x5b0 [ 157.274746][ T5729] __alloc_pages+0x165/0x670 [ 157.279326][ T5729] ? zone_statistics+0x170/0x170 [ 157.284255][ T5729] ? verify_lock_unused+0x140/0x140 [ 157.289483][ T5729] ? handle_mm_fault+0x11d/0x62b0 [ 157.294583][ T5729] ? __lock_acquire+0x7f70/0x7f70 [ 157.299680][ T5729] ? pte_offset_map_nolock+0x137/0x1e0 [ 157.305128][ T5729] __folio_alloc+0x13/0x30 [ 157.309530][ T5729] vma_alloc_folio+0x48a/0x9a0 [ 157.314284][ T5729] handle_mm_fault+0x2376/0x62b0 [ 157.319214][ T5729] ? handle_mm_fault+0x11d/0x62b0 [ 157.324230][ T5729] ? numa_migrate_prep+0x380/0x380 [ 157.329336][ T5729] ? mtree_range_walk+0x6a0/0x7e0 [ 157.334351][ T5729] ? lock_vma_under_rcu+0x187/0x6f0 [ 157.339536][ T5729] ? __lock_acquire+0x7f70/0x7f70 [ 157.344549][ T5729] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 157.349746][ T5729] ? lock_vma_under_rcu+0x5df/0x6f0 [ 157.354931][ T5729] ? lock_vma_under_rcu+0x187/0x6f0 [ 157.360125][ T5729] ? exc_page_fault+0x10f/0x860 [ 157.365052][ T5729] exc_page_fault+0x455/0x860 [ 157.369720][ T5729] asm_exc_page_fault+0x26/0x30 [ 157.374662][ T5729] RIP: 0033:0x7f794735bd00 [ 157.379065][ T5729] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 157.399351][ T5729] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5728] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5729] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5729] munmap(0x7f793ef10000, 2097152) = 0 [pid 5729] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 157.405410][ T5729] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 157.413454][ T5729] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 157.421407][ T5729] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 157.429363][ T5729] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 157.437319][ T5729] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 157.445281][ T5729] [pid 5729] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5729] close(3) = 0 [pid 5729] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5729] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5729] ioctl(5, LOOP_CLR_FD) = 0 [pid 5729] close(5) = 0 [pid 5729] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5729] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5727] <... futex resumed>) = 0 [pid 5727] exit_group(0 [pid 5729] <... futex resumed>) = ? [pid 5728] <... futex resumed>) = ? [pid 5727] <... exit_group resumed>) = ? [pid 5729] +++ exited with 0 +++ [pid 5728] +++ exited with 0 +++ [ 157.482381][ T5729] loop0: detected capacity change from 0 to 4096 [ 157.500997][ T5729] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 157.508065][ T5729] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5727] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5727, si_uid=0, si_status=0, si_utime=0, si_stime=8 /* 0.08 s */} --- umount2("./229", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./229", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./229/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./229/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./229/binderfs") = 0 umount2("\x2e\x2f\x32\x32\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x32\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x32\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x32\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x32\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./229") = 0 mkdir("./230", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5730 attached , child_tidptr=0x555555f17690) = 5730 [pid 5730] set_robust_list(0x555555f176a0, 24) = 0 [pid 5730] chdir("./230") = 0 [pid 5730] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5730] setpgid(0, 0) = 0 [pid 5730] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5730] write(3, "1000", 4) = 4 [pid 5730] close(3) = 0 [pid 5730] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5730] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5730] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5730] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5730] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5730] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5730] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5730] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5731 attached [pid 5731] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5730] <... clone3 resumed> => {parent_tid=[5731]}, 88) = 5731 [pid 5731] <... rseq resumed>) = 0 [pid 5730] rt_sigprocmask(SIG_SETMASK, [], [pid 5731] set_robust_list(0x7f79473519a0, 24 [pid 5730] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5731] <... set_robust_list resumed>) = 0 [pid 5730] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5731] rt_sigprocmask(SIG_SETMASK, [], [pid 5730] <... futex resumed>) = 0 [pid 5731] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5730] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5730] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5730] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5731] memfd_create("syzkaller", 0 [pid 5730] <... mprotect resumed>) = 0 [pid 5730] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5731] <... memfd_create resumed>) = 3 [pid 5730] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5731] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 ./strace-static-x86_64: Process 5732 attached [pid 5730] <... clone3 resumed> => {parent_tid=[5732]}, 88) = 5732 [pid 5732] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5730] rt_sigprocmask(SIG_SETMASK, [], [pid 5732] <... rseq resumed>) = 0 [pid 5730] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5732] set_robust_list(0x7f79473309a0, 24 [pid 5730] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5732] <... set_robust_list resumed>) = 0 [pid 5732] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5730] <... futex resumed>) = 0 [pid 5730] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5732] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5732] write(4, "85", 2) = 2 [pid 5732] memfd_create("syzkaller", 0) = 5 [pid 5732] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5731] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 157.631171][ T5732] FAULT_INJECTION: forcing a failure. [ 157.631171][ T5732] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 157.644598][ T5732] CPU: 0 PID: 5732 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 157.655038][ T5732] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 157.665124][ T5732] Call Trace: [ 157.668403][ T5732] [ 157.671343][ T5732] dump_stack_lvl+0x1e7/0x2d0 [ 157.676033][ T5732] ? nf_tcp_handle_invalid+0x650/0x650 [ 157.681515][ T5732] ? panic+0x770/0x770 [ 157.685587][ T5732] should_fail_ex+0x3aa/0x4e0 [ 157.690263][ T5732] prepare_alloc_pages+0x1d9/0x5b0 [ 157.695381][ T5732] __alloc_pages+0x165/0x670 [ 157.699988][ T5732] ? zone_statistics+0x170/0x170 [ 157.704917][ T5732] ? verify_lock_unused+0x140/0x140 [ 157.710328][ T5732] ? handle_mm_fault+0x11d/0x62b0 [ 157.715364][ T5732] ? __lock_acquire+0x7f70/0x7f70 [ 157.720373][ T5732] ? pte_offset_map_nolock+0x137/0x1e0 [ 157.725824][ T5732] __folio_alloc+0x13/0x30 [ 157.730239][ T5732] vma_alloc_folio+0x48a/0x9a0 [ 157.735092][ T5732] handle_mm_fault+0x2376/0x62b0 [ 157.740132][ T5732] ? handle_mm_fault+0x11d/0x62b0 [ 157.745171][ T5732] ? numa_migrate_prep+0x380/0x380 [ 157.750382][ T5732] ? mtree_range_walk+0x6a0/0x7e0 [ 157.755398][ T5732] ? lock_vma_under_rcu+0x187/0x6f0 [ 157.760688][ T5732] ? __lock_acquire+0x7f70/0x7f70 [ 157.765698][ T5732] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 157.770900][ T5732] ? lock_vma_under_rcu+0x5df/0x6f0 [ 157.776110][ T5732] ? lock_vma_under_rcu+0x187/0x6f0 [ 157.781320][ T5732] ? exc_page_fault+0x10f/0x860 [ 157.786182][ T5732] exc_page_fault+0x455/0x860 [ 157.790956][ T5732] asm_exc_page_fault+0x26/0x30 [ 157.795821][ T5732] RIP: 0033:0x7f794735bc53 [ 157.800226][ T5732] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 157.819824][ T5732] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 157.825892][ T5732] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 157.833870][ T5732] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 157.841830][ T5732] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 157.849788][ T5732] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 157.857776][ T5732] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 157.865793][ T5732] [ 157.869692][ T5732] pagefault_out_of_memory: 2 callbacks suppressed [pid 5731] munmap(0x7f793ef10000, 2097152) = 0 [pid 5731] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5731] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5731] close(3) = 0 [pid 5731] mkdir("./file0", 0777) = 0 [pid 5731] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5732] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5731] <... mount resumed>) = 0 [pid 5731] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5731] chdir("./file0") = 0 [pid 5731] ioctl(6, LOOP_CLR_FD) = 0 [pid 5731] close(6) = 0 [pid 5731] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5731] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5732] <... write resumed>) = 2097152 [pid 5732] munmap(0x7f7936b10000, 2097152) = 0 [pid 5732] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5732] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5732] ioctl(6, LOOP_CLR_FD) = 0 [pid 5732] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5732] close(6) = 0 [ 157.869706][ T5732] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 157.887329][ T5731] loop0: detected capacity change from 0 to 4096 [ 157.901327][ T5731] ntfs: volume version 12.0. [pid 5732] close(5) = 0 [pid 5732] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5730] <... futex resumed>) = 0 [pid 5732] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5730] exit_group(0) = ? [pid 5732] <... futex resumed>) = ? [pid 5732] +++ exited with 0 +++ [pid 5731] <... futex resumed>) = ? [pid 5731] +++ exited with 0 +++ [pid 5730] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5730, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=15 /* 0.15 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./230", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./230", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./230/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./230/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./230/binderfs") = 0 umount2("./230/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./230/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./230/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./230/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./230/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./230/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./230") = 0 mkdir("./231", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5733 attached , child_tidptr=0x555555f17690) = 5733 [pid 5733] set_robust_list(0x555555f176a0, 24) = 0 [pid 5733] chdir("./231") = 0 [pid 5733] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5733] setpgid(0, 0) = 0 [pid 5733] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5733] write(3, "1000", 4) = 4 [pid 5733] close(3) = 0 [pid 5733] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5733] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5733] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5733] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5733] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5733] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5733] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5733] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5734]}, 88) = 5734 [pid 5733] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5733] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5733] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5733] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5733] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5733] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5733] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5735 attached [pid 5735] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5733] <... clone3 resumed> => {parent_tid=[5735]}, 88) = 5735 [pid 5735] set_robust_list(0x7f79473309a0, 24 [pid 5733] rt_sigprocmask(SIG_SETMASK, [], [pid 5735] <... set_robust_list resumed>) = 0 [pid 5733] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5735] rt_sigprocmask(SIG_SETMASK, [], [pid 5733] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5735] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5733] <... futex resumed>) = 0 ./strace-static-x86_64: Process 5734 attached [pid 5735] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5733] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5735] <... openat resumed>) = 3 [pid 5735] write(3, "85", 2) = 2 [pid 5735] memfd_create("syzkaller", 0) = 4 [pid 5735] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5734] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5734] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5734] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5734] memfd_create("syzkaller", 0) = 5 [ 158.032416][ T5735] FAULT_INJECTION: forcing a failure. [ 158.032416][ T5735] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 158.045971][ T5735] CPU: 1 PID: 5735 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 158.056584][ T5735] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 158.066730][ T5735] Call Trace: [ 158.069999][ T5735] [ 158.072917][ T5735] dump_stack_lvl+0x1e7/0x2d0 [ 158.077591][ T5735] ? nf_tcp_handle_invalid+0x650/0x650 [ 158.083044][ T5735] ? panic+0x770/0x770 [ 158.087135][ T5735] should_fail_ex+0x3aa/0x4e0 [ 158.091819][ T5735] prepare_alloc_pages+0x1d9/0x5b0 [ 158.096937][ T5735] __alloc_pages+0x165/0x670 [ 158.101526][ T5735] ? zone_statistics+0x170/0x170 [ 158.106468][ T5735] ? verify_lock_unused+0x140/0x140 [ 158.111661][ T5735] ? handle_mm_fault+0x11d/0x62b0 [ 158.116683][ T5735] ? __lock_acquire+0x7f70/0x7f70 [ 158.121699][ T5735] ? pte_offset_map_nolock+0x137/0x1e0 [ 158.127508][ T5735] __folio_alloc+0x13/0x30 [ 158.131922][ T5735] vma_alloc_folio+0x48a/0x9a0 [ 158.136690][ T5735] handle_mm_fault+0x2376/0x62b0 [ 158.141635][ T5735] ? handle_mm_fault+0x11d/0x62b0 [ 158.146664][ T5735] ? numa_migrate_prep+0x380/0x380 [ 158.151780][ T5735] ? mtree_range_walk+0x6a0/0x7e0 [ 158.156803][ T5735] ? lock_vma_under_rcu+0x187/0x6f0 [ 158.162006][ T5735] ? __lock_acquire+0x7f70/0x7f70 [ 158.167024][ T5735] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 158.172233][ T5735] ? lock_vma_under_rcu+0x5df/0x6f0 [ 158.177430][ T5735] ? lock_vma_under_rcu+0x187/0x6f0 [ 158.182646][ T5735] ? exc_page_fault+0x10f/0x860 [ 158.187513][ T5735] exc_page_fault+0x455/0x860 [ 158.192192][ T5735] asm_exc_page_fault+0x26/0x30 [ 158.197037][ T5735] RIP: 0033:0x7f794735bc53 [ 158.201465][ T5735] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 158.221068][ T5735] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5734] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5735] munmap(0x7f793ef10000, 138412032) = 0 [pid 5735] close(4) = 0 [pid 5735] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5733] <... futex resumed>) = 0 [pid 5735] <... futex resumed>) = 1 [pid 5735] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 158.227131][ T5735] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 158.235101][ T5735] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 158.243068][ T5735] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 158.251030][ T5735] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 158.258998][ T5735] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 158.266979][ T5735] [ 158.271486][ T5735] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5734] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5734] munmap(0x7f7936b10000, 2097152) = 0 [pid 5734] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5734] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5734] close(5) = 0 [pid 5734] mkdir("./file0", 0777) = 0 [pid 5734] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5734] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5734] chdir("./file0") = 0 [pid 5734] ioctl(4, LOOP_CLR_FD) = 0 [pid 5734] close(4) = 0 [pid 5734] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5733] exit_group(0 [pid 5735] <... futex resumed>) = ? [pid 5733] <... exit_group resumed>) = ? [pid 5735] +++ exited with 0 +++ [pid 5734] <... futex resumed>) = ? [pid 5734] +++ exited with 0 +++ [pid 5733] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5733, si_uid=0, si_status=0, si_utime=0, si_stime=13 /* 0.13 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./231", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./231", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./231/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./231/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./231/binderfs") = 0 [ 158.323881][ T5734] loop0: detected capacity change from 0 to 4096 [ 158.338407][ T5734] ntfs: volume version 12.0. umount2("./231/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./231/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./231/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./231/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./231/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./231/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./231") = 0 mkdir("./232", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5736 attached , child_tidptr=0x555555f17690) = 5736 [pid 5736] set_robust_list(0x555555f176a0, 24) = 0 [pid 5736] chdir("./232") = 0 [pid 5736] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5736] setpgid(0, 0) = 0 [pid 5736] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5736] write(3, "1000", 4) = 4 [pid 5736] close(3) = 0 [pid 5736] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5736] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5736] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5736] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5736] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5736] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5736] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5736] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5737]}, 88) = 5737 ./strace-static-x86_64: Process 5737 attached [pid 5736] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5736] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5736] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5736] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5736] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5737] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5737] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5736] <... mprotect resumed>) = 0 [pid 5737] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5736] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5737] memfd_create("syzkaller", 0 [pid 5736] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5736] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5737] <... memfd_create resumed>) = 3 [pid 5737] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5736] <... clone3 resumed> => {parent_tid=[5738]}, 88) = 5738 [pid 5737] <... mmap resumed>) = 0x7f793ef10000 [pid 5736] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5736] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5738 attached ) = 0 [pid 5738] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5736] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5738] <... rseq resumed>) = 0 [pid 5738] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5738] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5738] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5737] munmap(0x7f793ef10000, 138412032) = 0 [pid 5737] close(3) = 0 [pid 5737] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5737] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5738] <... openat resumed>) = 4 [pid 5738] write(4, "85", 2) = 2 [pid 5738] memfd_create("syzkaller", 0) = 3 [pid 5738] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 158.447690][ T5738] FAULT_INJECTION: forcing a failure. [ 158.447690][ T5738] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 158.461338][ T5738] CPU: 1 PID: 5738 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 158.471765][ T5738] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 158.481818][ T5738] Call Trace: [ 158.485102][ T5738] [ 158.488042][ T5738] dump_stack_lvl+0x1e7/0x2d0 [ 158.492740][ T5738] ? nf_tcp_handle_invalid+0x650/0x650 [ 158.498192][ T5738] ? panic+0x770/0x770 [ 158.502273][ T5738] should_fail_ex+0x3aa/0x4e0 [ 158.506960][ T5738] prepare_alloc_pages+0x1d9/0x5b0 [ 158.512071][ T5738] __alloc_pages+0x165/0x670 [ 158.516664][ T5738] ? zone_statistics+0x170/0x170 [ 158.521628][ T5738] ? verify_lock_unused+0x140/0x140 [ 158.526824][ T5738] ? handle_mm_fault+0x11d/0x62b0 [ 158.531845][ T5738] ? __lock_acquire+0x7f70/0x7f70 [ 158.536862][ T5738] ? pte_offset_map_nolock+0x137/0x1e0 [ 158.542318][ T5738] __folio_alloc+0x13/0x30 [ 158.546735][ T5738] vma_alloc_folio+0x48a/0x9a0 [ 158.551503][ T5738] handle_mm_fault+0x2376/0x62b0 [ 158.556448][ T5738] ? handle_mm_fault+0x11d/0x62b0 [ 158.561577][ T5738] ? numa_migrate_prep+0x380/0x380 [ 158.566784][ T5738] ? mtree_range_walk+0x6a0/0x7e0 [ 158.571809][ T5738] ? lock_vma_under_rcu+0x187/0x6f0 [ 158.577197][ T5738] ? __lock_acquire+0x7f70/0x7f70 [ 158.582214][ T5738] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 158.587510][ T5738] ? lock_vma_under_rcu+0x5df/0x6f0 [ 158.592706][ T5738] ? lock_vma_under_rcu+0x187/0x6f0 [ 158.597913][ T5738] ? exc_page_fault+0x10f/0x860 [ 158.602762][ T5738] exc_page_fault+0x455/0x860 [ 158.607440][ T5738] asm_exc_page_fault+0x26/0x30 [ 158.612286][ T5738] RIP: 0033:0x7f794735bd00 [ 158.616714][ T5738] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 158.636314][ T5738] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5738] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5738] munmap(0x7f793ef10000, 2097152) = 0 [pid 5738] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 158.642376][ T5738] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 158.650343][ T5738] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 158.658305][ T5738] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 158.666273][ T5738] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 158.674239][ T5738] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 158.682353][ T5738] [ 158.685931][ T5738] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5738] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5738] close(3) = 0 [pid 5738] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5738] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 158.727168][ T5738] loop0: detected capacity change from 0 to 4096 [ 158.745288][ T5738] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 158.752450][ T5738] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5738] ioctl(5, LOOP_CLR_FD) = 0 [pid 5738] close(5) = 0 [pid 5738] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5736] <... futex resumed>) = 0 [pid 5736] exit_group(0 [pid 5738] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5736] <... exit_group resumed>) = ? [pid 5738] <... futex resumed>) = ? [pid 5737] <... futex resumed>) = ? [pid 5737] +++ exited with 0 +++ [pid 5738] +++ exited with 0 +++ [pid 5736] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5736, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./232", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./232", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./232/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./232/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./232/binderfs") = 0 umount2("\x2e\x2f\x32\x33\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x33\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x33\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x33\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x33\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./232") = 0 mkdir("./233", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5739 attached , child_tidptr=0x555555f17690) = 5739 [pid 5739] set_robust_list(0x555555f176a0, 24) = 0 [pid 5739] chdir("./233") = 0 [pid 5739] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5739] setpgid(0, 0) = 0 [pid 5739] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5739] write(3, "1000", 4) = 4 [pid 5739] close(3) = 0 [pid 5739] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5739] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5739] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5739] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5739] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5739] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5739] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5739] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5740]}, 88) = 5740 [pid 5739] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5739] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5739] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5739] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5739] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5739] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5739] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5741 attached [pid 5741] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5739] <... clone3 resumed> => {parent_tid=[5741]}, 88) = 5741 [pid 5741] <... rseq resumed>) = 0 [pid 5739] rt_sigprocmask(SIG_SETMASK, [], [pid 5741] set_robust_list(0x7f79473309a0, 24 [pid 5739] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5741] <... set_robust_list resumed>) = 0 [pid 5741] rt_sigprocmask(SIG_SETMASK, [], [pid 5739] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5741] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5739] <... futex resumed>) = 0 [pid 5741] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5739] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5740 attached [pid 5740] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5740] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5741] <... openat resumed>) = 3 [pid 5740] rt_sigprocmask(SIG_SETMASK, [], [pid 5741] write(3, "85", 2 [pid 5740] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5741] <... write resumed>) = 2 [pid 5741] memfd_create("syzkaller", 0) = 4 [pid 5741] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5740] memfd_create("syzkaller", 0) = 5 [pid 5740] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 158.871599][ T5741] FAULT_INJECTION: forcing a failure. [ 158.871599][ T5741] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 158.886394][ T5741] CPU: 0 PID: 5741 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 158.896930][ T5741] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 158.906989][ T5741] Call Trace: [ 158.910271][ T5741] [ 158.913198][ T5741] dump_stack_lvl+0x1e7/0x2d0 [ 158.917906][ T5741] ? nf_tcp_handle_invalid+0x650/0x650 [ 158.923537][ T5741] ? panic+0x770/0x770 [ 158.927611][ T5741] should_fail_ex+0x3aa/0x4e0 [ 158.932291][ T5741] prepare_alloc_pages+0x1d9/0x5b0 [ 158.937407][ T5741] __alloc_pages+0x165/0x670 [ 158.942089][ T5741] ? zone_statistics+0x170/0x170 [ 158.947043][ T5741] ? verify_lock_unused+0x140/0x140 [ 158.952415][ T5741] ? handle_mm_fault+0x11d/0x62b0 [ 158.957459][ T5741] ? __lock_acquire+0x7f70/0x7f70 [ 158.962491][ T5741] ? pte_offset_map_nolock+0x137/0x1e0 [ 158.968001][ T5741] __folio_alloc+0x13/0x30 [ 158.972440][ T5741] vma_alloc_folio+0x48a/0x9a0 [ 158.977240][ T5741] handle_mm_fault+0x2376/0x62b0 [ 158.982231][ T5741] ? handle_mm_fault+0x11d/0x62b0 [ 158.987488][ T5741] ? numa_migrate_prep+0x380/0x380 [ 158.992632][ T5741] ? mtree_range_walk+0x6a0/0x7e0 [ 158.997664][ T5741] ? lock_vma_under_rcu+0x187/0x6f0 [ 159.002864][ T5741] ? __lock_acquire+0x7f70/0x7f70 [ 159.007974][ T5741] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 159.013213][ T5741] ? lock_vma_under_rcu+0x5df/0x6f0 [ 159.018423][ T5741] ? lock_vma_under_rcu+0x187/0x6f0 [ 159.023723][ T5741] ? exc_page_fault+0x10f/0x860 [ 159.028605][ T5741] exc_page_fault+0x455/0x860 [ 159.033301][ T5741] asm_exc_page_fault+0x26/0x30 [ 159.038208][ T5741] RIP: 0033:0x7f794735bc53 [ 159.042648][ T5741] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 159.062263][ T5741] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5741] munmap(0x7f793ef10000, 138412032) = 0 [pid 5741] close(4) = 0 [pid 5741] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5739] <... futex resumed>) = 0 [pid 5741] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 159.068339][ T5741] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 159.076407][ T5741] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 159.084381][ T5741] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 159.092384][ T5741] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 159.100358][ T5741] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 159.108338][ T5741] [ 159.111698][ T5741] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5740] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5740] munmap(0x7f7936b10000, 2097152) = 0 [pid 5740] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5740] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5740] close(5) = 0 [pid 5740] mkdir("./file0", 0777) = 0 [pid 5740] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5740] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5740] chdir("./file0") = 0 [pid 5740] ioctl(4, LOOP_CLR_FD) = 0 [pid 5740] close(4) = 0 [pid 5740] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5739] exit_group(0 [pid 5741] <... futex resumed>) = ? [pid 5740] <... futex resumed>) = ? [pid 5739] <... exit_group resumed>) = ? [pid 5740] +++ exited with 0 +++ [pid 5741] +++ exited with 0 +++ [pid 5739] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5739, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=32 /* 0.32 s */} --- umount2("./233", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./233", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./233/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./233/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./233/binderfs") = 0 umount2("./233/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./233/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./233/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./233/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./233/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./233/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./233") = 0 mkdir("./234", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 [ 159.161192][ T5740] loop0: detected capacity change from 0 to 4096 [ 159.174821][ T5740] ntfs: volume version 12.0. close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5742 attached , child_tidptr=0x555555f17690) = 5742 [pid 5742] set_robust_list(0x555555f176a0, 24) = 0 [pid 5742] chdir("./234") = 0 [pid 5742] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5742] setpgid(0, 0) = 0 [pid 5742] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5742] write(3, "1000", 4) = 4 [pid 5742] close(3) = 0 [pid 5742] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5742] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5742] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5742] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5742] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5742] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5742] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5742] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5743]}, 88) = 5743 [pid 5742] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5742] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5742] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5742] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5742] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 ./strace-static-x86_64: Process 5743 attached [pid 5742] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5742] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5744 attached => {parent_tid=[5744]}, 88) = 5744 [pid 5744] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5742] rt_sigprocmask(SIG_SETMASK, [], [pid 5744] set_robust_list(0x7f79473309a0, 24 [pid 5742] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5744] <... set_robust_list resumed>) = 0 [pid 5742] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5744] rt_sigprocmask(SIG_SETMASK, [], [pid 5742] <... futex resumed>) = 0 [pid 5744] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5742] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5744] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5743] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5743] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5743] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5744] <... openat resumed>) = 3 [pid 5744] write(3, "85", 2) = 2 [pid 5744] memfd_create("syzkaller", 0 [pid 5743] memfd_create("syzkaller", 0 [pid 5744] <... memfd_create resumed>) = 4 [pid 5744] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5743] <... memfd_create resumed>) = 5 [pid 5743] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 159.260315][ T5744] FAULT_INJECTION: forcing a failure. [ 159.260315][ T5744] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 159.274495][ T5744] CPU: 1 PID: 5744 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 159.284941][ T5744] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 159.294998][ T5744] Call Trace: [ 159.298272][ T5744] [ 159.301196][ T5744] dump_stack_lvl+0x1e7/0x2d0 [ 159.305877][ T5744] ? nf_tcp_handle_invalid+0x650/0x650 [ 159.311330][ T5744] ? panic+0x770/0x770 [ 159.315400][ T5744] should_fail_ex+0x3aa/0x4e0 [ 159.320102][ T5744] prepare_alloc_pages+0x1d9/0x5b0 [ 159.325217][ T5744] __alloc_pages+0x165/0x670 [ 159.329808][ T5744] ? zone_statistics+0x170/0x170 [ 159.334755][ T5744] ? verify_lock_unused+0x140/0x140 [ 159.340039][ T5744] ? handle_mm_fault+0x11d/0x62b0 [ 159.345089][ T5744] ? __lock_acquire+0x7f70/0x7f70 [ 159.350219][ T5744] ? pte_offset_map_nolock+0x137/0x1e0 [ 159.355694][ T5744] __folio_alloc+0x13/0x30 [ 159.360116][ T5744] vma_alloc_folio+0x48a/0x9a0 [ 159.364902][ T5744] handle_mm_fault+0x2376/0x62b0 [ 159.369867][ T5744] ? handle_mm_fault+0x11d/0x62b0 [ 159.374916][ T5744] ? numa_migrate_prep+0x380/0x380 [ 159.380063][ T5744] ? mtree_range_walk+0x6a0/0x7e0 [ 159.385098][ T5744] ? lock_vma_under_rcu+0x187/0x6f0 [ 159.390302][ T5744] ? __lock_acquire+0x7f70/0x7f70 [ 159.395347][ T5744] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 159.400602][ T5744] ? lock_vma_under_rcu+0x5df/0x6f0 [ 159.405815][ T5744] ? lock_vma_under_rcu+0x187/0x6f0 [ 159.411025][ T5744] ? exc_page_fault+0x10f/0x860 [ 159.415966][ T5744] exc_page_fault+0x455/0x860 [ 159.420668][ T5744] asm_exc_page_fault+0x26/0x30 [ 159.425514][ T5744] RIP: 0033:0x7f794735bc53 [ 159.429922][ T5744] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 159.449621][ T5744] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [ 159.455682][ T5744] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 159.463679][ T5744] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 159.471645][ T5744] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 159.479634][ T5744] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 159.487620][ T5744] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 159.495694][ T5744] [pid 5743] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5744] munmap(0x7f793ef10000, 138412032) = 0 [pid 5744] close(4) = 0 [pid 5744] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5742] <... futex resumed>) = 0 [pid 5744] <... futex resumed>) = 1 [pid 5744] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5743] <... write resumed>) = 2097152 [pid 5743] munmap(0x7f7936b10000, 2097152) = 0 [pid 5743] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 159.504844][ T5744] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5743] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5743] close(5) = 0 [pid 5743] mkdir("./file0", 0777) = 0 [pid 5743] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5743] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5743] chdir("./file0") = 0 [pid 5743] ioctl(4, LOOP_CLR_FD) = 0 [pid 5743] close(4) = 0 [pid 5743] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5743] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5742] exit_group(0 [pid 5743] <... futex resumed>) = ? [pid 5743] +++ exited with 0 +++ [pid 5744] <... futex resumed>) = ? [pid 5744] +++ exited with 0 +++ [pid 5742] <... exit_group resumed>) = ? [pid 5742] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5742, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./234", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./234", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./234/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./234/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./234/binderfs") = 0 umount2("./234/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./234/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./234/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./234/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./234/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./234/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./234") = 0 mkdir("./235", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 [ 159.549069][ T5743] loop0: detected capacity change from 0 to 4096 [ 159.561928][ T5743] ntfs: volume version 12.0. close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5745 attached , child_tidptr=0x555555f17690) = 5745 [pid 5745] set_robust_list(0x555555f176a0, 24) = 0 [pid 5745] chdir("./235") = 0 [pid 5745] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5745] setpgid(0, 0) = 0 [pid 5745] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5745] write(3, "1000", 4) = 4 [pid 5745] close(3) = 0 [pid 5745] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5745] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5745] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5745] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5745] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5745] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5745] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5745] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5746 attached => {parent_tid=[5746]}, 88) = 5746 [pid 5745] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5745] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5745] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5745] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5745] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5745] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5745] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5746] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053./strace-static-x86_64: Process 5747 attached ) = 0 [pid 5745] <... clone3 resumed> => {parent_tid=[5747]}, 88) = 5747 [pid 5746] set_robust_list(0x7f79473519a0, 24 [pid 5747] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5746] <... set_robust_list resumed>) = 0 [pid 5745] rt_sigprocmask(SIG_SETMASK, [], [pid 5746] rt_sigprocmask(SIG_SETMASK, [], [pid 5747] <... rseq resumed>) = 0 [pid 5746] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5745] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5747] set_robust_list(0x7f79473309a0, 24 [pid 5745] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5747] <... set_robust_list resumed>) = 0 [pid 5745] <... futex resumed>) = 0 [pid 5747] rt_sigprocmask(SIG_SETMASK, [], [pid 5745] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5747] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5747] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5746] memfd_create("syzkaller", 0) = 3 [pid 5746] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5746] munmap(0x7f793ef10000, 138412032) = 0 [pid 5746] close(3 [pid 5747] <... openat resumed>) = 4 [pid 5746] <... close resumed>) = 0 [pid 5746] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5747] write(4, "85", 2 [pid 5746] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5747] <... write resumed>) = 2 [pid 5747] memfd_create("syzkaller", 0) = 3 [pid 5747] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 159.661280][ T5747] FAULT_INJECTION: forcing a failure. [ 159.661280][ T5747] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 159.674641][ T5747] CPU: 1 PID: 5747 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 159.685231][ T5747] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 159.695335][ T5747] Call Trace: [ 159.698606][ T5747] [ 159.701526][ T5747] dump_stack_lvl+0x1e7/0x2d0 [ 159.706205][ T5747] ? nf_tcp_handle_invalid+0x650/0x650 [ 159.711662][ T5747] ? panic+0x770/0x770 [ 159.715764][ T5747] should_fail_ex+0x3aa/0x4e0 [ 159.720453][ T5747] prepare_alloc_pages+0x1d9/0x5b0 [ 159.725581][ T5747] __alloc_pages+0x165/0x670 [ 159.730210][ T5747] ? zone_statistics+0x170/0x170 [ 159.735152][ T5747] ? verify_lock_unused+0x140/0x140 [ 159.740373][ T5747] ? handle_mm_fault+0x11d/0x62b0 [ 159.745416][ T5747] ? __lock_acquire+0x7f70/0x7f70 [ 159.750494][ T5747] ? pte_offset_map_nolock+0x137/0x1e0 [ 159.756006][ T5747] __folio_alloc+0x13/0x30 [ 159.760430][ T5747] vma_alloc_folio+0x48a/0x9a0 [ 159.765210][ T5747] handle_mm_fault+0x2376/0x62b0 [ 159.770191][ T5747] ? handle_mm_fault+0x11d/0x62b0 [ 159.775234][ T5747] ? numa_migrate_prep+0x380/0x380 [ 159.780359][ T5747] ? mtree_range_walk+0x6a0/0x7e0 [ 159.785387][ T5747] ? lock_vma_under_rcu+0x187/0x6f0 [ 159.790582][ T5747] ? __lock_acquire+0x7f70/0x7f70 [ 159.795665][ T5747] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 159.800868][ T5747] ? lock_vma_under_rcu+0x5df/0x6f0 [ 159.806061][ T5747] ? lock_vma_under_rcu+0x187/0x6f0 [ 159.811279][ T5747] ? exc_page_fault+0x10f/0x860 [ 159.816140][ T5747] exc_page_fault+0x455/0x860 [ 159.820816][ T5747] asm_exc_page_fault+0x26/0x30 [ 159.825658][ T5747] RIP: 0033:0x7f794735bd00 [ 159.830064][ T5747] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 159.849695][ T5747] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5747] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2106600) = 2106600 [pid 5747] munmap(0x7f793ef10000, 2106600) = 0 [pid 5747] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 159.855799][ T5747] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 159.863787][ T5747] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 159.871771][ T5747] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 159.879822][ T5747] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 159.887787][ T5747] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 159.895776][ T5747] [ 159.899406][ T5747] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5747] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5747] close(3) = 0 [pid 5747] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5747] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 159.938567][ T5747] loop0: detected capacity change from 0 to 4114 [ 159.955325][ T5747] ntfs3: loop0: failed to replay log file. Can't mount rw! [pid 5747] ioctl(5, LOOP_CLR_FD) = 0 [pid 5747] close(5) = 0 [pid 5747] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5745] <... futex resumed>) = 0 [pid 5745] exit_group(0) = ? [pid 5746] <... futex resumed>) = ? [pid 5746] +++ exited with 0 +++ [pid 5747] +++ exited with 0 +++ [pid 5745] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5745, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./235", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./235", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./235/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./235/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./235/binderfs") = 0 umount2("\x2e\x2f\x32\x33\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x33\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x33\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x33\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x33\x35\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./235") = 0 mkdir("./236", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5748 attached , child_tidptr=0x555555f17690) = 5748 [pid 5748] set_robust_list(0x555555f176a0, 24) = 0 [pid 5748] chdir("./236") = 0 [pid 5748] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5748] setpgid(0, 0) = 0 [pid 5748] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5748] write(3, "1000", 4) = 4 [pid 5748] close(3) = 0 [pid 5748] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5748] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5748] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5748] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5748] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5748] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5748] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5748] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5749 attached => {parent_tid=[5749]}, 88) = 5749 [pid 5749] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5748] rt_sigprocmask(SIG_SETMASK, [], [pid 5749] <... rseq resumed>) = 0 [pid 5748] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5749] set_robust_list(0x7f79473519a0, 24 [pid 5748] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5749] <... set_robust_list resumed>) = 0 [pid 5749] rt_sigprocmask(SIG_SETMASK, [], [pid 5748] <... futex resumed>) = 0 [pid 5748] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5749] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5748] <... futex resumed>) = 0 [pid 5748] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5748] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5748] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5748] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5749] memfd_create("syzkaller", 0 [pid 5748] <... clone3 resumed> => {parent_tid=[5750]}, 88) = 5750 [pid 5748] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5748] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5748] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5750 attached [pid 5750] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5749] <... memfd_create resumed>) = 3 [pid 5750] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5750] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5749] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5750] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5749] <... mmap resumed>) = 0x7f793ef10000 [pid 5749] munmap(0x7f793ef10000, 138412032) = 0 [pid 5749] close(3) = 0 [pid 5750] <... openat resumed>) = 4 [pid 5749] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5749] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5750] write(4, "85", 2) = 2 [pid 5750] memfd_create("syzkaller", 0) = 3 [pid 5750] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 160.066503][ T5750] FAULT_INJECTION: forcing a failure. [ 160.066503][ T5750] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 160.080402][ T5750] CPU: 1 PID: 5750 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 160.090818][ T5750] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 160.101049][ T5750] Call Trace: [ 160.104328][ T5750] [ 160.107258][ T5750] dump_stack_lvl+0x1e7/0x2d0 [ 160.111948][ T5750] ? nf_tcp_handle_invalid+0x650/0x650 [ 160.117417][ T5750] ? panic+0x770/0x770 [ 160.121515][ T5750] should_fail_ex+0x3aa/0x4e0 [ 160.126215][ T5750] prepare_alloc_pages+0x1d9/0x5b0 [ 160.131357][ T5750] __alloc_pages+0x165/0x670 [ 160.135963][ T5750] ? zone_statistics+0x170/0x170 [ 160.140972][ T5750] ? verify_lock_unused+0x140/0x140 [ 160.146183][ T5750] ? handle_mm_fault+0x11d/0x62b0 [ 160.151209][ T5750] ? __lock_acquire+0x7f70/0x7f70 [ 160.156222][ T5750] ? pte_offset_map_nolock+0x137/0x1e0 [ 160.161676][ T5750] __folio_alloc+0x13/0x30 [ 160.166105][ T5750] vma_alloc_folio+0x48a/0x9a0 [ 160.170887][ T5750] handle_mm_fault+0x2376/0x62b0 [ 160.175845][ T5750] ? handle_mm_fault+0x11d/0x62b0 [ 160.180910][ T5750] ? numa_migrate_prep+0x380/0x380 [ 160.186023][ T5750] ? mtree_range_walk+0x6a0/0x7e0 [ 160.191042][ T5750] ? lock_vma_under_rcu+0x187/0x6f0 [ 160.196938][ T5750] ? __lock_acquire+0x7f70/0x7f70 [ 160.201970][ T5750] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 160.207172][ T5750] ? lock_vma_under_rcu+0x5df/0x6f0 [ 160.212368][ T5750] ? lock_vma_under_rcu+0x187/0x6f0 [ 160.217584][ T5750] ? exc_page_fault+0x10f/0x860 [ 160.222469][ T5750] exc_page_fault+0x455/0x860 [ 160.227143][ T5750] asm_exc_page_fault+0x26/0x30 [ 160.232008][ T5750] RIP: 0033:0x7f794735bd00 [ 160.236413][ T5750] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 160.256041][ T5750] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5750] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5750] munmap(0x7f793ef10000, 2097152) = 0 [pid 5750] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 160.262109][ T5750] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 160.270086][ T5750] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 160.278058][ T5750] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 160.286128][ T5750] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 160.294097][ T5750] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 160.302258][ T5750] [ 160.305650][ T5750] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5750] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5750] close(3) = 0 [pid 5750] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5750] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5750] ioctl(5, LOOP_CLR_FD) = 0 [pid 5750] close(5) = 0 [pid 5750] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5750] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5748] <... futex resumed>) = 0 [pid 5748] exit_group(0) = ? [pid 5750] <... futex resumed>) = ? [pid 5749] <... futex resumed>) = ? [pid 5750] +++ exited with 0 +++ [pid 5749] +++ exited with 0 +++ [pid 5748] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5748, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 [ 160.344630][ T5750] loop0: detected capacity change from 0 to 4096 [ 160.360171][ T5750] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 160.367420][ T5750] ntfs3: loop0: Failed to load $AttrDef (-22) umount2("./236", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./236", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./236/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./236/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./236/binderfs") = 0 umount2("\x2e\x2f\x32\x33\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x33\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x33\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x33\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x33\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./236") = 0 mkdir("./237", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5751 attached , child_tidptr=0x555555f17690) = 5751 [pid 5751] set_robust_list(0x555555f176a0, 24) = 0 [pid 5751] chdir("./237") = 0 [pid 5751] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5751] setpgid(0, 0) = 0 [pid 5751] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5751] write(3, "1000", 4) = 4 [pid 5751] close(3) = 0 [pid 5751] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5751] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5751] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5751] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5751] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5751] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5751] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5751] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5752 attached [pid 5752] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5752] set_robust_list(0x7f79473519a0, 24 [pid 5751] <... clone3 resumed> => {parent_tid=[5752]}, 88) = 5752 [pid 5752] <... set_robust_list resumed>) = 0 [pid 5752] rt_sigprocmask(SIG_SETMASK, [], [pid 5751] rt_sigprocmask(SIG_SETMASK, [], [pid 5752] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5752] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5751] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5751] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5752] <... futex resumed>) = 0 [pid 5751] <... futex resumed>) = 1 [pid 5751] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5751] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5752] memfd_create("syzkaller", 0 [pid 5751] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5752] <... memfd_create resumed>) = 3 [pid 5752] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5751] <... mprotect resumed>) = 0 [pid 5751] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5751] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5753]}, 88) = 5753 [pid 5751] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5751] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5751] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5753 attached [pid 5753] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5753] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5753] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5753] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5753] write(4, "85", 2) = 2 [pid 5753] memfd_create("syzkaller", 0) = 5 [pid 5753] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 160.492564][ T5753] FAULT_INJECTION: forcing a failure. [ 160.492564][ T5753] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 160.506743][ T5753] CPU: 0 PID: 5753 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 160.517185][ T5753] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 160.527245][ T5753] Call Trace: [ 160.530522][ T5753] [ 160.533438][ T5753] dump_stack_lvl+0x1e7/0x2d0 [pid 5752] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 160.538102][ T5753] ? nf_tcp_handle_invalid+0x650/0x650 [ 160.543585][ T5753] ? panic+0x770/0x770 [ 160.547820][ T5753] should_fail_ex+0x3aa/0x4e0 [ 160.552505][ T5753] prepare_alloc_pages+0x1d9/0x5b0 [ 160.557607][ T5753] __alloc_pages+0x165/0x670 [ 160.562184][ T5753] ? zone_statistics+0x170/0x170 [ 160.567148][ T5753] ? verify_lock_unused+0x140/0x140 [ 160.572338][ T5753] ? handle_mm_fault+0x11d/0x62b0 [ 160.577348][ T5753] ? __lock_acquire+0x7f70/0x7f70 [ 160.582356][ T5753] ? pte_offset_map_nolock+0x137/0x1e0 [ 160.587806][ T5753] __folio_alloc+0x13/0x30 [ 160.592208][ T5753] vma_alloc_folio+0x48a/0x9a0 [ 160.596960][ T5753] handle_mm_fault+0x2376/0x62b0 [ 160.601901][ T5753] ? handle_mm_fault+0x11d/0x62b0 [ 160.606920][ T5753] ? numa_migrate_prep+0x380/0x380 [ 160.612034][ T5753] ? mtree_range_walk+0x6a0/0x7e0 [ 160.617256][ T5753] ? lock_vma_under_rcu+0x187/0x6f0 [ 160.622445][ T5753] ? __lock_acquire+0x7f70/0x7f70 [ 160.627457][ T5753] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 160.632650][ T5753] ? lock_vma_under_rcu+0x5df/0x6f0 [ 160.637836][ T5753] ? lock_vma_under_rcu+0x187/0x6f0 [ 160.643064][ T5753] ? exc_page_fault+0x10f/0x860 [ 160.647914][ T5753] exc_page_fault+0x455/0x860 [ 160.652591][ T5753] asm_exc_page_fault+0x26/0x30 [ 160.657430][ T5753] RIP: 0033:0x7f794735bc53 [ 160.661835][ T5753] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 160.681433][ T5753] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5752] munmap(0x7f793ef10000, 2097152) = 0 [pid 5752] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 160.687490][ T5753] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 160.695446][ T5753] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 160.703399][ T5753] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 160.711357][ T5753] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 160.719419][ T5753] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 160.727387][ T5753] [ 160.731634][ T5753] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5752] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5752] close(3) = 0 [pid 5752] mkdir("./file0", 0777) = 0 [pid 5752] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5753] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5752] <... mount resumed>) = 0 [pid 5752] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5752] chdir("./file0") = 0 [pid 5752] ioctl(6, LOOP_CLR_FD) = 0 [pid 5752] close(6) = 0 [pid 5752] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5752] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5753] <... write resumed>) = 2097152 [pid 5753] munmap(0x7f7936b10000, 2097152) = 0 [pid 5753] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5753] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5753] ioctl(6, LOOP_CLR_FD) = 0 [pid 5753] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5753] close(6) = 0 [ 160.746361][ T5752] loop0: detected capacity change from 0 to 4096 [ 160.760427][ T5752] ntfs: volume version 12.0. [pid 5753] close(5) = 0 [pid 5753] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5753] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5751] <... futex resumed>) = 0 [pid 5751] exit_group(0 [pid 5752] <... futex resumed>) = ? [pid 5751] <... exit_group resumed>) = ? [pid 5753] <... futex resumed>) = ? [pid 5752] +++ exited with 0 +++ [pid 5753] +++ exited with 0 +++ [pid 5751] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5751, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./237", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./237", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./237/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./237/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./237/binderfs") = 0 umount2("./237/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./237/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./237/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./237/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./237/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./237/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./237") = 0 mkdir("./238", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5754 ./strace-static-x86_64: Process 5754 attached [pid 5754] set_robust_list(0x555555f176a0, 24) = 0 [pid 5754] chdir("./238") = 0 [pid 5754] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5754] setpgid(0, 0) = 0 [pid 5754] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5754] write(3, "1000", 4) = 4 [pid 5754] close(3) = 0 [pid 5754] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5754] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5754] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5754] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5754] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5754] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5754] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5754] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5755 attached [pid 5755] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5754] <... clone3 resumed> => {parent_tid=[5755]}, 88) = 5755 [pid 5755] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5754] rt_sigprocmask(SIG_SETMASK, [], [pid 5755] rt_sigprocmask(SIG_SETMASK, [], [pid 5754] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5755] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5754] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5755] memfd_create("syzkaller", 0 [pid 5754] <... futex resumed>) = 0 [pid 5754] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5754] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5755] <... memfd_create resumed>) = 3 [pid 5755] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5754] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5755] <... mmap resumed>) = 0x7f793ef10000 [pid 5754] <... mprotect resumed>) = 0 [pid 5754] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5754] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5756]}, 88) = 5756 [pid 5754] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5754] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5754] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5756 attached [pid 5756] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5756] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5756] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5756] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5756] write(4, "85", 2) = 2 [pid 5756] memfd_create("syzkaller", 0) = 5 [pid 5756] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5755] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 160.916507][ T5756] FAULT_INJECTION: forcing a failure. [ 160.916507][ T5756] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 160.930078][ T5756] CPU: 0 PID: 5756 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 160.940602][ T5756] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 160.950684][ T5756] Call Trace: [ 160.953987][ T5756] [ 160.956929][ T5756] dump_stack_lvl+0x1e7/0x2d0 [ 160.961609][ T5756] ? nf_tcp_handle_invalid+0x650/0x650 [ 160.967077][ T5756] ? panic+0x770/0x770 [ 160.971185][ T5756] should_fail_ex+0x3aa/0x4e0 [ 160.975891][ T5756] prepare_alloc_pages+0x1d9/0x5b0 [ 160.981030][ T5756] __alloc_pages+0x165/0x670 [ 160.985637][ T5756] ? zone_statistics+0x170/0x170 [ 160.990933][ T5756] ? verify_lock_unused+0x140/0x140 [ 160.996142][ T5756] ? handle_mm_fault+0x11d/0x62b0 [ 161.001179][ T5756] ? __lock_acquire+0x7f70/0x7f70 [ 161.006204][ T5756] ? pte_offset_map_nolock+0x137/0x1e0 [ 161.011686][ T5756] __folio_alloc+0x13/0x30 [ 161.016140][ T5756] vma_alloc_folio+0x48a/0x9a0 [ 161.020905][ T5756] handle_mm_fault+0x2376/0x62b0 [ 161.025846][ T5756] ? handle_mm_fault+0x11d/0x62b0 [ 161.030868][ T5756] ? numa_migrate_prep+0x380/0x380 [ 161.035987][ T5756] ? mtree_range_walk+0x6a0/0x7e0 [ 161.041010][ T5756] ? lock_vma_under_rcu+0x187/0x6f0 [ 161.046208][ T5756] ? __lock_acquire+0x7f70/0x7f70 [ 161.051237][ T5756] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 161.056436][ T5756] ? lock_vma_under_rcu+0x5df/0x6f0 [ 161.061645][ T5756] ? lock_vma_under_rcu+0x187/0x6f0 [ 161.066952][ T5756] ? exc_page_fault+0x10f/0x860 [ 161.071797][ T5756] exc_page_fault+0x455/0x860 [ 161.076474][ T5756] asm_exc_page_fault+0x26/0x30 [ 161.081318][ T5756] RIP: 0033:0x7f794735bc53 [ 161.085819][ T5756] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 161.105432][ T5756] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5755] munmap(0x7f793ef10000, 2097152) = 0 [pid 5755] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 161.111503][ T5756] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 161.119491][ T5756] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 161.127474][ T5756] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 161.135452][ T5756] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 161.143423][ T5756] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 161.151414][ T5756] [ 161.155485][ T5756] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5755] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5755] close(3) = 0 [pid 5755] mkdir("./file0", 0777) = 0 [pid 5755] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5756] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5755] <... mount resumed>) = 0 [pid 5755] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5755] chdir("./file0") = 0 [pid 5755] ioctl(6, LOOP_CLR_FD) = 0 [pid 5755] close(6) = 0 [pid 5755] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5755] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5756] <... write resumed>) = 2097152 [pid 5756] munmap(0x7f7936b10000, 2097152) = 0 [pid 5756] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5756] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5756] ioctl(6, LOOP_CLR_FD) = 0 [pid 5756] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5756] close(6) = 0 [pid 5756] close(5) = 0 [pid 5756] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5754] <... futex resumed>) = 0 [pid 5756] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 161.171389][ T5755] loop0: detected capacity change from 0 to 4096 [ 161.187321][ T5755] ntfs: volume version 12.0. [pid 5754] exit_group(0 [pid 5756] <... futex resumed>) = ? [pid 5755] <... futex resumed>) = ? [pid 5754] <... exit_group resumed>) = ? [pid 5756] +++ exited with 0 +++ [pid 5755] +++ exited with 0 +++ [pid 5754] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5754, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=14 /* 0.14 s */} --- umount2("./238", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./238", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./238/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./238/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./238/binderfs") = 0 umount2("./238/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./238/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./238/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./238/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./238/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./238/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./238") = 0 mkdir("./239", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5757 attached , child_tidptr=0x555555f17690) = 5757 [pid 5757] set_robust_list(0x555555f176a0, 24) = 0 [pid 5757] chdir("./239") = 0 [pid 5757] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5757] setpgid(0, 0) = 0 [pid 5757] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5757] write(3, "1000", 4) = 4 [pid 5757] close(3) = 0 [pid 5757] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5757] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5757] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5757] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5757] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5757] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5757] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5757] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5758 attached [pid 5758] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5758] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5758] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5757] <... clone3 resumed> => {parent_tid=[5758]}, 88) = 5758 [pid 5758] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5757] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5757] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5758] <... futex resumed>) = 0 [pid 5757] <... futex resumed>) = 1 [pid 5757] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5757] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5758] memfd_create("syzkaller", 0 [pid 5757] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5758] <... memfd_create resumed>) = 3 [pid 5758] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5757] <... mprotect resumed>) = 0 [pid 5757] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5757] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5759 attached => {parent_tid=[5759]}, 88) = 5759 [pid 5759] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5757] rt_sigprocmask(SIG_SETMASK, [], [pid 5759] <... rseq resumed>) = 0 [pid 5757] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5759] set_robust_list(0x7f79473309a0, 24 [pid 5757] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5759] <... set_robust_list resumed>) = 0 [pid 5759] rt_sigprocmask(SIG_SETMASK, [], [pid 5757] <... futex resumed>) = 0 [pid 5759] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5757] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5759] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5759] write(4, "85", 2) = 2 [pid 5759] memfd_create("syzkaller", 0) = 5 [pid 5759] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5758] munmap(0x7f793ef10000, 138412032) = 0 [pid 5758] close(3) = 0 [pid 5758] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 161.320073][ T5759] FAULT_INJECTION: forcing a failure. [ 161.320073][ T5759] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 161.333819][ T5759] CPU: 1 PID: 5759 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 161.344261][ T5759] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 161.354310][ T5759] Call Trace: [ 161.357583][ T5759] [ 161.360502][ T5759] dump_stack_lvl+0x1e7/0x2d0 [ 161.366261][ T5759] ? nf_tcp_handle_invalid+0x650/0x650 [ 161.371903][ T5759] ? panic+0x770/0x770 [ 161.376170][ T5759] should_fail_ex+0x3aa/0x4e0 [ 161.380844][ T5759] prepare_alloc_pages+0x1d9/0x5b0 [ 161.385950][ T5759] __alloc_pages+0x165/0x670 [ 161.390541][ T5759] ? zone_statistics+0x170/0x170 [ 161.395755][ T5759] ? verify_lock_unused+0x140/0x140 [ 161.401060][ T5759] ? handle_mm_fault+0x11d/0x62b0 [ 161.406090][ T5759] ? __lock_acquire+0x7f70/0x7f70 [ 161.411108][ T5759] ? pte_offset_map_nolock+0x137/0x1e0 [ 161.416560][ T5759] __folio_alloc+0x13/0x30 [ 161.421014][ T5759] vma_alloc_folio+0x48a/0x9a0 [ 161.425816][ T5759] handle_mm_fault+0x2376/0x62b0 [ 161.430813][ T5759] ? handle_mm_fault+0x11d/0x62b0 [ 161.435852][ T5759] ? numa_migrate_prep+0x380/0x380 [ 161.441252][ T5759] ? mtree_range_walk+0x6a0/0x7e0 [ 161.446273][ T5759] ? lock_vma_under_rcu+0x187/0x6f0 [ 161.451460][ T5759] ? __lock_acquire+0x7f70/0x7f70 [ 161.456504][ T5759] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 161.461738][ T5759] ? lock_vma_under_rcu+0x5df/0x6f0 [ 161.466924][ T5759] ? lock_vma_under_rcu+0x187/0x6f0 [ 161.472114][ T5759] ? exc_page_fault+0x10f/0x860 [ 161.476954][ T5759] exc_page_fault+0x455/0x860 [ 161.481632][ T5759] asm_exc_page_fault+0x26/0x30 [ 161.486926][ T5759] RIP: 0033:0x7f794735bc53 [ 161.491326][ T5759] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 161.510931][ T5759] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5758] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5759] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5759] munmap(0x7f7936b10000, 2097152) = 0 [pid 5759] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 161.517075][ T5759] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 161.525291][ T5759] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 161.533437][ T5759] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 161.541410][ T5759] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 161.549378][ T5759] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 161.557348][ T5759] [ 161.561259][ T5759] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5759] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5759] close(5) = 0 [pid 5759] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5759] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 161.595133][ T5759] loop0: detected capacity change from 0 to 4096 [ 161.610905][ T5759] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 161.617941][ T5759] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5759] ioctl(3, LOOP_CLR_FD) = 0 [pid 5759] close(3) = 0 [pid 5759] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5757] <... futex resumed>) = 0 [pid 5759] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5757] exit_group(0 [pid 5759] <... futex resumed>) = ? [pid 5758] <... futex resumed>) = ? [pid 5757] <... exit_group resumed>) = ? [pid 5759] +++ exited with 0 +++ [pid 5758] +++ exited with 0 +++ [pid 5757] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5757, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=9 /* 0.09 s */} --- umount2("./239", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./239", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./239/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./239/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./239/binderfs") = 0 umount2("\x2e\x2f\x32\x33\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x33\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x33\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x33\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x33\x39\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./239") = 0 mkdir("./240", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5760 attached , child_tidptr=0x555555f17690) = 5760 [pid 5760] set_robust_list(0x555555f176a0, 24) = 0 [pid 5760] chdir("./240") = 0 [pid 5760] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5760] setpgid(0, 0) = 0 [pid 5760] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5760] write(3, "1000", 4) = 4 [pid 5760] close(3) = 0 [pid 5760] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5760] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5760] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5760] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5760] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5760] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5760] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5760] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5761]}, 88) = 5761 ./strace-static-x86_64: Process 5761 attached [pid 5761] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5760] rt_sigprocmask(SIG_SETMASK, [], [pid 5761] <... rseq resumed>) = 0 [pid 5761] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5761] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5760] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5761] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5760] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5761] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5760] <... futex resumed>) = 0 [pid 5760] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5760] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5760] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5761] memfd_create("syzkaller", 0 [pid 5760] <... mprotect resumed>) = 0 [pid 5761] <... memfd_create resumed>) = 3 [pid 5761] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5760] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5761] <... mmap resumed>) = 0x7f793ef10000 [pid 5760] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5760] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5762 attached => {parent_tid=[5762]}, 88) = 5762 [pid 5762] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5760] rt_sigprocmask(SIG_SETMASK, [], [pid 5762] <... rseq resumed>) = 0 [pid 5760] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5760] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5762] set_robust_list(0x7f79473309a0, 24 [pid 5760] <... futex resumed>) = 0 [pid 5762] <... set_robust_list resumed>) = 0 [pid 5760] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5762] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5762] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5762] write(4, "85", 2) = 2 [pid 5762] memfd_create("syzkaller", 0) = 5 [pid 5762] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 161.742711][ T5762] FAULT_INJECTION: forcing a failure. [ 161.742711][ T5762] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 161.756370][ T5762] CPU: 0 PID: 5762 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 161.766813][ T5762] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 161.776978][ T5762] Call Trace: [ 161.780288][ T5762] [ 161.783426][ T5762] dump_stack_lvl+0x1e7/0x2d0 [pid 5761] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2028777) = 2028777 [ 161.788135][ T5762] ? nf_tcp_handle_invalid+0x650/0x650 [ 161.793589][ T5762] ? panic+0x770/0x770 [ 161.797747][ T5762] should_fail_ex+0x3aa/0x4e0 [ 161.802435][ T5762] prepare_alloc_pages+0x1d9/0x5b0 [ 161.807564][ T5762] __alloc_pages+0x165/0x670 [ 161.812158][ T5762] ? zone_statistics+0x170/0x170 [ 161.817109][ T5762] ? verify_lock_unused+0x140/0x140 [ 161.822298][ T5762] ? handle_mm_fault+0x11d/0x62b0 [ 161.827318][ T5762] ? __lock_acquire+0x7f70/0x7f70 [ 161.832591][ T5762] ? pte_offset_map_nolock+0x137/0x1e0 [ 161.838052][ T5762] __folio_alloc+0x13/0x30 [ 161.842559][ T5762] vma_alloc_folio+0x48a/0x9a0 [ 161.847340][ T5762] handle_mm_fault+0x2376/0x62b0 [ 161.852292][ T5762] ? handle_mm_fault+0x11d/0x62b0 [ 161.857349][ T5762] ? numa_migrate_prep+0x380/0x380 [ 161.862482][ T5762] ? mtree_range_walk+0x6a0/0x7e0 [ 161.867519][ T5762] ? lock_vma_under_rcu+0x187/0x6f0 [ 161.872709][ T5762] ? __lock_acquire+0x7f70/0x7f70 [ 161.877730][ T5762] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 161.882953][ T5762] ? lock_vma_under_rcu+0x5df/0x6f0 [ 161.888152][ T5762] ? lock_vma_under_rcu+0x187/0x6f0 [ 161.893392][ T5762] ? exc_page_fault+0x10f/0x860 [ 161.898272][ T5762] exc_page_fault+0x455/0x860 [ 161.902953][ T5762] asm_exc_page_fault+0x26/0x30 [ 161.907799][ T5762] RIP: 0033:0x7f794735bc53 [ 161.912293][ T5762] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 161.932070][ T5762] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5761] munmap(0x7f793ef10000, 2028777) = 0 [pid 5761] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 161.938134][ T5762] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 161.946101][ T5762] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 161.954239][ T5762] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 161.962212][ T5762] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 161.970202][ T5762] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 161.978297][ T5762] [pid 5761] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5761] close(3) = 0 [pid 5761] mkdir("./file0", 0777) = 0 [pid 5761] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5762] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5762] munmap(0x7f7936b10000, 2097152 [pid 5761] <... mount resumed>) = -1 EINVAL (Invalid argument) [pid 5761] ioctl(6, LOOP_CLR_FD [pid 5762] <... munmap resumed>) = 0 [pid 5762] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5762] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5762] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5762] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5762] close(3) = 0 [pid 5762] close(5) = 0 [pid 5762] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5760] <... futex resumed>) = 0 [pid 5762] <... futex resumed>) = 1 [ 161.991687][ T5761] loop0: detected capacity change from 0 to 3962 [ 162.006645][ T5761] __ntfs_error: 158 callbacks suppressed [ 162.006659][ T5761] ntfs: (device loop0): ntfs_read_inode_mount(): Incorrect mft record size 4294967295 in superblock, should be 1024. [ 162.025702][ T5761] ntfs: (device loop0): ntfs_read_inode_mount(): Failed. Marking inode as bad. [pid 5762] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5761] <... ioctl resumed>) = 0 [pid 5761] close(6) = 0 [pid 5761] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5761] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5760] exit_group(0 [pid 5761] <... futex resumed>) = ? [pid 5762] <... futex resumed>) = ? [pid 5760] <... exit_group resumed>) = ? [pid 5761] +++ exited with 0 +++ [pid 5762] +++ exited with 0 +++ [pid 5760] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5760, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=16 /* 0.16 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./240", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./240", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./240/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./240/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./240/binderfs") = 0 umount2("./240/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./240/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./240/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./240/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./240/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./240") = 0 mkdir("./241", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5763 attached , child_tidptr=0x555555f17690) = 5763 [pid 5763] set_robust_list(0x555555f176a0, 24) = 0 [pid 5763] chdir("./241") = 0 [pid 5763] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5763] setpgid(0, 0) = 0 [pid 5763] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5763] write(3, "1000", 4) = 4 [pid 5763] close(3) = 0 [pid 5763] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5763] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5763] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5763] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5763] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5763] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5763] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5763] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5764 attached => {parent_tid=[5764]}, 88) = 5764 [pid 5763] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5763] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5763] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5764] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5763] <... futex resumed>) = 0 [pid 5763] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5764] <... rseq resumed>) = 0 [pid 5764] set_robust_list(0x7f79473519a0, 24 [pid 5763] <... mmap resumed>) = 0x7f7947310000 [pid 5764] <... set_robust_list resumed>) = 0 [pid 5763] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5764] rt_sigprocmask(SIG_SETMASK, [], [pid 5763] <... mprotect resumed>) = 0 [pid 5763] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5764] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5763] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5763] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5765 attached [pid 5765] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5763] <... clone3 resumed> => {parent_tid=[5765]}, 88) = 5765 [pid 5765] <... rseq resumed>) = 0 [pid 5763] rt_sigprocmask(SIG_SETMASK, [], [pid 5765] set_robust_list(0x7f79473309a0, 24 [pid 5763] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5765] <... set_robust_list resumed>) = 0 [pid 5763] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5765] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5763] <... futex resumed>) = 0 [pid 5765] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5764] memfd_create("syzkaller", 0 [pid 5763] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5764] <... memfd_create resumed>) = 4 [pid 5764] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5765] <... openat resumed>) = 3 [pid 5765] write(3, "85", 2 [pid 5764] <... mmap resumed>) = 0x7f793ef10000 [pid 5765] <... write resumed>) = 2 [pid 5764] munmap(0x7f793ef10000, 138412032 [pid 5765] memfd_create("syzkaller", 0 [pid 5764] <... munmap resumed>) = 0 [pid 5765] <... memfd_create resumed>) = 5 [pid 5764] close(4 [pid 5765] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5764] <... close resumed>) = 0 [ 162.086834][ T5238] I/O error, dev loop0, sector 3712 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 5765] <... mmap resumed>) = 0x7f793ef10000 [pid 5764] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 162.150210][ T5765] FAULT_INJECTION: forcing a failure. [ 162.150210][ T5765] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 162.163797][ T5765] CPU: 1 PID: 5765 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 162.174242][ T5765] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 162.184286][ T5765] Call Trace: [ 162.187551][ T5765] [ 162.190487][ T5765] dump_stack_lvl+0x1e7/0x2d0 [ 162.195793][ T5765] ? nf_tcp_handle_invalid+0x650/0x650 [ 162.201714][ T5765] ? panic+0x770/0x770 [ 162.205819][ T5765] should_fail_ex+0x3aa/0x4e0 [ 162.210560][ T5765] prepare_alloc_pages+0x1d9/0x5b0 [ 162.215695][ T5765] __alloc_pages+0x165/0x670 [ 162.220295][ T5765] ? zone_statistics+0x170/0x170 [ 162.225328][ T5765] ? verify_lock_unused+0x140/0x140 [ 162.230529][ T5765] ? handle_mm_fault+0x11d/0x62b0 [ 162.235558][ T5765] ? __lock_acquire+0x7f70/0x7f70 [ 162.240612][ T5765] ? pte_offset_map_nolock+0x137/0x1e0 [ 162.246209][ T5765] __folio_alloc+0x13/0x30 [ 162.251059][ T5765] vma_alloc_folio+0x48a/0x9a0 [ 162.255912][ T5765] handle_mm_fault+0x2376/0x62b0 [ 162.260856][ T5765] ? handle_mm_fault+0x11d/0x62b0 [ 162.265886][ T5765] ? numa_migrate_prep+0x380/0x380 [ 162.271096][ T5765] ? mtree_range_walk+0x6a0/0x7e0 [ 162.276222][ T5765] ? lock_vma_under_rcu+0x187/0x6f0 [ 162.281418][ T5765] ? __lock_acquire+0x7f70/0x7f70 [ 162.286441][ T5765] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 162.291826][ T5765] ? lock_vma_under_rcu+0x5df/0x6f0 [ 162.297023][ T5765] ? lock_vma_under_rcu+0x187/0x6f0 [ 162.302315][ T5765] ? exc_page_fault+0x10f/0x860 [ 162.307165][ T5765] exc_page_fault+0x455/0x860 [ 162.311844][ T5765] asm_exc_page_fault+0x26/0x30 [ 162.316690][ T5765] RIP: 0033:0x7f794735bd00 [ 162.321109][ T5765] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 162.340885][ T5765] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5764] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5765] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5765] munmap(0x7f793ef10000, 2097152) = 0 [pid 5765] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 162.346950][ T5765] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 162.355002][ T5765] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 162.362969][ T5765] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 162.371035][ T5765] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 162.379396][ T5765] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 162.387458][ T5765] [pid 5765] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5765] close(5) = 0 [pid 5765] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5765] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5765] ioctl(4, LOOP_CLR_FD) = 0 [pid 5765] close(4) = 0 [pid 5765] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5763] <... futex resumed>) = 0 [pid 5763] exit_group(0) = ? [pid 5765] <... futex resumed>) = ? [pid 5765] +++ exited with 0 +++ [pid 5764] <... futex resumed>) = ? [ 162.425520][ T5765] loop0: detected capacity change from 0 to 4096 [ 162.440809][ T5765] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 162.448051][ T5765] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5764] +++ exited with 0 +++ [pid 5763] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5763, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=9 /* 0.09 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./241", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./241", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./241/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./241/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./241/binderfs") = 0 umount2("\x2e\x2f\x32\x34\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x34\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x34\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x34\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x34\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./241") = 0 mkdir("./242", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5766 attached , child_tidptr=0x555555f17690) = 5766 [pid 5766] set_robust_list(0x555555f176a0, 24) = 0 [pid 5766] chdir("./242") = 0 [pid 5766] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5766] setpgid(0, 0) = 0 [pid 5766] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5766] write(3, "1000", 4) = 4 [pid 5766] close(3) = 0 [pid 5766] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5766] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5766] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5766] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5766] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5766] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5766] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5766] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5767 attached [pid 5767] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5766] <... clone3 resumed> => {parent_tid=[5767]}, 88) = 5767 [pid 5767] <... rseq resumed>) = 0 [pid 5766] rt_sigprocmask(SIG_SETMASK, [], [pid 5767] set_robust_list(0x7f79473519a0, 24 [pid 5766] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5767] <... set_robust_list resumed>) = 0 [pid 5767] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5767] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5766] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5767] <... futex resumed>) = 0 [pid 5766] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5766] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5767] memfd_create("syzkaller", 0 [pid 5766] <... mmap resumed>) = 0x7f7947310000 [pid 5766] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5766] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5767] <... memfd_create resumed>) = 3 [pid 5766] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5767] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0./strace-static-x86_64: Process 5768 attached [pid 5766] <... clone3 resumed> => {parent_tid=[5768]}, 88) = 5768 [pid 5768] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5767] <... mmap resumed>) = 0x7f793ef10000 [pid 5766] rt_sigprocmask(SIG_SETMASK, [], [pid 5768] <... rseq resumed>) = 0 [pid 5766] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5768] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5766] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5768] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5766] <... futex resumed>) = 0 [pid 5766] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5768] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5768] write(4, "85", 2) = 2 [pid 5768] memfd_create("syzkaller", 0) = 5 [pid 5768] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5767] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2285416) = 2285416 [ 162.567304][ T5768] FAULT_INJECTION: forcing a failure. [ 162.567304][ T5768] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 162.580850][ T5768] CPU: 1 PID: 5768 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 162.591334][ T5768] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 162.601422][ T5768] Call Trace: [ 162.604816][ T5768] [ 162.607769][ T5768] dump_stack_lvl+0x1e7/0x2d0 [ 162.612461][ T5768] ? nf_tcp_handle_invalid+0x650/0x650 [ 162.617924][ T5768] ? panic+0x770/0x770 [ 162.622032][ T5768] should_fail_ex+0x3aa/0x4e0 [ 162.626772][ T5768] prepare_alloc_pages+0x1d9/0x5b0 [ 162.631902][ T5768] __alloc_pages+0x165/0x670 [ 162.636512][ T5768] ? zone_statistics+0x170/0x170 [ 162.641467][ T5768] ? verify_lock_unused+0x140/0x140 [ 162.646671][ T5768] ? handle_mm_fault+0x11d/0x62b0 [ 162.651718][ T5768] ? __lock_acquire+0x7f70/0x7f70 [ 162.656745][ T5768] ? pte_offset_map_nolock+0x137/0x1e0 [ 162.662212][ T5768] __folio_alloc+0x13/0x30 [ 162.666632][ T5768] vma_alloc_folio+0x48a/0x9a0 [ 162.671407][ T5768] handle_mm_fault+0x2376/0x62b0 [ 162.676360][ T5768] ? handle_mm_fault+0x11d/0x62b0 [ 162.681396][ T5768] ? numa_migrate_prep+0x380/0x380 [ 162.686863][ T5768] ? mtree_range_walk+0x6a0/0x7e0 [ 162.691896][ T5768] ? lock_vma_under_rcu+0x187/0x6f0 [ 162.697092][ T5768] ? __lock_acquire+0x7f70/0x7f70 [ 162.702135][ T5768] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 162.707350][ T5768] ? lock_vma_under_rcu+0x5df/0x6f0 [ 162.712565][ T5768] ? lock_vma_under_rcu+0x187/0x6f0 [ 162.717773][ T5768] ? exc_page_fault+0x10f/0x860 [ 162.722622][ T5768] exc_page_fault+0x455/0x860 [ 162.727304][ T5768] asm_exc_page_fault+0x26/0x30 [ 162.732166][ T5768] RIP: 0033:0x7f794735bc53 [ 162.736588][ T5768] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 162.756275][ T5768] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5767] munmap(0x7f793ef10000, 2285416) = 0 [pid 5767] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 162.762339][ T5768] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 162.770306][ T5768] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 162.778292][ T5768] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 162.786273][ T5768] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 162.794236][ T5768] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 162.802212][ T5768] [ 162.812137][ T5767] loop0: detected capacity change from 0 to 4463 [pid 5767] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5767] close(3) = 0 [pid 5767] mkdir("./file0", 0777) = 0 [pid 5767] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5767] ioctl(6, LOOP_CLR_FD [pid 5768] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5768] munmap(0x7f7936b10000, 2097152) = 0 [pid 5768] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5768] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5768] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5768] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5768] close(3) = 0 [pid 5768] close(5) = 0 [ 162.824879][ T5767] ntfs: (device loop0): ntfs_read_inode_mount(): Incorrect mft record size 67372036 in superblock, should be 1024. [ 162.837290][ T5767] ntfs: (device loop0): ntfs_read_inode_mount(): Failed. Marking inode as bad. [pid 5768] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5766] <... futex resumed>) = 0 [pid 5768] <... futex resumed>) = 1 [pid 5768] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5767] <... ioctl resumed>) = 0 [pid 5767] close(6) = 0 [pid 5767] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5766] exit_group(0 [pid 5767] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5766] <... exit_group resumed>) = ? [pid 5768] <... futex resumed>) = ? [pid 5767] +++ exited with 0 +++ [pid 5768] +++ exited with 0 +++ [pid 5766] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5766, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=15 /* 0.15 s */} --- umount2("./242", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./242", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./242/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./242/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./242/binderfs") = 0 umount2("./242/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./242/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./242/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./242/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./242/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./242") = 0 mkdir("./243", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5769 ./strace-static-x86_64: Process 5769 attached [pid 5769] set_robust_list(0x555555f176a0, 24) = 0 [pid 5769] chdir("./243") = 0 [pid 5769] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5769] setpgid(0, 0) = 0 [pid 5769] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5769] write(3, "1000", 4) = 4 [pid 5769] close(3) = 0 [pid 5769] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5769] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5769] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5769] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5769] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5769] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5769] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5769] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5770 attached => {parent_tid=[5770]}, 88) = 5770 [ 162.888341][ T5238] I/O error, dev loop0, sector 4224 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 5769] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5769] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5769] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5769] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5769] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5769] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5769] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5771 attached [pid 5771] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5770] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5771] <... rseq resumed>) = 0 [pid 5771] set_robust_list(0x7f79473309a0, 24 [pid 5769] <... clone3 resumed> => {parent_tid=[5771]}, 88) = 5771 [pid 5771] <... set_robust_list resumed>) = 0 [pid 5769] rt_sigprocmask(SIG_SETMASK, [], [pid 5771] rt_sigprocmask(SIG_SETMASK, [], [pid 5769] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5771] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5769] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5771] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5770] <... rseq resumed>) = 0 [pid 5769] <... futex resumed>) = 0 [pid 5770] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5770] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5769] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5771] <... openat resumed>) = 3 [pid 5771] write(3, "85", 2 [pid 5770] memfd_create("syzkaller", 0 [pid 5771] <... write resumed>) = 2 [pid 5771] memfd_create("syzkaller", 0) = 4 [pid 5771] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5770] <... memfd_create resumed>) = 5 [ 162.961812][ T5771] FAULT_INJECTION: forcing a failure. [ 162.961812][ T5771] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 162.975909][ T5771] CPU: 1 PID: 5771 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 162.986519][ T5771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 162.996571][ T5771] Call Trace: [ 162.999849][ T5771] [ 163.002783][ T5771] dump_stack_lvl+0x1e7/0x2d0 [ 163.007478][ T5771] ? nf_tcp_handle_invalid+0x650/0x650 [ 163.012928][ T5771] ? panic+0x770/0x770 [ 163.016995][ T5771] should_fail_ex+0x3aa/0x4e0 [ 163.021685][ T5771] prepare_alloc_pages+0x1d9/0x5b0 [ 163.026796][ T5771] __alloc_pages+0x165/0x670 [ 163.031384][ T5771] ? zone_statistics+0x170/0x170 [ 163.036333][ T5771] ? verify_lock_unused+0x140/0x140 [ 163.041535][ T5771] ? handle_mm_fault+0x11d/0x62b0 [ 163.046581][ T5771] ? __lock_acquire+0x7f70/0x7f70 [ 163.051624][ T5771] ? pte_offset_map_nolock+0x137/0x1e0 [ 163.057100][ T5771] __folio_alloc+0x13/0x30 [ 163.061528][ T5771] vma_alloc_folio+0x48a/0x9a0 [ 163.066287][ T5771] handle_mm_fault+0x2376/0x62b0 [ 163.071247][ T5771] ? handle_mm_fault+0x11d/0x62b0 [ 163.076282][ T5771] ? numa_migrate_prep+0x380/0x380 [ 163.081406][ T5771] ? mtree_range_walk+0x6a0/0x7e0 [ 163.086430][ T5771] ? lock_vma_under_rcu+0x187/0x6f0 [ 163.091626][ T5771] ? __lock_acquire+0x7f70/0x7f70 [ 163.096644][ T5771] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 163.101861][ T5771] ? lock_vma_under_rcu+0x5df/0x6f0 [ 163.107074][ T5771] ? lock_vma_under_rcu+0x187/0x6f0 [ 163.112727][ T5771] ? exc_page_fault+0x10f/0x860 [ 163.117597][ T5771] exc_page_fault+0x455/0x860 [ 163.122284][ T5771] asm_exc_page_fault+0x26/0x30 [ 163.127136][ T5771] RIP: 0033:0x7f794735bc53 [ 163.131640][ T5771] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 163.151257][ T5771] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5770] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 163.157325][ T5771] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 163.165296][ T5771] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 163.173269][ T5771] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 163.181250][ T5771] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 163.189363][ T5771] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 163.197353][ T5771] [ 163.201242][ T5771] pagefault_out_of_memory: 3 callbacks suppressed [pid 5771] munmap(0x7f793ef10000, 138412032) = 0 [pid 5771] close(4) = 0 [pid 5771] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5769] <... futex resumed>) = 0 [pid 5771] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5770] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 163.201256][ T5771] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5770] munmap(0x7f7936b10000, 2097152) = 0 [pid 5770] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5770] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5770] close(5) = 0 [pid 5770] mkdir("./file0", 0777) = 0 [ 163.257446][ T5770] loop0: detected capacity change from 0 to 4096 [ 163.268908][ T5770] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 163.279837][ T5770] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [ 163.293403][ T5770] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [pid 5770] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5770] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5770] chdir("./file0") = 0 [pid 5770] ioctl(4, LOOP_CLR_FD) = 0 [pid 5770] close(4) = 0 [pid 5770] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5769] exit_group(0 [pid 5771] <... futex resumed>) = ? [pid 5769] <... exit_group resumed>) = ? [pid 5771] +++ exited with 0 +++ [pid 5770] <... futex resumed>) = ? [pid 5770] +++ exited with 0 +++ [pid 5769] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5769, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=16 /* 0.16 s */} --- umount2("./243", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./243", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./243/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./243/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./243/binderfs") = 0 [ 163.308346][ T5770] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 163.318371][ T5770] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 163.326895][ T5770] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 163.342136][ T5770] ntfs: volume version 12.0. umount2("./243/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./243/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./243/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./243/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./243/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./243/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./243") = 0 mkdir("./244", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5772 attached , child_tidptr=0x555555f17690) = 5772 [pid 5772] set_robust_list(0x555555f176a0, 24) = 0 [pid 5772] chdir("./244") = 0 [pid 5772] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5772] setpgid(0, 0) = 0 [pid 5772] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5772] write(3, "1000", 4) = 4 [pid 5772] close(3) = 0 [pid 5772] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5772] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5772] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5772] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5772] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5772] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5772] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5772] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5773 attached => {parent_tid=[5773]}, 88) = 5773 [pid 5772] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5772] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5772] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5772] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5772] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5772] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5772] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5774 attached [pid 5773] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5774] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5772] <... clone3 resumed> => {parent_tid=[5774]}, 88) = 5774 [pid 5774] <... rseq resumed>) = 0 [pid 5772] rt_sigprocmask(SIG_SETMASK, [], [pid 5774] set_robust_list(0x7f79473309a0, 24 [pid 5772] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5774] <... set_robust_list resumed>) = 0 [pid 5772] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5774] rt_sigprocmask(SIG_SETMASK, [], [pid 5772] <... futex resumed>) = 0 [pid 5774] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5772] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5774] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5773] <... rseq resumed>) = 0 [pid 5773] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5773] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5774] <... openat resumed>) = 3 [pid 5774] write(3, "85", 2) = 2 [pid 5774] memfd_create("syzkaller", 0 [pid 5773] memfd_create("syzkaller", 0) = 4 [pid 5774] <... memfd_create resumed>) = 5 [pid 5773] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5774] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5773] <... mmap resumed>) = 0x7f793ef10000 [pid 5774] <... mmap resumed>) = 0x7f7936b10000 [ 163.444438][ T5774] FAULT_INJECTION: forcing a failure. [ 163.444438][ T5774] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 163.458683][ T5774] CPU: 1 PID: 5774 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 163.469212][ T5774] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 163.479388][ T5774] Call Trace: [ 163.482663][ T5774] [ 163.485588][ T5774] dump_stack_lvl+0x1e7/0x2d0 [ 163.490264][ T5774] ? nf_tcp_handle_invalid+0x650/0x650 [ 163.495719][ T5774] ? panic+0x770/0x770 [ 163.499797][ T5774] should_fail_ex+0x3aa/0x4e0 [ 163.504473][ T5774] prepare_alloc_pages+0x1d9/0x5b0 [ 163.509587][ T5774] __alloc_pages+0x165/0x670 [ 163.514173][ T5774] ? zone_statistics+0x170/0x170 [ 163.519120][ T5774] ? verify_lock_unused+0x140/0x140 [ 163.524315][ T5774] ? handle_mm_fault+0x11d/0x62b0 [ 163.529380][ T5774] ? __lock_acquire+0x7f70/0x7f70 [ 163.534395][ T5774] ? pte_offset_map_nolock+0x137/0x1e0 [ 163.539851][ T5774] __folio_alloc+0x13/0x30 [ 163.544265][ T5774] vma_alloc_folio+0x48a/0x9a0 [ 163.549047][ T5774] handle_mm_fault+0x2376/0x62b0 [ 163.553989][ T5774] ? handle_mm_fault+0x11d/0x62b0 [ 163.559102][ T5774] ? numa_migrate_prep+0x380/0x380 [ 163.564216][ T5774] ? mtree_range_walk+0x6a0/0x7e0 [ 163.569239][ T5774] ? lock_vma_under_rcu+0x187/0x6f0 [ 163.574433][ T5774] ? __lock_acquire+0x7f70/0x7f70 [ 163.579446][ T5774] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 163.584649][ T5774] ? lock_vma_under_rcu+0x5df/0x6f0 [ 163.589842][ T5774] ? lock_vma_under_rcu+0x187/0x6f0 [ 163.595045][ T5774] ? exc_page_fault+0x10f/0x860 [ 163.599895][ T5774] exc_page_fault+0x455/0x860 [ 163.604571][ T5774] asm_exc_page_fault+0x26/0x30 [ 163.609415][ T5774] RIP: 0033:0x7f794735bc53 [ 163.613824][ T5774] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 163.633426][ T5774] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5773] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5774] munmap(0x7f7936b10000, 138412032 [pid 5773] <... write resumed>) = 2097152 [pid 5773] munmap(0x7f793ef10000, 2097152 [pid 5774] <... munmap resumed>) = 0 [pid 5774] close(5) = 0 [pid 5774] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5772] <... futex resumed>) = 0 [pid 5773] <... munmap resumed>) = 0 [pid 5773] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5774] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5773] <... openat resumed>) = 5 [ 163.639495][ T5774] RAX: 0000000000087000 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 163.647456][ T5774] RDX: 00007f794732f8f0 RSI: 0000000000000002 RDI: 00007f794732f7f0 [ 163.655423][ T5774] RBP: 00000000000000ac R08: 0000000000000009 R09: 0000000000000127 [ 163.663385][ T5774] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 163.671437][ T5774] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f794732f7f0 [ 163.679588][ T5774] [ 163.686549][ T5774] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5773] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5773] close(4) = 0 [pid 5773] mkdir("./file0", 0777) = 0 [pid 5773] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5773] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5773] chdir("./file0") = 0 [pid 5773] ioctl(5, LOOP_CLR_FD) = 0 [pid 5773] close(5) = 0 [pid 5773] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5773] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5772] exit_group(0) = ? [pid 5773] <... futex resumed>) = ? [pid 5773] +++ exited with 0 +++ [pid 5774] <... futex resumed>) = ? [pid 5774] +++ exited with 0 +++ [pid 5772] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5772, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=27 /* 0.27 s */} --- umount2("./244", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./244", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./244/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./244/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./244/binderfs") = 0 [ 163.713823][ T5773] loop0: detected capacity change from 0 to 4096 [ 163.726961][ T5773] ntfs: volume version 12.0. umount2("./244/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./244/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./244/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./244/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./244/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./244/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./244") = 0 mkdir("./245", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5775 attached , child_tidptr=0x555555f17690) = 5775 [pid 5775] set_robust_list(0x555555f176a0, 24) = 0 [pid 5775] chdir("./245") = 0 [pid 5775] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5775] setpgid(0, 0) = 0 [pid 5775] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5775] write(3, "1000", 4) = 4 [pid 5775] close(3) = 0 [pid 5775] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5775] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5775] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5775] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5775] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5775] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5775] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5775] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5776 attached [pid 5776] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5776] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5776] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5776] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5775] <... clone3 resumed> => {parent_tid=[5776]}, 88) = 5776 [pid 5775] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5775] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5776] <... futex resumed>) = 0 [pid 5776] memfd_create("syzkaller", 0 [pid 5775] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5775] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5776] <... memfd_create resumed>) = 3 [pid 5775] <... mmap resumed>) = 0x7f7947310000 [pid 5776] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5775] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5775] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5775] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5777 attached [pid 5777] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5775] <... clone3 resumed> => {parent_tid=[5777]}, 88) = 5777 [pid 5777] <... rseq resumed>) = 0 [pid 5775] rt_sigprocmask(SIG_SETMASK, [], [pid 5777] set_robust_list(0x7f79473309a0, 24 [pid 5775] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5775] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5777] <... set_robust_list resumed>) = 0 [pid 5775] <... futex resumed>) = 0 [pid 5777] rt_sigprocmask(SIG_SETMASK, [], [pid 5775] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5777] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5777] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5777] write(4, "85", 2) = 2 [pid 5777] memfd_create("syzkaller", 0) = 5 [pid 5777] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5776] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 163.837077][ T5777] FAULT_INJECTION: forcing a failure. [ 163.837077][ T5777] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 163.851089][ T5777] CPU: 0 PID: 5777 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 163.861550][ T5777] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 163.871640][ T5777] Call Trace: [ 163.874933][ T5777] [ 163.877866][ T5777] dump_stack_lvl+0x1e7/0x2d0 [ 163.882541][ T5777] ? nf_tcp_handle_invalid+0x650/0x650 [ 163.887989][ T5777] ? panic+0x770/0x770 [ 163.892056][ T5777] should_fail_ex+0x3aa/0x4e0 [ 163.896738][ T5777] prepare_alloc_pages+0x1d9/0x5b0 [ 163.901862][ T5777] __alloc_pages+0x165/0x670 [ 163.906454][ T5777] ? zone_statistics+0x170/0x170 [ 163.911397][ T5777] ? verify_lock_unused+0x140/0x140 [ 163.916591][ T5777] ? handle_mm_fault+0x11d/0x62b0 [ 163.921616][ T5777] ? __lock_acquire+0x7f70/0x7f70 [ 163.926635][ T5777] ? pte_offset_map_nolock+0x137/0x1e0 [ 163.932089][ T5777] __folio_alloc+0x13/0x30 [ 163.936506][ T5777] vma_alloc_folio+0x48a/0x9a0 [ 163.941280][ T5777] handle_mm_fault+0x2376/0x62b0 [ 163.946222][ T5777] ? handle_mm_fault+0x11d/0x62b0 [ 163.951249][ T5777] ? numa_migrate_prep+0x380/0x380 [ 163.956364][ T5777] ? mtree_range_walk+0x6a0/0x7e0 [ 163.961386][ T5777] ? lock_vma_under_rcu+0x187/0x6f0 [ 163.966580][ T5777] ? __lock_acquire+0x7f70/0x7f70 [ 163.971593][ T5777] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 163.976801][ T5777] ? lock_vma_under_rcu+0x5df/0x6f0 [ 163.982141][ T5777] ? lock_vma_under_rcu+0x187/0x6f0 [ 163.987433][ T5777] ? exc_page_fault+0x10f/0x860 [ 163.992284][ T5777] exc_page_fault+0x455/0x860 [ 163.996963][ T5777] asm_exc_page_fault+0x26/0x30 [ 164.001813][ T5777] RIP: 0033:0x7f794735bc53 [ 164.006227][ T5777] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 164.025833][ T5777] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5776] munmap(0x7f793ef10000, 2097152) = 0 [ 164.031896][ T5777] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 164.039947][ T5777] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 164.047914][ T5777] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 164.055880][ T5777] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 164.063946][ T5777] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 164.071946][ T5777] [ 164.076110][ T5777] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5776] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5776] ioctl(6, LOOP_SET_FD, 3 [pid 5777] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5776] <... ioctl resumed>) = 0 [pid 5776] close(3) = 0 [pid 5776] mkdir("./file0", 0777) = 0 [pid 5776] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5776] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5776] chdir("./file0") = 0 [pid 5776] ioctl(6, LOOP_CLR_FD) = 0 [pid 5776] close(6) = 0 [pid 5776] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5776] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5777] <... write resumed>) = 2097152 [pid 5777] munmap(0x7f7936b10000, 2097152) = 0 [pid 5777] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5777] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5777] ioctl(6, LOOP_CLR_FD) = 0 [pid 5777] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5777] close(6) = 0 [ 164.096943][ T5776] loop0: detected capacity change from 0 to 4096 [ 164.110624][ T5776] ntfs: volume version 12.0. [pid 5777] close(5) = 0 [pid 5777] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5775] <... futex resumed>) = 0 [pid 5777] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5775] exit_group(0 [pid 5777] <... futex resumed>) = ? [pid 5776] <... futex resumed>) = ? [pid 5777] +++ exited with 0 +++ [pid 5776] +++ exited with 0 +++ [pid 5775] <... exit_group resumed>) = ? [pid 5775] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5775, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=14 /* 0.14 s */} --- umount2("./245", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./245", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./245/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./245/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./245/binderfs") = 0 umount2("./245/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./245/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./245/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./245/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./245/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./245/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./245") = 0 mkdir("./246", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5778 attached , child_tidptr=0x555555f17690) = 5778 [pid 5778] set_robust_list(0x555555f176a0, 24) = 0 [pid 5778] chdir("./246") = 0 [pid 5778] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5778] setpgid(0, 0) = 0 [pid 5778] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5778] write(3, "1000", 4) = 4 [pid 5778] close(3) = 0 [pid 5778] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5778] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5778] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5778] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5778] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5778] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5778] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5778] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5779 attached => {parent_tid=[5779]}, 88) = 5779 [pid 5778] rt_sigprocmask(SIG_SETMASK, [], [pid 5779] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5778] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5779] <... rseq resumed>) = 0 [pid 5779] set_robust_list(0x7f79473519a0, 24 [pid 5778] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5778] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5778] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5779] <... set_robust_list resumed>) = 0 [pid 5778] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5778] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5778] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5780 attached => {parent_tid=[5780]}, 88) = 5780 [pid 5780] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5779] rt_sigprocmask(SIG_SETMASK, [], [pid 5780] <... rseq resumed>) = 0 [pid 5779] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5778] rt_sigprocmask(SIG_SETMASK, [], [pid 5780] set_robust_list(0x7f79473309a0, 24 [pid 5778] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5780] <... set_robust_list resumed>) = 0 [pid 5778] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5780] rt_sigprocmask(SIG_SETMASK, [], [pid 5778] <... futex resumed>) = 0 [pid 5780] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5780] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5779] memfd_create("syzkaller", 0 [pid 5778] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5780] <... openat resumed>) = 3 [pid 5780] write(3, "85", 2) = 2 [pid 5780] memfd_create("syzkaller", 0) = 4 [pid 5780] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5779] <... memfd_create resumed>) = 5 [ 164.216984][ T5780] FAULT_INJECTION: forcing a failure. [ 164.216984][ T5780] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 164.232375][ T5780] CPU: 0 PID: 5780 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 164.243534][ T5780] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 164.253770][ T5780] Call Trace: [ 164.257070][ T5780] [ 164.259989][ T5780] dump_stack_lvl+0x1e7/0x2d0 [ 164.264657][ T5780] ? nf_tcp_handle_invalid+0x650/0x650 [ 164.270275][ T5780] ? panic+0x770/0x770 [ 164.274341][ T5780] should_fail_ex+0x3aa/0x4e0 [ 164.279013][ T5780] prepare_alloc_pages+0x1d9/0x5b0 [ 164.284118][ T5780] __alloc_pages+0x165/0x670 [ 164.288784][ T5780] ? zone_statistics+0x170/0x170 [ 164.293915][ T5780] ? verify_lock_unused+0x140/0x140 [ 164.299206][ T5780] ? handle_mm_fault+0x11d/0x62b0 [ 164.304264][ T5780] ? __lock_acquire+0x7f70/0x7f70 [ 164.309340][ T5780] ? pte_offset_map_nolock+0x137/0x1e0 [ 164.314888][ T5780] __folio_alloc+0x13/0x30 [ 164.319398][ T5780] vma_alloc_folio+0x48a/0x9a0 [ 164.324160][ T5780] handle_mm_fault+0x2376/0x62b0 [ 164.329122][ T5780] ? handle_mm_fault+0x11d/0x62b0 [ 164.334186][ T5780] ? numa_migrate_prep+0x380/0x380 [ 164.339645][ T5780] ? mtree_range_walk+0x6a0/0x7e0 [ 164.344752][ T5780] ? lock_vma_under_rcu+0x187/0x6f0 [ 164.349941][ T5780] ? __lock_acquire+0x7f70/0x7f70 [ 164.354952][ T5780] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 164.360145][ T5780] ? lock_vma_under_rcu+0x5df/0x6f0 [ 164.365334][ T5780] ? lock_vma_under_rcu+0x187/0x6f0 [ 164.370539][ T5780] ? exc_page_fault+0x10f/0x860 [ 164.375380][ T5780] exc_page_fault+0x455/0x860 [ 164.380154][ T5780] asm_exc_page_fault+0x26/0x30 [ 164.385116][ T5780] RIP: 0033:0x7f794735bc53 [ 164.389545][ T5780] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 164.410023][ T5780] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5779] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5779] munmap(0x7f7936b10000, 138412032) = 0 [pid 5779] close(5) = 0 [pid 5779] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 164.416086][ T5780] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 164.424058][ T5780] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 164.432015][ T5780] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 164.439975][ T5780] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 164.447935][ T5780] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 164.455912][ T5780] [ 164.460750][ T5780] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5779] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5780] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5780] munmap(0x7f793ef10000, 2097152) = 0 [pid 5780] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [pid 5780] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5780] close(4) = 0 [pid 5780] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5780] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 164.502088][ T5780] loop0: detected capacity change from 0 to 4096 [ 164.519854][ T5780] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 164.526940][ T5780] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5780] ioctl(5, LOOP_CLR_FD) = 0 [pid 5780] close(5) = 0 [pid 5780] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5778] <... futex resumed>) = 0 [pid 5778] exit_group(0 [pid 5779] <... futex resumed>) = ? [pid 5778] <... exit_group resumed>) = ? [pid 5779] +++ exited with 0 +++ [pid 5780] <... futex resumed>) = ? [pid 5780] +++ exited with 0 +++ [pid 5778] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5778, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./246", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./246", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./246/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./246/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./246/binderfs") = 0 umount2("\x2e\x2f\x32\x34\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x34\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x34\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x34\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x34\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./246") = 0 mkdir("./247", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5781 attached , child_tidptr=0x555555f17690) = 5781 [pid 5781] set_robust_list(0x555555f176a0, 24) = 0 [pid 5781] chdir("./247") = 0 [pid 5781] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5781] setpgid(0, 0) = 0 [pid 5781] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5781] write(3, "1000", 4) = 4 [pid 5781] close(3) = 0 [pid 5781] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5781] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5781] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5781] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5781] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5781] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5781] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5781] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5782]}, 88) = 5782 [pid 5781] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5781] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5781] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5782 attached ) = 0 [pid 5781] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5781] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5781] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5781] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5783 attached [pid 5783] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5783] set_robust_list(0x7f79473309a0, 24 [pid 5781] <... clone3 resumed> => {parent_tid=[5783]}, 88) = 5783 [pid 5783] <... set_robust_list resumed>) = 0 [pid 5781] rt_sigprocmask(SIG_SETMASK, [], [pid 5783] rt_sigprocmask(SIG_SETMASK, [], [pid 5781] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5783] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5781] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5783] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5781] <... futex resumed>) = 0 [pid 5781] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5783] <... openat resumed>) = 3 [pid 5783] write(3, "85", 2) = 2 [pid 5783] memfd_create("syzkaller", 0) = 4 [pid 5783] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5782] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5782] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5782] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5782] memfd_create("syzkaller", 0) = 5 [ 164.649863][ T5783] FAULT_INJECTION: forcing a failure. [ 164.649863][ T5783] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 164.663596][ T5783] CPU: 0 PID: 5783 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 164.674020][ T5783] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 164.684077][ T5783] Call Trace: [ 164.687358][ T5783] [ 164.690300][ T5783] dump_stack_lvl+0x1e7/0x2d0 [ 164.694984][ T5783] ? nf_tcp_handle_invalid+0x650/0x650 [ 164.700435][ T5783] ? panic+0x770/0x770 [ 164.704527][ T5783] should_fail_ex+0x3aa/0x4e0 [ 164.709202][ T5783] prepare_alloc_pages+0x1d9/0x5b0 [ 164.714315][ T5783] __alloc_pages+0x165/0x670 [ 164.718910][ T5783] ? zone_statistics+0x170/0x170 [ 164.723854][ T5783] ? verify_lock_unused+0x140/0x140 [ 164.729059][ T5783] ? handle_mm_fault+0x11d/0x62b0 [ 164.734078][ T5783] ? __lock_acquire+0x7f70/0x7f70 [ 164.739097][ T5783] ? pte_offset_map_nolock+0x137/0x1e0 [ 164.744580][ T5783] __folio_alloc+0x13/0x30 [ 164.749017][ T5783] vma_alloc_folio+0x48a/0x9a0 [ 164.753791][ T5783] handle_mm_fault+0x2376/0x62b0 [ 164.758729][ T5783] ? handle_mm_fault+0x11d/0x62b0 [ 164.763754][ T5783] ? numa_migrate_prep+0x380/0x380 [ 164.768921][ T5783] ? mtree_range_walk+0x6a0/0x7e0 [ 164.773979][ T5783] ? lock_vma_under_rcu+0x187/0x6f0 [ 164.779170][ T5783] ? __lock_acquire+0x7f70/0x7f70 [ 164.784192][ T5783] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 164.789415][ T5783] ? lock_vma_under_rcu+0x5df/0x6f0 [ 164.794606][ T5783] ? lock_vma_under_rcu+0x187/0x6f0 [ 164.799824][ T5783] ? exc_page_fault+0x10f/0x860 [ 164.804776][ T5783] exc_page_fault+0x455/0x860 [ 164.809452][ T5783] asm_exc_page_fault+0x26/0x30 [ 164.814308][ T5783] RIP: 0033:0x7f794735bc53 [ 164.818733][ T5783] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 164.838429][ T5783] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5782] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5783] munmap(0x7f793ef10000, 138412032) = 0 [pid 5783] close(4) = 0 [pid 5783] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5781] <... futex resumed>) = 0 [pid 5783] <... futex resumed>) = 1 [pid 5783] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 164.844655][ T5783] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 164.852632][ T5783] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 164.860598][ T5783] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 164.868563][ T5783] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 164.876550][ T5783] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 164.884632][ T5783] [ 164.893013][ T5783] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5782] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5782] munmap(0x7f7936b10000, 2097152) = 0 [pid 5782] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5782] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5782] close(5) = 0 [pid 5782] mkdir("./file0", 0777) = 0 [pid 5782] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5782] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5782] chdir("./file0") = 0 [pid 5782] ioctl(4, LOOP_CLR_FD) = 0 [pid 5782] close(4) = 0 [pid 5782] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5782] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5781] exit_group(0 [pid 5782] <... futex resumed>) = ? [pid 5781] <... exit_group resumed>) = ? [pid 5782] +++ exited with 0 +++ [pid 5783] <... futex resumed>) = ? [pid 5783] +++ exited with 0 +++ [pid 5781] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5781, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=8 /* 0.08 s */} --- umount2("./247", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./247", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./247/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./247/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./247/binderfs") = 0 [ 164.939404][ T5782] loop0: detected capacity change from 0 to 4096 [ 164.952387][ T5782] ntfs: volume version 12.0. umount2("./247/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./247/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./247/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./247/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./247/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./247/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./247") = 0 mkdir("./248", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5784 attached , child_tidptr=0x555555f17690) = 5784 [pid 5784] set_robust_list(0x555555f176a0, 24) = 0 [pid 5784] chdir("./248") = 0 [pid 5784] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5784] setpgid(0, 0) = 0 [pid 5784] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5784] write(3, "1000", 4) = 4 [pid 5784] close(3) = 0 [pid 5784] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5784] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5784] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5784] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5784] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5784] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5784] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5784] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5785 attached [pid 5785] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5784] <... clone3 resumed> => {parent_tid=[5785]}, 88) = 5785 [pid 5785] <... rseq resumed>) = 0 [pid 5784] rt_sigprocmask(SIG_SETMASK, [], [pid 5785] set_robust_list(0x7f79473519a0, 24 [pid 5784] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5785] <... set_robust_list resumed>) = 0 [pid 5784] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5785] rt_sigprocmask(SIG_SETMASK, [], [pid 5784] <... futex resumed>) = 0 [pid 5785] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5784] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5785] memfd_create("syzkaller", 0 [pid 5784] <... futex resumed>) = 0 [pid 5784] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5784] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5784] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5784] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5786]}, 88) = 5786 ./strace-static-x86_64: Process 5786 attached [pid 5785] <... memfd_create resumed>) = 3 [pid 5784] rt_sigprocmask(SIG_SETMASK, [], [pid 5785] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5784] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5785] <... mmap resumed>) = 0x7f793ef10000 [pid 5784] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5784] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5786] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5786] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5786] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5786] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5785] munmap(0x7f793ef10000, 138412032 [pid 5786] <... openat resumed>) = 4 [pid 5786] write(4, "85", 2) = 2 [pid 5786] memfd_create("syzkaller", 0 [pid 5785] <... munmap resumed>) = 0 [pid 5785] close(3 [pid 5786] <... memfd_create resumed>) = 5 [pid 5786] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5785] <... close resumed>) = 0 [pid 5785] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 165.047959][ T5786] FAULT_INJECTION: forcing a failure. [ 165.047959][ T5786] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 165.062570][ T5786] CPU: 0 PID: 5786 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 165.073037][ T5786] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 165.083097][ T5786] Call Trace: [ 165.086409][ T5786] [ 165.089342][ T5786] dump_stack_lvl+0x1e7/0x2d0 [ 165.094056][ T5786] ? nf_tcp_handle_invalid+0x650/0x650 [ 165.099626][ T5786] ? panic+0x770/0x770 [ 165.103897][ T5786] should_fail_ex+0x3aa/0x4e0 [ 165.108588][ T5786] prepare_alloc_pages+0x1d9/0x5b0 [ 165.113735][ T5786] __alloc_pages+0x165/0x670 [ 165.118329][ T5786] ? zone_statistics+0x170/0x170 [ 165.123270][ T5786] ? verify_lock_unused+0x140/0x140 [ 165.128482][ T5786] ? handle_mm_fault+0x11d/0x62b0 [ 165.133528][ T5786] ? __lock_acquire+0x7f70/0x7f70 [ 165.138560][ T5786] ? pte_offset_map_nolock+0x137/0x1e0 [ 165.144046][ T5786] __folio_alloc+0x13/0x30 [ 165.148489][ T5786] vma_alloc_folio+0x48a/0x9a0 [ 165.153297][ T5786] handle_mm_fault+0x2376/0x62b0 [ 165.158273][ T5786] ? handle_mm_fault+0x11d/0x62b0 [ 165.163397][ T5786] ? numa_migrate_prep+0x380/0x380 [ 165.168541][ T5786] ? mtree_range_walk+0x6a0/0x7e0 [ 165.173648][ T5786] ? lock_vma_under_rcu+0x187/0x6f0 [ 165.178854][ T5786] ? __lock_acquire+0x7f70/0x7f70 [ 165.183978][ T5786] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 165.189224][ T5786] ? lock_vma_under_rcu+0x5df/0x6f0 [ 165.194433][ T5786] ? lock_vma_under_rcu+0x187/0x6f0 [ 165.199633][ T5786] ? exc_page_fault+0x10f/0x860 [ 165.204477][ T5786] exc_page_fault+0x455/0x860 [ 165.209166][ T5786] asm_exc_page_fault+0x26/0x30 [ 165.214021][ T5786] RIP: 0033:0x7f794735bd00 [ 165.218423][ T5786] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 165.238022][ T5786] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5785] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5786] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5786] munmap(0x7f793ef10000, 2097152) = 0 [pid 5786] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 165.244087][ T5786] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 165.252573][ T5786] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 165.260544][ T5786] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 165.268517][ T5786] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 165.276564][ T5786] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 165.284534][ T5786] [ 165.287918][ T5786] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5786] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5786] close(5) = 0 [pid 5786] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5786] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 165.326331][ T5786] loop0: detected capacity change from 0 to 4096 [ 165.342155][ T5786] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 165.349212][ T5786] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5786] ioctl(3, LOOP_CLR_FD) = 0 [pid 5786] close(3) = 0 [pid 5786] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5784] <... futex resumed>) = 0 [pid 5784] exit_group(0) = ? [pid 5785] <... futex resumed>) = ? [pid 5785] +++ exited with 0 +++ [pid 5786] <... futex resumed>) = ? [pid 5786] +++ exited with 0 +++ [pid 5784] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5784, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=7 /* 0.07 s */} --- umount2("./248", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./248", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./248/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./248/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./248/binderfs") = 0 umount2("\x2e\x2f\x32\x34\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x34\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x34\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x34\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x34\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./248") = 0 mkdir("./249", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5787 attached , child_tidptr=0x555555f17690) = 5787 [pid 5787] set_robust_list(0x555555f176a0, 24) = 0 [pid 5787] chdir("./249") = 0 [pid 5787] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5787] setpgid(0, 0) = 0 [pid 5787] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5787] write(3, "1000", 4) = 4 [pid 5787] close(3) = 0 [pid 5787] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5787] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5787] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5787] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5787] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5787] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5787] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5787] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5788 attached => {parent_tid=[5788]}, 88) = 5788 [pid 5788] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5787] rt_sigprocmask(SIG_SETMASK, [], [pid 5788] <... rseq resumed>) = 0 [pid 5787] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5788] set_robust_list(0x7f79473519a0, 24 [pid 5787] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5788] <... set_robust_list resumed>) = 0 [pid 5787] <... futex resumed>) = 0 [pid 5788] rt_sigprocmask(SIG_SETMASK, [], [pid 5787] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5788] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5787] <... futex resumed>) = 0 [pid 5787] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5787] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5788] memfd_create("syzkaller", 0 [pid 5787] <... mprotect resumed>) = 0 [pid 5788] <... memfd_create resumed>) = 3 [pid 5788] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5787] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5788] <... mmap resumed>) = 0x7f793ef10000 [pid 5787] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5787] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5789]}, 88) = 5789 [pid 5787] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5787] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5787] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5789 attached [pid 5789] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5789] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5789] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5789] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5789] write(4, "85", 2) = 2 [pid 5789] memfd_create("syzkaller", 0) = 5 [pid 5789] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5788] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 165.498147][ T5789] FAULT_INJECTION: forcing a failure. [ 165.498147][ T5789] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 165.511513][ T5789] CPU: 1 PID: 5789 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 165.521947][ T5789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 165.532021][ T5789] Call Trace: [ 165.535294][ T5789] [ 165.538231][ T5789] dump_stack_lvl+0x1e7/0x2d0 [ 165.542915][ T5789] ? nf_tcp_handle_invalid+0x650/0x650 [ 165.548375][ T5789] ? panic+0x770/0x770 [ 165.552454][ T5789] should_fail_ex+0x3aa/0x4e0 [ 165.557138][ T5789] prepare_alloc_pages+0x1d9/0x5b0 [ 165.562268][ T5789] __alloc_pages+0x165/0x670 [ 165.566866][ T5789] ? zone_statistics+0x170/0x170 [ 165.571826][ T5789] ? verify_lock_unused+0x140/0x140 [ 165.577042][ T5789] ? handle_mm_fault+0x11d/0x62b0 [ 165.582076][ T5789] ? __lock_acquire+0x7f70/0x7f70 [ 165.587118][ T5789] ? pte_offset_map_nolock+0x137/0x1e0 [ 165.592591][ T5789] __folio_alloc+0x13/0x30 [ 165.597011][ T5789] vma_alloc_folio+0x48a/0x9a0 [ 165.601780][ T5789] handle_mm_fault+0x2376/0x62b0 [ 165.606734][ T5789] ? handle_mm_fault+0x11d/0x62b0 [ 165.611771][ T5789] ? numa_migrate_prep+0x380/0x380 [ 165.616895][ T5789] ? mtree_range_walk+0x6a0/0x7e0 [ 165.621921][ T5789] ? lock_vma_under_rcu+0x187/0x6f0 [ 165.627202][ T5789] ? __lock_acquire+0x7f70/0x7f70 [ 165.632221][ T5789] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 165.637429][ T5789] ? lock_vma_under_rcu+0x5df/0x6f0 [ 165.642625][ T5789] ? lock_vma_under_rcu+0x187/0x6f0 [ 165.647832][ T5789] ? exc_page_fault+0x10f/0x860 [ 165.652684][ T5789] exc_page_fault+0x455/0x860 [ 165.657358][ T5789] asm_exc_page_fault+0x26/0x30 [ 165.662218][ T5789] RIP: 0033:0x7f794735bc53 [ 165.666627][ T5789] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 165.686230][ T5789] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5788] munmap(0x7f793ef10000, 2097152) = 0 [pid 5788] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 165.692290][ T5789] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 165.700252][ T5789] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 165.708213][ T5789] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 165.716176][ T5789] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 165.724155][ T5789] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 165.732658][ T5789] [ 165.737605][ T5789] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5788] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5788] close(3) = 0 [pid 5788] mkdir("./file0", 0777) = 0 [pid 5788] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5789] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5788] <... mount resumed>) = 0 [pid 5788] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5788] chdir("./file0") = 0 [pid 5788] ioctl(6, LOOP_CLR_FD) = 0 [pid 5788] close(6) = 0 [pid 5788] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5788] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5789] <... write resumed>) = 2097152 [pid 5789] munmap(0x7f7936b10000, 2097152) = 0 [pid 5789] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5789] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5789] ioctl(6, LOOP_CLR_FD) = 0 [pid 5789] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5789] close(6) = 0 [ 165.751805][ T5788] loop0: detected capacity change from 0 to 4096 [ 165.769049][ T5788] ntfs: volume version 12.0. [pid 5789] close(5) = 0 [pid 5789] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5787] <... futex resumed>) = 0 [pid 5787] exit_group(0 [pid 5789] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5788] <... futex resumed>) = ? [pid 5788] +++ exited with 0 +++ [pid 5789] +++ exited with 0 +++ [pid 5787] <... exit_group resumed>) = ? [pid 5787] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5787, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=19 /* 0.19 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./249", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./249", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./249/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./249/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./249/binderfs") = 0 umount2("./249/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./249/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./249/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./249/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./249/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./249/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./249") = 0 mkdir("./250", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5790 ./strace-static-x86_64: Process 5790 attached [pid 5790] set_robust_list(0x555555f176a0, 24) = 0 [pid 5790] chdir("./250") = 0 [pid 5790] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5790] setpgid(0, 0) = 0 [pid 5790] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5790] write(3, "1000", 4) = 4 [pid 5790] close(3) = 0 [pid 5790] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5790] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5790] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5790] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5790] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5790] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5790] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5790] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5791 attached => {parent_tid=[5791]}, 88) = 5791 [pid 5791] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5790] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5790] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5791] <... rseq resumed>) = 0 [pid 5791] set_robust_list(0x7f79473519a0, 24 [pid 5790] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5791] <... set_robust_list resumed>) = 0 [pid 5791] rt_sigprocmask(SIG_SETMASK, [], [pid 5790] <... futex resumed>) = 0 [pid 5790] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5791] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5790] <... mmap resumed>) = 0x7f7947310000 [pid 5790] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5790] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5790] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5792 attached [pid 5792] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5790] <... clone3 resumed> => {parent_tid=[5792]}, 88) = 5792 [pid 5792] set_robust_list(0x7f79473309a0, 24 [pid 5790] rt_sigprocmask(SIG_SETMASK, [], [pid 5792] <... set_robust_list resumed>) = 0 [pid 5790] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5792] rt_sigprocmask(SIG_SETMASK, [], [pid 5791] memfd_create("syzkaller", 0 [pid 5790] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5792] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5790] <... futex resumed>) = 0 [pid 5791] <... memfd_create resumed>) = 3 [pid 5792] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5790] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5791] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5791] munmap(0x7f793ef10000, 138412032) = 0 [pid 5791] close(3) = 0 [pid 5792] <... openat resumed>) = 4 [pid 5792] write(4, "85", 2) = 2 [pid 5792] memfd_create("syzkaller", 0) = 3 [pid 5791] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5792] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5791] <... futex resumed>) = 0 [pid 5791] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5792] <... mmap resumed>) = 0x7f793ef10000 [ 165.912446][ T5792] FAULT_INJECTION: forcing a failure. [ 165.912446][ T5792] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 165.925806][ T5792] CPU: 0 PID: 5792 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 165.936273][ T5792] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 165.946322][ T5792] Call Trace: [ 165.949594][ T5792] [ 165.952514][ T5792] dump_stack_lvl+0x1e7/0x2d0 [ 165.957208][ T5792] ? nf_tcp_handle_invalid+0x650/0x650 [ 165.962669][ T5792] ? panic+0x770/0x770 [ 165.966776][ T5792] should_fail_ex+0x3aa/0x4e0 [ 165.971467][ T5792] prepare_alloc_pages+0x1d9/0x5b0 [ 165.976598][ T5792] __alloc_pages+0x165/0x670 [ 165.981209][ T5792] ? zone_statistics+0x170/0x170 [ 165.986161][ T5792] ? verify_lock_unused+0x140/0x140 [ 165.991389][ T5792] ? handle_mm_fault+0x11d/0x62b0 [ 165.996497][ T5792] ? __lock_acquire+0x7f70/0x7f70 [ 166.001513][ T5792] ? pte_offset_map_nolock+0x137/0x1e0 [ 166.006966][ T5792] __folio_alloc+0x13/0x30 [ 166.011378][ T5792] vma_alloc_folio+0x48a/0x9a0 [ 166.016153][ T5792] handle_mm_fault+0x2376/0x62b0 [ 166.021090][ T5792] ? handle_mm_fault+0x11d/0x62b0 [ 166.026110][ T5792] ? numa_migrate_prep+0x380/0x380 [ 166.031238][ T5792] ? mtree_range_walk+0x6a0/0x7e0 [ 166.036310][ T5792] ? lock_vma_under_rcu+0x187/0x6f0 [ 166.041502][ T5792] ? __lock_acquire+0x7f70/0x7f70 [ 166.046526][ T5792] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 166.051754][ T5792] ? lock_vma_under_rcu+0x5df/0x6f0 [ 166.057029][ T5792] ? lock_vma_under_rcu+0x187/0x6f0 [ 166.062266][ T5792] ? exc_page_fault+0x10f/0x860 [ 166.067136][ T5792] exc_page_fault+0x455/0x860 [ 166.071826][ T5792] asm_exc_page_fault+0x26/0x30 [ 166.076782][ T5792] RIP: 0033:0x7f794735bd00 [ 166.081217][ T5792] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 166.102740][ T5792] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5792] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5792] munmap(0x7f793ef10000, 2097152) = 0 [pid 5792] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 166.108825][ T5792] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 166.116798][ T5792] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 166.124855][ T5792] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 166.132832][ T5792] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 166.140825][ T5792] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 166.148807][ T5792] [ 166.154561][ T5792] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5792] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5792] close(3) = 0 [pid 5792] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5792] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 166.191358][ T5792] loop0: detected capacity change from 0 to 4096 [ 166.208109][ T5792] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 166.215228][ T5792] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5792] ioctl(5, LOOP_CLR_FD) = 0 [pid 5792] close(5) = 0 [pid 5792] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5790] <... futex resumed>) = 0 [pid 5792] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5790] exit_group(0 [pid 5792] <... futex resumed>) = ? [pid 5791] <... futex resumed>) = ? [pid 5790] <... exit_group resumed>) = ? [pid 5792] +++ exited with 0 +++ [pid 5791] +++ exited with 0 +++ [pid 5790] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5790, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./250", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./250", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./250/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./250/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./250/binderfs") = 0 umount2("\x2e\x2f\x32\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x35\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./250") = 0 mkdir("./251", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5793 attached [pid 5793] set_robust_list(0x555555f176a0, 24) = 0 [pid 5793] chdir("./251") = 0 [pid 5793] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5793] setpgid(0, 0) = 0 [pid 5793] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5793] write(3, "1000", 4) = 4 [pid 5793] close(3) = 0 [pid 5793] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5793] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5793] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5793] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5793 [pid 5793] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5793] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5793] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5793] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5793] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5794]}, 88) = 5794 ./strace-static-x86_64: Process 5794 attached [pid 5793] rt_sigprocmask(SIG_SETMASK, [], [pid 5794] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5793] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5794] <... rseq resumed>) = 0 [pid 5794] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5794] rt_sigprocmask(SIG_SETMASK, [], [pid 5793] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5794] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5793] <... futex resumed>) = 0 [pid 5793] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5793] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5793] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5793] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5793] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5795 attached [pid 5795] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5794] memfd_create("syzkaller", 0 [pid 5793] <... clone3 resumed> => {parent_tid=[5795]}, 88) = 5795 [pid 5795] <... rseq resumed>) = 0 [pid 5793] rt_sigprocmask(SIG_SETMASK, [], [pid 5795] set_robust_list(0x7f79473309a0, 24 [pid 5793] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5795] <... set_robust_list resumed>) = 0 [pid 5793] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5795] rt_sigprocmask(SIG_SETMASK, [], [pid 5793] <... futex resumed>) = 0 [pid 5794] <... memfd_create resumed>) = 3 [pid 5795] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5793] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5795] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5794] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5795] <... openat resumed>) = 4 [pid 5794] munmap(0x7f793ef10000, 138412032) = 0 [pid 5794] close(3) = 0 [pid 5795] write(4, "85", 2 [pid 5794] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5795] <... write resumed>) = 2 [pid 5795] memfd_create("syzkaller", 0 [pid 5794] <... futex resumed>) = 0 [pid 5795] <... memfd_create resumed>) = 3 [pid 5794] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5795] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 166.327797][ T5795] FAULT_INJECTION: forcing a failure. [ 166.327797][ T5795] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 166.341341][ T5795] CPU: 1 PID: 5795 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 166.351866][ T5795] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 166.361927][ T5795] Call Trace: [ 166.365308][ T5795] [ 166.368248][ T5795] dump_stack_lvl+0x1e7/0x2d0 [ 166.372943][ T5795] ? nf_tcp_handle_invalid+0x650/0x650 [ 166.378778][ T5795] ? panic+0x770/0x770 [ 166.382863][ T5795] should_fail_ex+0x3aa/0x4e0 [ 166.387543][ T5795] prepare_alloc_pages+0x1d9/0x5b0 [ 166.392673][ T5795] __alloc_pages+0x165/0x670 [ 166.397371][ T5795] ? zone_statistics+0x170/0x170 [ 166.402307][ T5795] ? verify_lock_unused+0x140/0x140 [ 166.407557][ T5795] ? handle_mm_fault+0x11d/0x62b0 [ 166.412599][ T5795] ? __lock_acquire+0x7f70/0x7f70 [ 166.417669][ T5795] ? pte_offset_map_nolock+0x137/0x1e0 [ 166.423136][ T5795] __folio_alloc+0x13/0x30 [ 166.427556][ T5795] vma_alloc_folio+0x48a/0x9a0 [ 166.432411][ T5795] handle_mm_fault+0x2376/0x62b0 [ 166.437612][ T5795] ? handle_mm_fault+0x11d/0x62b0 [ 166.442638][ T5795] ? numa_migrate_prep+0x380/0x380 [ 166.447755][ T5795] ? mtree_range_walk+0x6a0/0x7e0 [ 166.453035][ T5795] ? lock_vma_under_rcu+0x187/0x6f0 [ 166.458228][ T5795] ? __lock_acquire+0x7f70/0x7f70 [ 166.463246][ T5795] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 166.468457][ T5795] ? lock_vma_under_rcu+0x5df/0x6f0 [ 166.473744][ T5795] ? lock_vma_under_rcu+0x187/0x6f0 [ 166.479293][ T5795] ? exc_page_fault+0x10f/0x860 [ 166.484139][ T5795] exc_page_fault+0x455/0x860 [ 166.488815][ T5795] asm_exc_page_fault+0x26/0x30 [ 166.493662][ T5795] RIP: 0033:0x7f794735bc53 [ 166.498075][ T5795] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 166.517699][ T5795] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5795] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5795] munmap(0x7f793ef10000, 2097152) = 0 [pid 5795] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 166.523762][ T5795] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 166.531810][ T5795] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 166.539771][ T5795] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 166.547732][ T5795] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 166.556223][ T5795] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 166.564202][ T5795] [ 166.567648][ T5795] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5795] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5795] close(3) = 0 [pid 5795] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5795] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5795] ioctl(5, LOOP_CLR_FD) = 0 [pid 5795] close(5) = 0 [pid 5795] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5793] <... futex resumed>) = 0 [pid 5793] exit_group(0 [pid 5795] <... futex resumed>) = 1 [ 166.606915][ T5795] loop0: detected capacity change from 0 to 4096 [ 166.624641][ T5795] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 166.631765][ T5795] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5795] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5794] <... futex resumed>) = ? [pid 5793] <... exit_group resumed>) = ? [pid 5795] +++ exited with 0 +++ [pid 5794] +++ exited with 0 +++ [pid 5793] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5793, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./251", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./251", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./251/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./251/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./251/binderfs") = 0 umount2("\x2e\x2f\x32\x35\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x35\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x35\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x35\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x35\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./251") = 0 mkdir("./252", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5796 attached , child_tidptr=0x555555f17690) = 5796 [pid 5796] set_robust_list(0x555555f176a0, 24) = 0 [pid 5796] chdir("./252") = 0 [pid 5796] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5796] setpgid(0, 0) = 0 [pid 5796] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5796] write(3, "1000", 4) = 4 [pid 5796] close(3) = 0 [pid 5796] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5796] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5796] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5796] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5796] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5796] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5796] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5796] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5797 attached [pid 5797] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5796] <... clone3 resumed> => {parent_tid=[5797]}, 88) = 5797 [pid 5797] set_robust_list(0x7f79473519a0, 24 [pid 5796] rt_sigprocmask(SIG_SETMASK, [], [pid 5797] <... set_robust_list resumed>) = 0 [pid 5796] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5797] rt_sigprocmask(SIG_SETMASK, [], [pid 5796] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5797] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5796] <... futex resumed>) = 0 [pid 5797] memfd_create("syzkaller", 0 [pid 5796] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5796] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5796] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5796] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5797] <... memfd_create resumed>) = 3 [pid 5796] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5797] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5796] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5797] <... mmap resumed>) = 0x7f793ef10000 ./strace-static-x86_64: Process 5798 attached [pid 5796] <... clone3 resumed> => {parent_tid=[5798]}, 88) = 5798 [pid 5796] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5796] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5798] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5796] <... futex resumed>) = 0 [pid 5798] set_robust_list(0x7f79473309a0, 24 [pid 5796] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5798] <... set_robust_list resumed>) = 0 [pid 5798] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5798] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5798] write(4, "85", 2) = 2 [pid 5798] memfd_create("syzkaller", 0) = 5 [pid 5798] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5797] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 166.750638][ T5798] FAULT_INJECTION: forcing a failure. [ 166.750638][ T5798] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 166.764062][ T5798] CPU: 1 PID: 5798 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 166.774513][ T5798] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 166.784597][ T5798] Call Trace: [ 166.787989][ T5798] [ 166.791008][ T5798] dump_stack_lvl+0x1e7/0x2d0 [ 166.795683][ T5798] ? nf_tcp_handle_invalid+0x650/0x650 [ 166.801142][ T5798] ? panic+0x770/0x770 [ 166.805209][ T5798] should_fail_ex+0x3aa/0x4e0 [ 166.809902][ T5798] prepare_alloc_pages+0x1d9/0x5b0 [ 166.815047][ T5798] __alloc_pages+0x165/0x670 [ 166.819647][ T5798] ? zone_statistics+0x170/0x170 [ 166.824601][ T5798] ? verify_lock_unused+0x140/0x140 [ 166.829800][ T5798] ? handle_mm_fault+0x11d/0x62b0 [ 166.834823][ T5798] ? __lock_acquire+0x7f70/0x7f70 [ 166.839839][ T5798] ? pte_offset_map_nolock+0x137/0x1e0 [ 166.845297][ T5798] __folio_alloc+0x13/0x30 [ 166.849796][ T5798] vma_alloc_folio+0x48a/0x9a0 [ 166.854565][ T5798] handle_mm_fault+0x2376/0x62b0 [ 166.859595][ T5798] ? handle_mm_fault+0x11d/0x62b0 [ 166.864625][ T5798] ? numa_migrate_prep+0x380/0x380 [ 166.869835][ T5798] ? mtree_range_walk+0x6a0/0x7e0 [ 166.875377][ T5798] ? lock_vma_under_rcu+0x187/0x6f0 [ 166.880600][ T5798] ? __lock_acquire+0x7f70/0x7f70 [ 166.885878][ T5798] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 166.891197][ T5798] ? lock_vma_under_rcu+0x5df/0x6f0 [ 166.896591][ T5798] ? lock_vma_under_rcu+0x187/0x6f0 [ 166.901847][ T5798] ? exc_page_fault+0x10f/0x860 [ 166.906727][ T5798] exc_page_fault+0x455/0x860 [ 166.911415][ T5798] asm_exc_page_fault+0x26/0x30 [ 166.916282][ T5798] RIP: 0033:0x7f794735bc53 [ 166.920696][ T5798] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 166.940319][ T5798] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5797] munmap(0x7f793ef10000, 2097152) = 0 [pid 5797] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 166.946408][ T5798] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 166.954406][ T5798] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 166.962407][ T5798] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 166.970385][ T5798] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 166.978353][ T5798] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 166.986434][ T5798] [ 166.989843][ T5798] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5797] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5797] close(3) = 0 [pid 5797] mkdir("./file0", 0777) = 0 [pid 5797] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5798] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 167.004833][ T5797] loop0: detected capacity change from 0 to 4096 [ 167.022151][ T5797] __ntfs_error: 99 callbacks suppressed [ 167.022168][ T5797] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [ 167.038942][ T5797] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [pid 5798] munmap(0x7f7936b10000, 2097152) = 0 [pid 5798] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5798] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5798] ioctl(3, LOOP_CLR_FD) = 0 [pid 5798] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5798] close(3) = 0 [pid 5798] close(5) = 0 [pid 5798] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5798] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5796] <... futex resumed>) = 0 [ 167.052781][ T5797] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 167.068179][ T5797] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [ 167.082419][ T5797] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 167.091116][ T5797] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 167.104951][ T5797] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 167.118368][ T5797] ntfs: volume version 12.0. [ 167.123125][ T5797] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. [ 167.131962][ T5797] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x2 as bad. Run chkdsk. [pid 5797] <... mount resumed>) = 0 [pid 5797] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5797] chdir("./file0") = 0 [pid 5797] ioctl(6, LOOP_CLR_FD) = 0 [pid 5797] close(6) = 0 [pid 5797] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5796] exit_group(0 [pid 5798] <... futex resumed>) = ? [pid 5797] <... futex resumed>) = ? [pid 5796] <... exit_group resumed>) = ? [pid 5798] +++ exited with 0 +++ [pid 5797] +++ exited with 0 +++ [pid 5796] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5796, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=27 /* 0.27 s */} --- umount2("./252", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./252", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./252/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./252/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./252/binderfs") = 0 [ 167.145585][ T5797] ntfs: (device loop0): load_system_files(): Failed to load $LogFile. Will not be able to remount read-write. Mount in Windows. umount2("./252/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./252/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./252/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./252/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./252/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./252/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./252") = 0 mkdir("./253", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5799 attached , child_tidptr=0x555555f17690) = 5799 [pid 5799] set_robust_list(0x555555f176a0, 24) = 0 [pid 5799] chdir("./253") = 0 [pid 5799] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5799] setpgid(0, 0) = 0 [pid 5799] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5799] write(3, "1000", 4) = 4 [pid 5799] close(3) = 0 [pid 5799] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5799] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5799] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5799] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5799] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5799] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5799] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5799] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5800 attached => {parent_tid=[5800]}, 88) = 5800 [pid 5800] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5800] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5800] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5800] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5799] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5799] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5800] <... futex resumed>) = 0 [pid 5799] <... futex resumed>) = 1 [pid 5799] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5799] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5800] memfd_create("syzkaller", 0) = 3 [pid 5800] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5799] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5800] <... mmap resumed>) = 0x7f793ef10000 [pid 5799] <... mprotect resumed>) = 0 [pid 5799] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5799] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5801 attached [pid 5801] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5801] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5799] <... clone3 resumed> => {parent_tid=[5801]}, 88) = 5801 [pid 5801] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5799] rt_sigprocmask(SIG_SETMASK, [], [pid 5801] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5799] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5799] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5801] <... futex resumed>) = 0 [pid 5799] <... futex resumed>) = 1 [pid 5799] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5801] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5800] munmap(0x7f793ef10000, 138412032 [pid 5801] write(4, "85", 2 [pid 5800] <... munmap resumed>) = 0 [pid 5801] <... write resumed>) = 2 [pid 5800] close(3 [pid 5801] memfd_create("syzkaller", 0 [pid 5800] <... close resumed>) = 0 [pid 5800] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5801] <... memfd_create resumed>) = 3 [pid 5800] <... futex resumed>) = 0 [pid 5801] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5800] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5801] <... mmap resumed>) = 0x7f793ef10000 [ 167.260815][ T5801] FAULT_INJECTION: forcing a failure. [ 167.260815][ T5801] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 167.274450][ T5801] CPU: 1 PID: 5801 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 167.284877][ T5801] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 167.294923][ T5801] Call Trace: [ 167.298193][ T5801] [ 167.301114][ T5801] dump_stack_lvl+0x1e7/0x2d0 [ 167.305791][ T5801] ? nf_tcp_handle_invalid+0x650/0x650 [ 167.311235][ T5801] ? panic+0x770/0x770 [ 167.315297][ T5801] should_fail_ex+0x3aa/0x4e0 [ 167.319968][ T5801] prepare_alloc_pages+0x1d9/0x5b0 [ 167.325126][ T5801] __alloc_pages+0x165/0x670 [ 167.329707][ T5801] ? zone_statistics+0x170/0x170 [ 167.334635][ T5801] ? verify_lock_unused+0x140/0x140 [ 167.339837][ T5801] ? handle_mm_fault+0x11d/0x62b0 [ 167.344857][ T5801] ? __lock_acquire+0x7f70/0x7f70 [ 167.349864][ T5801] ? pte_offset_map_nolock+0x137/0x1e0 [ 167.355340][ T5801] __folio_alloc+0x13/0x30 [ 167.359745][ T5801] vma_alloc_folio+0x48a/0x9a0 [ 167.364506][ T5801] handle_mm_fault+0x2376/0x62b0 [ 167.369449][ T5801] ? handle_mm_fault+0x11d/0x62b0 [ 167.374491][ T5801] ? numa_migrate_prep+0x380/0x380 [ 167.379796][ T5801] ? mtree_range_walk+0x6a0/0x7e0 [ 167.384972][ T5801] ? lock_vma_under_rcu+0x187/0x6f0 [ 167.390372][ T5801] ? __lock_acquire+0x7f70/0x7f70 [ 167.395390][ T5801] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 167.400683][ T5801] ? lock_vma_under_rcu+0x5df/0x6f0 [ 167.405881][ T5801] ? lock_vma_under_rcu+0x187/0x6f0 [ 167.411177][ T5801] ? exc_page_fault+0x10f/0x860 [ 167.416026][ T5801] exc_page_fault+0x455/0x860 [ 167.420723][ T5801] asm_exc_page_fault+0x26/0x30 [ 167.425567][ T5801] RIP: 0033:0x7f794735bd00 [ 167.429986][ T5801] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 167.449623][ T5801] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5801] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5801] munmap(0x7f793ef10000, 2097152) = 0 [pid 5801] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 167.455685][ T5801] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 167.463740][ T5801] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 167.471716][ T5801] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 167.479710][ T5801] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 167.492163][ T5801] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 167.500503][ T5801] [pid 5801] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5801] close(3) = 0 [pid 5801] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5801] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5801] ioctl(5, LOOP_CLR_FD) = 0 [pid 5801] close(5) = 0 [pid 5801] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5799] <... futex resumed>) = 0 [pid 5801] <... futex resumed>) = 1 [pid 5799] exit_group(0 [pid 5801] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5799] <... exit_group resumed>) = ? [pid 5801] <... futex resumed>) = ? [pid 5801] +++ exited with 0 +++ [pid 5800] <... futex resumed>) = ? [pid 5800] +++ exited with 0 +++ [pid 5799] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5799, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=9 /* 0.09 s */} --- umount2("./253", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./253", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [ 167.537185][ T5801] loop0: detected capacity change from 0 to 4096 [ 167.555232][ T5801] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 167.562491][ T5801] ntfs3: loop0: Failed to load $AttrDef (-22) newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./253/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./253/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./253/binderfs") = 0 umount2("\x2e\x2f\x32\x35\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x35\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x35\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x35\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x35\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./253") = 0 mkdir("./254", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5802 attached , child_tidptr=0x555555f17690) = 5802 [pid 5802] set_robust_list(0x555555f176a0, 24) = 0 [pid 5802] chdir("./254") = 0 [pid 5802] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5802] setpgid(0, 0) = 0 [pid 5802] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5802] write(3, "1000", 4) = 4 [pid 5802] close(3) = 0 [pid 5802] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5802] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5802] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5802] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5802] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5802] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5802] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5802] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5803]}, 88) = 5803 [pid 5802] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5802] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5803 attached ) = 0 [pid 5803] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5802] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5802] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5803] <... rseq resumed>) = 0 [pid 5803] set_robust_list(0x7f79473519a0, 24 [pid 5802] <... mmap resumed>) = 0x7f7947310000 [pid 5803] <... set_robust_list resumed>) = 0 [pid 5802] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5803] rt_sigprocmask(SIG_SETMASK, [], [pid 5802] <... mprotect resumed>) = 0 [pid 5803] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5802] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5802] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5804 attached [pid 5804] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5804] set_robust_list(0x7f79473309a0, 24 [pid 5803] memfd_create("syzkaller", 0 [pid 5802] <... clone3 resumed> => {parent_tid=[5804]}, 88) = 5804 [pid 5804] <... set_robust_list resumed>) = 0 [pid 5803] <... memfd_create resumed>) = 3 [pid 5802] rt_sigprocmask(SIG_SETMASK, [], [pid 5804] rt_sigprocmask(SIG_SETMASK, [], [pid 5802] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5804] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5802] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5804] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5803] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5802] <... futex resumed>) = 0 [pid 5802] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5803] <... mmap resumed>) = 0x7f793ef10000 [pid 5803] munmap(0x7f793ef10000, 138412032) = 0 [pid 5803] close(3) = 0 [pid 5803] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5803] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5804] <... openat resumed>) = 4 [pid 5804] write(4, "85", 2) = 2 [pid 5804] memfd_create("syzkaller", 0) = 3 [pid 5804] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 167.673091][ T5804] FAULT_INJECTION: forcing a failure. [ 167.673091][ T5804] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 167.687038][ T5804] CPU: 0 PID: 5804 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 167.697489][ T5804] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 167.707553][ T5804] Call Trace: [ 167.710833][ T5804] [ 167.713844][ T5804] dump_stack_lvl+0x1e7/0x2d0 [ 167.718537][ T5804] ? nf_tcp_handle_invalid+0x650/0x650 [ 167.724017][ T5804] ? panic+0x770/0x770 [ 167.728129][ T5804] should_fail_ex+0x3aa/0x4e0 [ 167.733176][ T5804] prepare_alloc_pages+0x1d9/0x5b0 [ 167.738383][ T5804] __alloc_pages+0x165/0x670 [ 167.742979][ T5804] ? zone_statistics+0x170/0x170 [ 167.748034][ T5804] ? verify_lock_unused+0x140/0x140 [ 167.753526][ T5804] ? handle_mm_fault+0x11d/0x62b0 [ 167.758549][ T5804] ? __lock_acquire+0x7f70/0x7f70 [ 167.763570][ T5804] ? pte_offset_map_nolock+0x137/0x1e0 [ 167.769033][ T5804] __folio_alloc+0x13/0x30 [ 167.773631][ T5804] vma_alloc_folio+0x48a/0x9a0 [ 167.778481][ T5804] handle_mm_fault+0x2376/0x62b0 [ 167.783428][ T5804] ? handle_mm_fault+0x11d/0x62b0 [ 167.788457][ T5804] ? numa_migrate_prep+0x380/0x380 [ 167.793582][ T5804] ? mtree_range_walk+0x6a0/0x7e0 [ 167.798632][ T5804] ? lock_vma_under_rcu+0x187/0x6f0 [ 167.803825][ T5804] ? __lock_acquire+0x7f70/0x7f70 [ 167.808843][ T5804] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 167.814047][ T5804] ? lock_vma_under_rcu+0x5df/0x6f0 [ 167.819245][ T5804] ? lock_vma_under_rcu+0x187/0x6f0 [ 167.824451][ T5804] ? exc_page_fault+0x10f/0x860 [ 167.829388][ T5804] exc_page_fault+0x455/0x860 [ 167.834070][ T5804] asm_exc_page_fault+0x26/0x30 [ 167.838913][ T5804] RIP: 0033:0x7f794735bc53 [ 167.843323][ T5804] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 167.862922][ T5804] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5804] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5804] munmap(0x7f793ef10000, 2097152) = 0 [pid 5804] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 167.868986][ T5804] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 167.876960][ T5804] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 167.884945][ T5804] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 167.892911][ T5804] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 167.900885][ T5804] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 167.908991][ T5804] [pid 5804] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5804] close(3) = 0 [pid 5804] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5804] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 167.945516][ T5804] loop0: detected capacity change from 0 to 4096 [ 167.964234][ T5804] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 167.971626][ T5804] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5804] ioctl(5, LOOP_CLR_FD) = 0 [pid 5804] close(5) = 0 [pid 5804] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5802] <... futex resumed>) = 0 [pid 5804] <... futex resumed>) = 1 [pid 5802] exit_group(0 [pid 5804] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5802] <... exit_group resumed>) = ? [pid 5804] +++ exited with 0 +++ [pid 5803] <... futex resumed>) = ? [pid 5803] +++ exited with 0 +++ [pid 5802] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5802, si_uid=0, si_status=0, si_utime=0, si_stime=8 /* 0.08 s */} --- umount2("./254", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./254", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./254/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./254/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./254/binderfs") = 0 umount2("\x2e\x2f\x32\x35\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x35\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x35\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x35\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x35\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./254") = 0 mkdir("./255", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5805 attached , child_tidptr=0x555555f17690) = 5805 [pid 5805] set_robust_list(0x555555f176a0, 24) = 0 [pid 5805] chdir("./255") = 0 [pid 5805] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5805] setpgid(0, 0) = 0 [pid 5805] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5805] write(3, "1000", 4) = 4 [pid 5805] close(3) = 0 [pid 5805] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5805] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5805] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5805] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5805] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5805] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5805] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5805] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5806 attached [pid 5806] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5805] <... clone3 resumed> => {parent_tid=[5806]}, 88) = 5806 [pid 5806] <... rseq resumed>) = 0 [pid 5805] rt_sigprocmask(SIG_SETMASK, [], [pid 5806] set_robust_list(0x7f79473519a0, 24 [pid 5805] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5806] <... set_robust_list resumed>) = 0 [pid 5805] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5806] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5805] <... futex resumed>) = 0 [pid 5806] memfd_create("syzkaller", 0 [pid 5805] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5805] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5805] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5805] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5805] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5806] <... memfd_create resumed>) = 3 [pid 5806] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5805] <... clone3 resumed> => {parent_tid=[5807]}, 88) = 5807 [pid 5805] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 ./strace-static-x86_64: Process 5807 attached [pid 5805] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5807] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5805] <... futex resumed>) = 0 [pid 5805] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5807] <... rseq resumed>) = 0 [pid 5807] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5807] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5807] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5807] write(4, "85", 2) = 2 [pid 5807] memfd_create("syzkaller", 0) = 5 [pid 5807] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5806] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 168.094169][ T5807] FAULT_INJECTION: forcing a failure. [ 168.094169][ T5807] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 168.108446][ T5807] CPU: 1 PID: 5807 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 168.118900][ T5807] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 168.128986][ T5807] Call Trace: [ 168.132278][ T5807] [ 168.135202][ T5807] dump_stack_lvl+0x1e7/0x2d0 [ 168.139873][ T5807] ? nf_tcp_handle_invalid+0x650/0x650 [ 168.145333][ T5807] ? panic+0x770/0x770 [ 168.149437][ T5807] should_fail_ex+0x3aa/0x4e0 [ 168.154149][ T5807] prepare_alloc_pages+0x1d9/0x5b0 [ 168.159360][ T5807] __alloc_pages+0x165/0x670 [ 168.163965][ T5807] ? zone_statistics+0x170/0x170 [ 168.168909][ T5807] ? verify_lock_unused+0x140/0x140 [ 168.174634][ T5807] ? handle_mm_fault+0x11d/0x62b0 [ 168.179659][ T5807] ? __lock_acquire+0x7f70/0x7f70 [ 168.184678][ T5807] ? pte_offset_map_nolock+0x137/0x1e0 [ 168.190135][ T5807] __folio_alloc+0x13/0x30 [ 168.194546][ T5807] vma_alloc_folio+0x48a/0x9a0 [ 168.199312][ T5807] handle_mm_fault+0x2376/0x62b0 [ 168.204253][ T5807] ? handle_mm_fault+0x11d/0x62b0 [ 168.209376][ T5807] ? numa_migrate_prep+0x380/0x380 [ 168.214487][ T5807] ? mtree_range_walk+0x6a0/0x7e0 [ 168.219507][ T5807] ? lock_vma_under_rcu+0x187/0x6f0 [ 168.224701][ T5807] ? __lock_acquire+0x7f70/0x7f70 [ 168.229719][ T5807] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 168.234923][ T5807] ? lock_vma_under_rcu+0x5df/0x6f0 [ 168.240118][ T5807] ? lock_vma_under_rcu+0x187/0x6f0 [ 168.245320][ T5807] ? exc_page_fault+0x10f/0x860 [ 168.250163][ T5807] exc_page_fault+0x455/0x860 [ 168.254841][ T5807] asm_exc_page_fault+0x26/0x30 [ 168.259684][ T5807] RIP: 0033:0x7f794735bc53 [ 168.264091][ T5807] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 168.283775][ T5807] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 168.289837][ T5807] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 168.297801][ T5807] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 168.305763][ T5807] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 168.313723][ T5807] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 168.321776][ T5807] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 168.330288][ T5807] [ 168.333885][ T5807] pagefault_out_of_memory: 2 callbacks suppressed [pid 5806] munmap(0x7f793ef10000, 2097152) = 0 [pid 5806] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5806] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5806] close(3) = 0 [pid 5806] mkdir("./file0", 0777) = 0 [pid 5806] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5806] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5807] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5806] chdir("./file0") = 0 [pid 5806] ioctl(6, LOOP_CLR_FD) = 0 [pid 5806] close(6) = 0 [pid 5806] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5806] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5807] <... write resumed>) = 2097152 [pid 5807] munmap(0x7f7936b10000, 2097152) = 0 [pid 5807] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 168.333899][ T5807] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 168.345493][ T5806] loop0: detected capacity change from 0 to 4096 [ 168.362797][ T5806] ntfs: volume version 12.0. [pid 5807] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5807] ioctl(6, LOOP_CLR_FD) = 0 [pid 5807] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5807] close(6) = 0 [pid 5807] close(5) = 0 [pid 5807] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5805] <... futex resumed>) = 0 [pid 5805] exit_group(0) = ? [pid 5806] <... futex resumed>) = ? [pid 5806] +++ exited with 0 +++ [pid 5807] <... futex resumed>) = ? [pid 5807] +++ exited with 0 +++ [pid 5805] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5805, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=13 /* 0.13 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./255", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./255", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./255/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./255/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./255/binderfs") = 0 umount2("./255/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./255/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./255/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./255/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./255/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./255/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./255") = 0 mkdir("./256", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5808 attached , child_tidptr=0x555555f17690) = 5808 [pid 5808] set_robust_list(0x555555f176a0, 24) = 0 [pid 5808] chdir("./256") = 0 [pid 5808] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5808] setpgid(0, 0) = 0 [pid 5808] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5808] write(3, "1000", 4) = 4 [pid 5808] close(3) = 0 [pid 5808] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5808] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5808] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5808] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5808] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5808] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5808] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5808] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5809 attached => {parent_tid=[5809]}, 88) = 5809 [pid 5809] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5808] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5808] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5809] <... rseq resumed>) = 0 [pid 5808] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5809] set_robust_list(0x7f79473519a0, 24 [pid 5808] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5809] <... set_robust_list resumed>) = 0 [pid 5808] <... mmap resumed>) = 0x7f7947310000 [pid 5808] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5809] rt_sigprocmask(SIG_SETMASK, [], [pid 5808] <... mprotect resumed>) = 0 [pid 5808] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5809] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5808] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5808] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5810]}, 88) = 5810 [pid 5808] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5808] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5808] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5810 attached [pid 5810] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5809] memfd_create("syzkaller", 0 [pid 5810] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5810] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5810] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5809] <... memfd_create resumed>) = 3 [pid 5809] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5810] <... openat resumed>) = 4 [pid 5810] write(4, "85", 2) = 2 [pid 5810] memfd_create("syzkaller", 0 [pid 5809] munmap(0x7f793ef10000, 138412032 [pid 5810] <... memfd_create resumed>) = 5 [pid 5809] <... munmap resumed>) = 0 [pid 5810] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5809] close(3 [pid 5810] <... mmap resumed>) = 0x7f793ef10000 [pid 5809] <... close resumed>) = 0 [pid 5809] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 168.506690][ T5810] FAULT_INJECTION: forcing a failure. [ 168.506690][ T5810] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 168.519993][ T5810] CPU: 0 PID: 5810 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 168.530433][ T5810] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 168.540481][ T5810] Call Trace: [ 168.543760][ T5810] [ 168.546693][ T5810] dump_stack_lvl+0x1e7/0x2d0 [ 168.551365][ T5810] ? nf_tcp_handle_invalid+0x650/0x650 [ 168.556815][ T5810] ? panic+0x770/0x770 [ 168.560972][ T5810] should_fail_ex+0x3aa/0x4e0 [ 168.565657][ T5810] prepare_alloc_pages+0x1d9/0x5b0 [ 168.570788][ T5810] __alloc_pages+0x165/0x670 [ 168.575382][ T5810] ? zone_statistics+0x170/0x170 [ 168.580327][ T5810] ? verify_lock_unused+0x140/0x140 [ 168.585527][ T5810] ? handle_mm_fault+0x11d/0x62b0 [ 168.590565][ T5810] ? __lock_acquire+0x7f70/0x7f70 [ 168.595595][ T5810] ? pte_offset_map_nolock+0x137/0x1e0 [ 168.601069][ T5810] __folio_alloc+0x13/0x30 [ 168.605498][ T5810] vma_alloc_folio+0x48a/0x9a0 [ 168.610351][ T5810] handle_mm_fault+0x2376/0x62b0 [ 168.615293][ T5810] ? handle_mm_fault+0x11d/0x62b0 [ 168.620332][ T5810] ? numa_migrate_prep+0x380/0x380 [ 168.625477][ T5810] ? mtree_range_walk+0x6a0/0x7e0 [ 168.630495][ T5810] ? lock_vma_under_rcu+0x187/0x6f0 [ 168.635704][ T5810] ? __lock_acquire+0x7f70/0x7f70 [ 168.640735][ T5810] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 168.645984][ T5810] ? lock_vma_under_rcu+0x5df/0x6f0 [ 168.651187][ T5810] ? lock_vma_under_rcu+0x187/0x6f0 [ 168.656399][ T5810] ? exc_page_fault+0x10f/0x860 [ 168.661247][ T5810] exc_page_fault+0x455/0x860 [ 168.666109][ T5810] asm_exc_page_fault+0x26/0x30 [ 168.670953][ T5810] RIP: 0033:0x7f794735bd00 [ 168.675360][ T5810] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 168.695135][ T5810] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5809] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5810] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5810] munmap(0x7f793ef10000, 2097152) = 0 [pid 5810] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 168.701209][ T5810] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 168.709282][ T5810] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 168.719020][ T5810] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 168.726991][ T5810] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 168.735048][ T5810] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 168.743045][ T5810] [ 168.748261][ T5810] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5810] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5810] close(5) = 0 [pid 5810] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5810] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 168.787196][ T5810] loop0: detected capacity change from 0 to 4096 [ 168.805505][ T5810] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 168.812633][ T5810] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5810] ioctl(3, LOOP_CLR_FD) = 0 [pid 5810] close(3) = 0 [pid 5810] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5810] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5808] <... futex resumed>) = 0 [pid 5808] exit_group(0 [pid 5810] <... futex resumed>) = ? [pid 5809] <... futex resumed>) = ? [pid 5808] <... exit_group resumed>) = ? [pid 5810] +++ exited with 0 +++ [pid 5809] +++ exited with 0 +++ [pid 5808] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5808, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./256", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./256", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./256/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./256/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./256/binderfs") = 0 umount2("\x2e\x2f\x32\x35\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x35\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x35\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x35\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x35\x36\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./256") = 0 mkdir("./257", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5811 attached [pid 5811] set_robust_list(0x555555f176a0, 24) = 0 [pid 5811] chdir("./257") = 0 [pid 5811] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5811] setpgid(0, 0) = 0 [pid 5811] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5811] write(3, "1000", 4) = 4 [pid 5811] close(3) = 0 [pid 5811] symlink("/dev/binderfs", "./binderfs" [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5811 [pid 5811] <... symlink resumed>) = 0 [pid 5811] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5811] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5811] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5811] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5811] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5811] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5811] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5812 attached [pid 5812] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5811] <... clone3 resumed> => {parent_tid=[5812]}, 88) = 5812 [pid 5812] set_robust_list(0x7f79473519a0, 24 [pid 5811] rt_sigprocmask(SIG_SETMASK, [], [pid 5812] <... set_robust_list resumed>) = 0 [pid 5811] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5812] rt_sigprocmask(SIG_SETMASK, [], [pid 5811] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5812] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5811] <... futex resumed>) = 0 [pid 5812] memfd_create("syzkaller", 0 [pid 5811] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5811] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5811] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5811] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5811] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5812] <... memfd_create resumed>) = 3 [pid 5811] <... clone3 resumed> => {parent_tid=[5813]}, 88) = 5813 [pid 5812] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5811] rt_sigprocmask(SIG_SETMASK, [], [pid 5812] <... mmap resumed>) = 0x7f793ef10000 [pid 5811] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5813 attached [pid 5813] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5813] set_robust_list(0x7f79473309a0, 24 [pid 5811] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5813] <... set_robust_list resumed>) = 0 [pid 5813] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5811] <... futex resumed>) = 0 [pid 5811] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5813] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5813] write(4, "85", 2) = 2 [pid 5813] memfd_create("syzkaller", 0) = 5 [pid 5813] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 168.967966][ T5813] FAULT_INJECTION: forcing a failure. [ 168.967966][ T5813] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 168.981391][ T5813] CPU: 0 PID: 5813 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 168.991823][ T5813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 169.001876][ T5813] Call Trace: [ 169.005148][ T5813] [ 169.008073][ T5813] dump_stack_lvl+0x1e7/0x2d0 [ 169.012748][ T5813] ? nf_tcp_handle_invalid+0x650/0x650 [ 169.018283][ T5813] ? panic+0x770/0x770 [ 169.022355][ T5813] should_fail_ex+0x3aa/0x4e0 [ 169.027036][ T5813] prepare_alloc_pages+0x1d9/0x5b0 [ 169.032169][ T5813] __alloc_pages+0x165/0x670 [ 169.036758][ T5813] ? zone_statistics+0x170/0x170 [ 169.041716][ T5813] ? verify_lock_unused+0x140/0x140 [ 169.046928][ T5813] ? handle_mm_fault+0x11d/0x62b0 [ 169.051945][ T5813] ? __lock_acquire+0x7f70/0x7f70 [ 169.057245][ T5813] ? pte_offset_map_nolock+0x137/0x1e0 [ 169.062728][ T5813] __folio_alloc+0x13/0x30 [ 169.067159][ T5813] vma_alloc_folio+0x48a/0x9a0 [ 169.071931][ T5813] handle_mm_fault+0x2376/0x62b0 [ 169.076883][ T5813] ? handle_mm_fault+0x11d/0x62b0 [ 169.081916][ T5813] ? numa_migrate_prep+0x380/0x380 [ 169.087052][ T5813] ? mtree_range_walk+0x6a0/0x7e0 [ 169.092161][ T5813] ? lock_vma_under_rcu+0x187/0x6f0 [ 169.097353][ T5813] ? __lock_acquire+0x7f70/0x7f70 [ 169.102384][ T5813] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 169.107627][ T5813] ? lock_vma_under_rcu+0x5df/0x6f0 [ 169.112831][ T5813] ? lock_vma_under_rcu+0x187/0x6f0 [ 169.118130][ T5813] ? exc_page_fault+0x10f/0x860 [ 169.123027][ T5813] exc_page_fault+0x455/0x860 [ 169.127721][ T5813] asm_exc_page_fault+0x26/0x30 [ 169.132572][ T5813] RIP: 0033:0x7f794735bc53 [ 169.136982][ T5813] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 169.156611][ T5813] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5812] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 169.162764][ T5813] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 169.170730][ T5813] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 169.178695][ T5813] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 169.186671][ T5813] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 169.194632][ T5813] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 169.202606][ T5813] [ 169.211425][ T5813] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5812] munmap(0x7f793ef10000, 2097152) = 0 [pid 5812] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5812] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5812] close(3) = 0 [pid 5812] mkdir("./file0", 0777) = 0 [pid 5812] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5813] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5812] <... mount resumed>) = 0 [pid 5812] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5812] chdir("./file0") = 0 [pid 5812] ioctl(6, LOOP_CLR_FD) = 0 [pid 5812] close(6) = 0 [pid 5812] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5812] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5813] <... write resumed>) = 2097152 [pid 5813] munmap(0x7f7936b10000, 2097152) = 0 [pid 5813] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5813] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5813] ioctl(6, LOOP_CLR_FD) = 0 [ 169.224825][ T5812] loop0: detected capacity change from 0 to 4096 [ 169.238536][ T5812] ntfs: volume version 12.0. [pid 5813] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5813] close(6) = 0 [pid 5813] close(5) = 0 [pid 5813] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5811] <... futex resumed>) = 0 [pid 5813] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5811] exit_group(0 [pid 5813] <... futex resumed>) = ? [pid 5812] <... futex resumed>) = ? [pid 5811] <... exit_group resumed>) = ? [pid 5813] +++ exited with 0 +++ [pid 5812] +++ exited with 0 +++ [pid 5811] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5811, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=18 /* 0.18 s */} --- umount2("./257", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./257", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./257/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./257/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./257/binderfs") = 0 umount2("./257/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./257/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./257/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./257/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./257/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./257/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./257") = 0 mkdir("./258", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5814 attached , child_tidptr=0x555555f17690) = 5814 [pid 5814] set_robust_list(0x555555f176a0, 24) = 0 [pid 5814] chdir("./258") = 0 [pid 5814] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5814] setpgid(0, 0) = 0 [pid 5814] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5814] write(3, "1000", 4) = 4 [pid 5814] close(3) = 0 [pid 5814] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5814] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5814] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5814] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5814] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5814] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5814] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5814] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5815 attached => {parent_tid=[5815]}, 88) = 5815 [pid 5815] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5814] rt_sigprocmask(SIG_SETMASK, [], [pid 5815] set_robust_list(0x7f79473519a0, 24 [pid 5814] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5815] <... set_robust_list resumed>) = 0 [pid 5814] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5815] rt_sigprocmask(SIG_SETMASK, [], [pid 5814] <... futex resumed>) = 0 [pid 5815] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5814] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5814] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5814] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5814] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5814] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5816 attached => {parent_tid=[5816]}, 88) = 5816 [pid 5814] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5814] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5816] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5815] memfd_create("syzkaller", 0 [pid 5816] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5816] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5815] <... memfd_create resumed>) = 3 [pid 5814] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5815] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5816] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5815] <... mmap resumed>) = 0x7f793ef10000 [pid 5815] munmap(0x7f793ef10000, 138412032) = 0 [pid 5816] <... openat resumed>) = 4 [pid 5816] write(4, "85", 2) = 2 [pid 5816] memfd_create("syzkaller", 0 [pid 5815] close(3 [pid 5816] <... memfd_create resumed>) = 5 [pid 5816] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5815] <... close resumed>) = 0 [pid 5816] <... mmap resumed>) = 0x7f793ef10000 [pid 5815] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 169.373336][ T5816] FAULT_INJECTION: forcing a failure. [ 169.373336][ T5816] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 169.387029][ T5816] CPU: 1 PID: 5816 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 169.397436][ T5816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 169.407480][ T5816] Call Trace: [ 169.410749][ T5816] [ 169.413676][ T5816] dump_stack_lvl+0x1e7/0x2d0 [ 169.418460][ T5816] ? nf_tcp_handle_invalid+0x650/0x650 [ 169.423913][ T5816] ? panic+0x770/0x770 [ 169.427989][ T5816] should_fail_ex+0x3aa/0x4e0 [ 169.432687][ T5816] prepare_alloc_pages+0x1d9/0x5b0 [ 169.437798][ T5816] __alloc_pages+0x165/0x670 [ 169.442512][ T5816] ? zone_statistics+0x170/0x170 [ 169.447461][ T5816] ? verify_lock_unused+0x140/0x140 [ 169.452853][ T5816] ? handle_mm_fault+0x11d/0x62b0 [ 169.457897][ T5816] ? __lock_acquire+0x7f70/0x7f70 [ 169.462920][ T5816] ? pte_offset_map_nolock+0x137/0x1e0 [ 169.468389][ T5816] __folio_alloc+0x13/0x30 [ 169.472818][ T5816] vma_alloc_folio+0x48a/0x9a0 [ 169.477577][ T5816] handle_mm_fault+0x2376/0x62b0 [ 169.482515][ T5816] ? handle_mm_fault+0x11d/0x62b0 [ 169.487554][ T5816] ? numa_migrate_prep+0x380/0x380 [ 169.494203][ T5816] ? mtree_range_walk+0x6a0/0x7e0 [ 169.499230][ T5816] ? lock_vma_under_rcu+0x187/0x6f0 [ 169.504433][ T5816] ? __lock_acquire+0x7f70/0x7f70 [ 169.509541][ T5816] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 169.514922][ T5816] ? lock_vma_under_rcu+0x5df/0x6f0 [ 169.520207][ T5816] ? lock_vma_under_rcu+0x187/0x6f0 [ 169.525412][ T5816] ? exc_page_fault+0x10f/0x860 [ 169.530261][ T5816] exc_page_fault+0x455/0x860 [ 169.534966][ T5816] asm_exc_page_fault+0x26/0x30 [ 169.539816][ T5816] RIP: 0033:0x7f794735bd00 [ 169.544506][ T5816] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 169.564106][ T5816] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5815] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5816] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5816] munmap(0x7f793ef10000, 2097152) = 0 [pid 5816] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 169.570188][ T5816] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 169.578155][ T5816] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 169.586118][ T5816] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 169.594085][ T5816] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 169.602050][ T5816] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 169.610028][ T5816] [ 169.613399][ T5816] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5816] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5816] close(5) = 0 [pid 5816] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5816] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 169.649941][ T5816] loop0: detected capacity change from 0 to 4096 [ 169.667706][ T5816] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 169.674776][ T5816] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5816] ioctl(3, LOOP_CLR_FD) = 0 [pid 5816] close(3) = 0 [pid 5816] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5816] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5814] <... futex resumed>) = 0 [pid 5814] exit_group(0) = ? [pid 5816] <... futex resumed>) = ? [pid 5815] <... futex resumed>) = ? [pid 5816] +++ exited with 0 +++ [pid 5815] +++ exited with 0 +++ [pid 5814] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5814, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./258", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./258", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./258/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./258/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./258/binderfs") = 0 umount2("\x2e\x2f\x32\x35\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x35\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x35\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x35\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x35\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./258") = 0 mkdir("./259", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5817 attached , child_tidptr=0x555555f17690) = 5817 [pid 5817] set_robust_list(0x555555f176a0, 24) = 0 [pid 5817] chdir("./259") = 0 [pid 5817] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5817] setpgid(0, 0) = 0 [pid 5817] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5817] write(3, "1000", 4) = 4 [pid 5817] close(3) = 0 [pid 5817] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5817] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5817] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5817] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5817] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5817] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5817] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5817] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5818 attached [pid 5818] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5818] set_robust_list(0x7f79473519a0, 24 [pid 5817] <... clone3 resumed> => {parent_tid=[5818]}, 88) = 5818 [pid 5818] <... set_robust_list resumed>) = 0 [pid 5817] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5818] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5817] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5818] memfd_create("syzkaller", 0 [pid 5817] <... futex resumed>) = 0 [pid 5818] <... memfd_create resumed>) = 3 [pid 5817] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5818] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5817] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5817] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5818] <... mmap resumed>) = 0x7f793ef10000 [pid 5817] <... mprotect resumed>) = 0 [pid 5817] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5817] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5819 attached => {parent_tid=[5819]}, 88) = 5819 [pid 5819] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5817] rt_sigprocmask(SIG_SETMASK, [], [pid 5819] <... rseq resumed>) = 0 [pid 5817] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5819] set_robust_list(0x7f79473309a0, 24 [pid 5817] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5819] <... set_robust_list resumed>) = 0 [pid 5817] <... futex resumed>) = 0 [pid 5819] rt_sigprocmask(SIG_SETMASK, [], [pid 5817] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5819] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5819] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5819] write(4, "85", 2) = 2 [pid 5819] memfd_create("syzkaller", 0) = 5 [pid 5819] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5818] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 169.816360][ T5819] FAULT_INJECTION: forcing a failure. [ 169.816360][ T5819] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 169.829840][ T5819] CPU: 1 PID: 5819 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 169.840293][ T5819] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 169.850608][ T5819] Call Trace: [ 169.853900][ T5819] [ 169.856850][ T5819] dump_stack_lvl+0x1e7/0x2d0 [ 169.861538][ T5819] ? nf_tcp_handle_invalid+0x650/0x650 [ 169.867079][ T5819] ? panic+0x770/0x770 [ 169.871235][ T5819] should_fail_ex+0x3aa/0x4e0 [ 169.875921][ T5819] prepare_alloc_pages+0x1d9/0x5b0 [ 169.881040][ T5819] __alloc_pages+0x165/0x670 [ 169.885643][ T5819] ? zone_statistics+0x170/0x170 [ 169.890680][ T5819] ? verify_lock_unused+0x140/0x140 [ 169.895892][ T5819] ? handle_mm_fault+0x11d/0x62b0 [ 169.900925][ T5819] ? __lock_acquire+0x7f70/0x7f70 [ 169.906039][ T5819] ? pte_offset_map_nolock+0x137/0x1e0 [ 169.911506][ T5819] __folio_alloc+0x13/0x30 [ 169.915927][ T5819] vma_alloc_folio+0x48a/0x9a0 [ 169.920693][ T5819] handle_mm_fault+0x2376/0x62b0 [ 169.925636][ T5819] ? handle_mm_fault+0x11d/0x62b0 [ 169.930665][ T5819] ? numa_migrate_prep+0x380/0x380 [ 169.935782][ T5819] ? mtree_range_walk+0x6a0/0x7e0 [ 169.940816][ T5819] ? lock_vma_under_rcu+0x187/0x6f0 [ 169.946016][ T5819] ? __lock_acquire+0x7f70/0x7f70 [ 169.951046][ T5819] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 169.956264][ T5819] ? lock_vma_under_rcu+0x5df/0x6f0 [ 169.961473][ T5819] ? lock_vma_under_rcu+0x187/0x6f0 [ 169.966690][ T5819] ? exc_page_fault+0x10f/0x860 [ 169.971543][ T5819] exc_page_fault+0x455/0x860 [ 169.976224][ T5819] asm_exc_page_fault+0x26/0x30 [ 169.981071][ T5819] RIP: 0033:0x7f794735bc53 [ 169.985572][ T5819] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 170.005274][ T5819] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5818] munmap(0x7f793ef10000, 2097152) = 0 [ 170.011357][ T5819] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 170.019328][ T5819] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 170.027305][ T5819] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 170.035275][ T5819] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 170.043259][ T5819] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 170.051330][ T5819] [ 170.054590][ T5819] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5818] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5818] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5818] close(3) = 0 [pid 5818] mkdir("./file0", 0777) = 0 [pid 5818] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5818] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5818] chdir("./file0") = 0 [pid 5818] ioctl(6, LOOP_CLR_FD) = 0 [pid 5818] close(6) = 0 [pid 5818] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5818] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5819] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5819] munmap(0x7f7936b10000, 2097152) = 0 [pid 5819] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5819] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5819] ioctl(6, LOOP_CLR_FD) = 0 [pid 5819] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5819] close(6) = 0 [ 170.067068][ T5818] loop0: detected capacity change from 0 to 4096 [ 170.082467][ T5818] ntfs: volume version 12.0. [pid 5819] close(5) = 0 [pid 5819] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5817] <... futex resumed>) = 0 [pid 5819] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5817] exit_group(0 [pid 5819] <... futex resumed>) = ? [pid 5818] <... futex resumed>) = ? [pid 5817] <... exit_group resumed>) = ? [pid 5819] +++ exited with 0 +++ [pid 5818] +++ exited with 0 +++ [pid 5817] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5817, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=18 /* 0.18 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./259", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./259", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./259/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./259/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./259/binderfs") = 0 umount2("./259/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./259/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./259/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./259/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./259/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./259/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./259") = 0 mkdir("./260", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5820 attached , child_tidptr=0x555555f17690) = 5820 [pid 5820] set_robust_list(0x555555f176a0, 24) = 0 [pid 5820] chdir("./260") = 0 [pid 5820] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5820] setpgid(0, 0) = 0 [pid 5820] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5820] write(3, "1000", 4) = 4 [pid 5820] close(3) = 0 [pid 5820] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5820] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5820] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5820] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5820] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5820] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5820] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5820] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5821 attached => {parent_tid=[5821]}, 88) = 5821 [pid 5821] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5821] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5821] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5821] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5820] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5820] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5821] <... futex resumed>) = 0 [pid 5820] <... futex resumed>) = 1 [pid 5820] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5820] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5821] memfd_create("syzkaller", 0 [pid 5820] <... mmap resumed>) = 0x7f7947310000 [pid 5820] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5821] <... memfd_create resumed>) = 3 [pid 5820] <... mprotect resumed>) = 0 [pid 5821] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5820] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5820] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5822 attached [pid 5822] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5820] <... clone3 resumed> => {parent_tid=[5822]}, 88) = 5822 [pid 5822] <... rseq resumed>) = 0 [pid 5820] rt_sigprocmask(SIG_SETMASK, [], [pid 5822] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5820] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5822] rt_sigprocmask(SIG_SETMASK, [], [pid 5820] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5822] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5822] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5820] <... futex resumed>) = 0 [pid 5821] munmap(0x7f793ef10000, 138412032 [pid 5820] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5822] <... openat resumed>) = 4 [pid 5822] write(4, "85", 2) = 2 [pid 5822] memfd_create("syzkaller", 0) = 5 [pid 5822] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5821] <... munmap resumed>) = 0 [pid 5821] close(3) = 0 [pid 5822] <... mmap resumed>) = 0x7f793ef10000 [pid 5821] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 170.200003][ T5822] FAULT_INJECTION: forcing a failure. [ 170.200003][ T5822] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 170.214074][ T5822] CPU: 1 PID: 5822 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 170.224608][ T5822] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 170.234921][ T5822] Call Trace: [ 170.238208][ T5822] [ 170.241127][ T5822] dump_stack_lvl+0x1e7/0x2d0 [ 170.245817][ T5822] ? nf_tcp_handle_invalid+0x650/0x650 [ 170.251267][ T5822] ? panic+0x770/0x770 [ 170.255333][ T5822] should_fail_ex+0x3aa/0x4e0 [ 170.260060][ T5822] prepare_alloc_pages+0x1d9/0x5b0 [ 170.265192][ T5822] __alloc_pages+0x165/0x670 [ 170.269783][ T5822] ? zone_statistics+0x170/0x170 [ 170.274753][ T5822] ? verify_lock_unused+0x140/0x140 [ 170.280026][ T5822] ? handle_mm_fault+0x11d/0x62b0 [ 170.285036][ T5822] ? __lock_acquire+0x7f70/0x7f70 [ 170.290042][ T5822] ? pte_offset_map_nolock+0x137/0x1e0 [ 170.295575][ T5822] __folio_alloc+0x13/0x30 [ 170.300101][ T5822] vma_alloc_folio+0x48a/0x9a0 [ 170.305062][ T5822] handle_mm_fault+0x2376/0x62b0 [ 170.310010][ T5822] ? handle_mm_fault+0x11d/0x62b0 [ 170.315211][ T5822] ? numa_migrate_prep+0x380/0x380 [ 170.320322][ T5822] ? mtree_range_walk+0x6a0/0x7e0 [ 170.325339][ T5822] ? lock_vma_under_rcu+0x187/0x6f0 [ 170.330527][ T5822] ? __lock_acquire+0x7f70/0x7f70 [ 170.335806][ T5822] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 170.341032][ T5822] ? lock_vma_under_rcu+0x5df/0x6f0 [ 170.346260][ T5822] ? lock_vma_under_rcu+0x187/0x6f0 [ 170.351508][ T5822] ? exc_page_fault+0x10f/0x860 [ 170.356373][ T5822] exc_page_fault+0x455/0x860 [ 170.361049][ T5822] asm_exc_page_fault+0x26/0x30 [ 170.365904][ T5822] RIP: 0033:0x7f794735bd00 [ 170.370333][ T5822] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 170.389965][ T5822] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5821] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5822] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5822] munmap(0x7f793ef10000, 2097152) = 0 [pid 5822] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 170.396032][ T5822] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 170.404341][ T5822] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 170.412399][ T5822] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 170.421584][ T5822] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 170.429626][ T5822] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 170.437650][ T5822] [ 170.442424][ T5822] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5822] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5822] close(5) = 0 [pid 5822] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5822] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5822] ioctl(3, LOOP_CLR_FD) = 0 [pid 5822] close(3) = 0 [pid 5822] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5822] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5820] <... futex resumed>) = 0 [pid 5820] exit_group(0) = ? [pid 5822] <... futex resumed>) = ? [ 170.481077][ T5822] loop0: detected capacity change from 0 to 4096 [ 170.498931][ T5822] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 170.505992][ T5822] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5821] <... futex resumed>) = ? [pid 5821] +++ exited with 0 +++ [pid 5822] +++ exited with 0 +++ [pid 5820] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5820, si_uid=0, si_status=0, si_utime=0, si_stime=12 /* 0.12 s */} --- umount2("./260", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./260", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./260/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./260/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./260/binderfs") = 0 umount2("\x2e\x2f\x32\x36\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x36\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x36\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x36\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x36\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./260") = 0 mkdir("./261", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5823 ./strace-static-x86_64: Process 5823 attached [pid 5823] set_robust_list(0x555555f176a0, 24) = 0 [pid 5823] chdir("./261") = 0 [pid 5823] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5823] setpgid(0, 0) = 0 [pid 5823] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5823] write(3, "1000", 4) = 4 [pid 5823] close(3) = 0 [pid 5823] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5823] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5823] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5823] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5823] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5823] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5823] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5823] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5824]}, 88) = 5824 ./strace-static-x86_64: Process 5824 attached [pid 5824] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5823] rt_sigprocmask(SIG_SETMASK, [], [pid 5824] set_robust_list(0x7f79473519a0, 24 [pid 5823] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5823] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5823] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5823] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5824] <... set_robust_list resumed>) = 0 [pid 5823] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5824] rt_sigprocmask(SIG_SETMASK, [], [pid 5823] <... mprotect resumed>) = 0 [pid 5823] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5824] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5823] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5823] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5825]}, 88) = 5825 [pid 5823] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5823] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5825 attached ) = 0 [pid 5825] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5823] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5825] <... rseq resumed>) = 0 [pid 5825] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5825] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5825] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 3 [pid 5824] memfd_create("syzkaller", 0 [pid 5825] write(3, "85", 2 [pid 5824] <... memfd_create resumed>) = 4 [pid 5825] <... write resumed>) = 2 [pid 5825] memfd_create("syzkaller", 0 [pid 5824] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5825] <... memfd_create resumed>) = 5 [pid 5825] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5824] <... mmap resumed>) = 0x7f793ef10000 [pid 5825] <... mmap resumed>) = 0x7f7936b10000 [pid 5824] munmap(0x7f793ef10000, 138412032) = 0 [pid 5824] close(4) = 0 [pid 5824] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 170.619870][ T5825] FAULT_INJECTION: forcing a failure. [ 170.619870][ T5825] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 170.633294][ T5825] CPU: 1 PID: 5825 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 170.643701][ T5825] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 170.654544][ T5825] Call Trace: [ 170.657830][ T5825] [ 170.660753][ T5825] dump_stack_lvl+0x1e7/0x2d0 [ 170.666233][ T5825] ? nf_tcp_handle_invalid+0x650/0x650 [ 170.671714][ T5825] ? panic+0x770/0x770 [ 170.675796][ T5825] should_fail_ex+0x3aa/0x4e0 [ 170.680472][ T5825] prepare_alloc_pages+0x1d9/0x5b0 [ 170.685672][ T5825] __alloc_pages+0x165/0x670 [ 170.690343][ T5825] ? zone_statistics+0x170/0x170 [ 170.695298][ T5825] ? verify_lock_unused+0x140/0x140 [ 170.700499][ T5825] ? handle_mm_fault+0x11d/0x62b0 [ 170.705713][ T5825] ? __lock_acquire+0x7f70/0x7f70 [ 170.710912][ T5825] ? pte_offset_map_nolock+0x137/0x1e0 [ 170.716452][ T5825] __folio_alloc+0x13/0x30 [ 170.720863][ T5825] vma_alloc_folio+0x48a/0x9a0 [ 170.725735][ T5825] handle_mm_fault+0x2376/0x62b0 [ 170.730689][ T5825] ? handle_mm_fault+0x11d/0x62b0 [ 170.736277][ T5825] ? numa_migrate_prep+0x380/0x380 [ 170.741425][ T5825] ? mtree_range_walk+0x6a0/0x7e0 [ 170.746475][ T5825] ? lock_vma_under_rcu+0x187/0x6f0 [ 170.751712][ T5825] ? __lock_acquire+0x7f70/0x7f70 [ 170.757171][ T5825] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 170.762646][ T5825] ? lock_vma_under_rcu+0x5df/0x6f0 [ 170.768284][ T5825] ? lock_vma_under_rcu+0x187/0x6f0 [ 170.773704][ T5825] ? exc_page_fault+0x10f/0x860 [ 170.778925][ T5825] exc_page_fault+0x455/0x860 [ 170.783609][ T5825] asm_exc_page_fault+0x26/0x30 [ 170.788459][ T5825] RIP: 0033:0x7f794735bc53 [ 170.792885][ T5825] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 170.813053][ T5825] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 170.819407][ T5825] RAX: 0000000000087000 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 170.827386][ T5825] RDX: 00007f794732f8f0 RSI: 0000000000000002 RDI: 00007f794732f7f0 [ 170.835474][ T5825] RBP: 00000000000000ac R08: 0000000000000009 R09: 0000000000000127 [ 170.843548][ T5825] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 170.852133][ T5825] R13: 00007f7947427f80 R14: 00000000000000f0 R15: 00007f794732f7f0 [ 170.860221][ T5825] [ 170.863548][ T5825] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5824] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5825] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2106600) = 2106600 [pid 5825] munmap(0x7f7936b10000, 2106600) = 0 [pid 5825] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5825] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5825] close(5) = 0 [pid 5825] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5825] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 170.900403][ T5825] loop0: detected capacity change from 0 to 4114 [ 170.916498][ T5825] ntfs3: loop0: failed to replay log file. Can't mount rw! [pid 5825] ioctl(4, LOOP_CLR_FD) = 0 [pid 5825] close(4) = 0 [pid 5825] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5823] <... futex resumed>) = 0 [pid 5825] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5823] exit_group(0 [pid 5825] <... futex resumed>) = ? [pid 5825] +++ exited with 0 +++ [pid 5824] <... futex resumed>) = ? [pid 5823] <... exit_group resumed>) = ? [pid 5824] +++ exited with 0 +++ [pid 5823] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5823, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./261", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./261", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./261/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./261/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./261/binderfs") = 0 umount2("\x2e\x2f\x32\x36\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x36\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x36\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x36\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x36\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./261") = 0 mkdir("./262", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5826 attached , child_tidptr=0x555555f17690) = 5826 [pid 5826] set_robust_list(0x555555f176a0, 24) = 0 [pid 5826] chdir("./262") = 0 [pid 5826] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5826] setpgid(0, 0) = 0 [pid 5826] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5826] write(3, "1000", 4) = 4 [pid 5826] close(3) = 0 [pid 5826] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5826] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5826] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5826] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5826] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5826] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5826] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5826] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5827 attached => {parent_tid=[5827]}, 88) = 5827 [pid 5826] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5826] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5826] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5826] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5826] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5826] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5826] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5827] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5826] <... clone3 resumed> => {parent_tid=[5828]}, 88) = 5828 [pid 5826] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5826] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5826] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5828 attached [pid 5827] <... rseq resumed>) = 0 [pid 5827] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5827] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5827] memfd_create("syzkaller", 0 [pid 5828] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5828] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5828] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5827] <... memfd_create resumed>) = 3 [pid 5827] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5828] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5828] write(4, "85", 2) = 2 [pid 5828] memfd_create("syzkaller", 0) = 5 [pid 5828] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 171.037777][ T5828] FAULT_INJECTION: forcing a failure. [ 171.037777][ T5828] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 171.052294][ T5828] CPU: 1 PID: 5828 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 171.062729][ T5828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 171.072873][ T5828] Call Trace: [ 171.076149][ T5828] [ 171.079074][ T5828] dump_stack_lvl+0x1e7/0x2d0 [ 171.083750][ T5828] ? nf_tcp_handle_invalid+0x650/0x650 [ 171.089222][ T5828] ? panic+0x770/0x770 [ 171.093323][ T5828] should_fail_ex+0x3aa/0x4e0 [ 171.098273][ T5828] prepare_alloc_pages+0x1d9/0x5b0 [ 171.103463][ T5828] __alloc_pages+0x165/0x670 [ 171.108090][ T5828] ? zone_statistics+0x170/0x170 [ 171.113043][ T5828] ? verify_lock_unused+0x140/0x140 [ 171.118245][ T5828] ? handle_mm_fault+0x11d/0x62b0 [ 171.123279][ T5828] ? __lock_acquire+0x7f70/0x7f70 [ 171.128913][ T5828] ? pte_offset_map_nolock+0x137/0x1e0 [ 171.134812][ T5828] __folio_alloc+0x13/0x30 [ 171.139229][ T5828] vma_alloc_folio+0x48a/0x9a0 [ 171.143996][ T5828] handle_mm_fault+0x2376/0x62b0 [ 171.148939][ T5828] ? handle_mm_fault+0x11d/0x62b0 [ 171.154079][ T5828] ? numa_migrate_prep+0x380/0x380 [ 171.159212][ T5828] ? mtree_range_walk+0x6a0/0x7e0 [ 171.164233][ T5828] ? lock_vma_under_rcu+0x187/0x6f0 [ 171.169436][ T5828] ? __lock_acquire+0x7f70/0x7f70 [ 171.174668][ T5828] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 171.180153][ T5828] ? lock_vma_under_rcu+0x5df/0x6f0 [ 171.185467][ T5828] ? lock_vma_under_rcu+0x187/0x6f0 [ 171.190673][ T5828] ? exc_page_fault+0x10f/0x860 [ 171.195619][ T5828] exc_page_fault+0x455/0x860 [ 171.200297][ T5828] asm_exc_page_fault+0x26/0x30 [ 171.205140][ T5828] RIP: 0033:0x7f794735bc53 [ 171.209561][ T5828] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 171.229336][ T5828] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 171.235499][ T5828] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 171.243476][ T5828] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 171.251443][ T5828] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 171.259407][ T5828] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 171.267580][ T5828] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 171.275754][ T5828] [pid 5827] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2028777) = 2028777 [pid 5827] munmap(0x7f793ef10000, 2028777 [pid 5828] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5827] <... munmap resumed>) = 0 [pid 5827] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 171.283771][ T5828] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5827] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5827] close(3) = 0 [pid 5827] mkdir("./file0", 0777) = 0 [pid 5827] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = -1 EINVAL (Invalid argument) [pid 5827] ioctl(6, LOOP_CLR_FD [pid 5828] <... write resumed>) = 2097152 [pid 5828] munmap(0x7f7936b10000, 2097152) = 0 [pid 5828] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5828] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5828] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5828] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5828] close(3) = 0 [pid 5828] close(5) = 0 [pid 5828] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5828] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5826] <... futex resumed>) = 0 [ 171.313698][ T5827] loop0: detected capacity change from 0 to 3962 [pid 5827] <... ioctl resumed>) = 0 [pid 5827] close(6) = 0 [pid 5827] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5827] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5826] exit_group(0 [pid 5827] <... futex resumed>) = ? [pid 5826] <... exit_group resumed>) = ? [pid 5827] +++ exited with 0 +++ [pid 5828] <... futex resumed>) = ? [pid 5828] +++ exited with 0 +++ [pid 5826] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5826, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=36 /* 0.36 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./262", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./262", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./262/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./262/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./262/binderfs") = 0 umount2("./262/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./262/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./262/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./262/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./262/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./262") = 0 mkdir("./263", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5829 ./strace-static-x86_64: Process 5829 attached [ 171.381507][ T5238] I/O error, dev loop0, sector 3712 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 5829] set_robust_list(0x555555f176a0, 24) = 0 [pid 5829] chdir("./263") = 0 [pid 5829] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5829] setpgid(0, 0) = 0 [pid 5829] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5829] write(3, "1000", 4) = 4 [pid 5829] close(3) = 0 [pid 5829] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5829] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5829] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5829] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5829] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5829] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5829] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5829] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5830 attached => {parent_tid=[5830]}, 88) = 5830 [pid 5829] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5829] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5830] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5829] <... futex resumed>) = 0 [pid 5830] <... rseq resumed>) = 0 [pid 5829] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5830] set_robust_list(0x7f79473519a0, 24 [pid 5829] <... futex resumed>) = 0 [pid 5829] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5830] <... set_robust_list resumed>) = 0 [pid 5829] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5830] rt_sigprocmask(SIG_SETMASK, [], [pid 5829] <... mprotect resumed>) = 0 [pid 5829] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5829] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5831 attached [pid 5831] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5829] <... clone3 resumed> => {parent_tid=[5831]}, 88) = 5831 [pid 5831] <... rseq resumed>) = 0 [pid 5829] rt_sigprocmask(SIG_SETMASK, [], [pid 5831] set_robust_list(0x7f79473309a0, 24 [pid 5829] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5831] <... set_robust_list resumed>) = 0 [pid 5831] rt_sigprocmask(SIG_SETMASK, [], [pid 5829] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5831] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5829] <... futex resumed>) = 0 [pid 5830] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5829] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5831] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5830] memfd_create("syzkaller", 0 [pid 5831] <... openat resumed>) = 3 [pid 5831] write(3, "85", 2 [pid 5830] <... memfd_create resumed>) = 4 [pid 5831] <... write resumed>) = 2 [pid 5830] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5831] memfd_create("syzkaller", 0 [pid 5830] <... mmap resumed>) = 0x7f793ef10000 [pid 5830] munmap(0x7f793ef10000, 138412032) = 0 [pid 5830] close(4 [pid 5831] <... memfd_create resumed>) = 5 [pid 5831] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5830] <... close resumed>) = 0 [pid 5831] <... mmap resumed>) = 0x7f793ef10000 [pid 5830] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 171.468973][ T5831] FAULT_INJECTION: forcing a failure. [ 171.468973][ T5831] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 171.482373][ T5831] CPU: 1 PID: 5831 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 171.492814][ T5831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 171.502859][ T5831] Call Trace: [ 171.506128][ T5831] [ 171.509048][ T5831] dump_stack_lvl+0x1e7/0x2d0 [ 171.513722][ T5831] ? nf_tcp_handle_invalid+0x650/0x650 [ 171.519169][ T5831] ? panic+0x770/0x770 [ 171.523260][ T5831] should_fail_ex+0x3aa/0x4e0 [ 171.527929][ T5831] prepare_alloc_pages+0x1d9/0x5b0 [ 171.533042][ T5831] __alloc_pages+0x165/0x670 [ 171.537621][ T5831] ? zone_statistics+0x170/0x170 [ 171.542636][ T5831] ? verify_lock_unused+0x140/0x140 [ 171.547819][ T5831] ? handle_mm_fault+0x11d/0x62b0 [ 171.552830][ T5831] ? __lock_acquire+0x7f70/0x7f70 [ 171.557845][ T5831] ? pte_offset_map_nolock+0x137/0x1e0 [ 171.563415][ T5831] __folio_alloc+0x13/0x30 [ 171.567913][ T5831] vma_alloc_folio+0x48a/0x9a0 [ 171.572666][ T5831] handle_mm_fault+0x2376/0x62b0 [ 171.577601][ T5831] ? handle_mm_fault+0x11d/0x62b0 [ 171.582631][ T5831] ? numa_migrate_prep+0x380/0x380 [ 171.587999][ T5831] ? mtree_range_walk+0x6a0/0x7e0 [ 171.593404][ T5831] ? lock_vma_under_rcu+0x187/0x6f0 [ 171.598644][ T5831] ? __lock_acquire+0x7f70/0x7f70 [ 171.603741][ T5831] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 171.608938][ T5831] ? lock_vma_under_rcu+0x5df/0x6f0 [ 171.614124][ T5831] ? lock_vma_under_rcu+0x187/0x6f0 [ 171.619340][ T5831] ? exc_page_fault+0x10f/0x860 [ 171.624183][ T5831] exc_page_fault+0x455/0x860 [ 171.628876][ T5831] asm_exc_page_fault+0x26/0x30 [ 171.633738][ T5831] RIP: 0033:0x7f794735bd00 [ 171.638237][ T5831] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 171.657958][ T5831] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5830] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5831] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2106600) = 2106600 [pid 5831] munmap(0x7f793ef10000, 2106600) = 0 [pid 5831] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 171.664020][ T5831] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 171.672015][ T5831] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 171.679993][ T5831] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 171.687950][ T5831] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 171.695993][ T5831] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 171.703965][ T5831] [ 171.711168][ T5831] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5831] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5831] close(5) = 0 [pid 5831] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5831] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 171.748712][ T5831] loop0: detected capacity change from 0 to 4114 [ 171.766569][ T5831] ntfs3: loop0: failed to replay log file. Can't mount rw! [pid 5831] ioctl(4, LOOP_CLR_FD) = 0 [pid 5831] close(4) = 0 [pid 5831] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5829] <... futex resumed>) = 0 [pid 5831] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5829] exit_group(0 [pid 5831] <... futex resumed>) = ? [pid 5830] <... futex resumed>) = ? [pid 5831] +++ exited with 0 +++ [pid 5830] +++ exited with 0 +++ [pid 5829] <... exit_group resumed>) = ? [pid 5829] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5829, si_uid=0, si_status=0, si_utime=0, si_stime=8 /* 0.08 s */} --- umount2("./263", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./263", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./263/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./263/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./263/binderfs") = 0 umount2("\x2e\x2f\x32\x36\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x36\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x36\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x36\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x36\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./263") = 0 mkdir("./264", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5832 attached , child_tidptr=0x555555f17690) = 5832 [pid 5832] set_robust_list(0x555555f176a0, 24) = 0 [pid 5832] chdir("./264") = 0 [pid 5832] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5832] setpgid(0, 0) = 0 [pid 5832] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5832] write(3, "1000", 4) = 4 [pid 5832] close(3) = 0 [pid 5832] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5832] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5832] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5832] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5832] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5832] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5832] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5832] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5833 attached => {parent_tid=[5833]}, 88) = 5833 [pid 5832] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5832] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5833] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5832] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5833] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5832] <... futex resumed>) = 0 [pid 5833] rt_sigprocmask(SIG_SETMASK, [], [pid 5832] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5833] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5832] <... mmap resumed>) = 0x7f7947310000 [pid 5832] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5832] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5832] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5834]}, 88) = 5834 [pid 5832] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5832] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5833] memfd_create("syzkaller", 0 [pid 5832] <... futex resumed>) = 0 [pid 5832] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5834 attached [pid 5833] <... memfd_create resumed>) = 3 [pid 5834] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5834] set_robust_list(0x7f79473309a0, 24 [pid 5833] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5834] <... set_robust_list resumed>) = 0 [pid 5834] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5834] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5833] <... mmap resumed>) = 0x7f793ef10000 [pid 5833] munmap(0x7f793ef10000, 138412032) = 0 [pid 5834] <... openat resumed>) = 4 [pid 5834] write(4, "85", 2 [pid 5833] close(3 [pid 5834] <... write resumed>) = 2 [pid 5834] memfd_create("syzkaller", 0) = 5 [pid 5833] <... close resumed>) = 0 [pid 5834] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5833] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5834] <... mmap resumed>) = 0x7f793ef10000 [pid 5833] <... futex resumed>) = 0 [ 171.898121][ T5834] FAULT_INJECTION: forcing a failure. [ 171.898121][ T5834] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 171.911595][ T5834] CPU: 1 PID: 5834 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 171.922341][ T5834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 171.932415][ T5834] Call Trace: [ 171.935744][ T5834] [ 171.938683][ T5834] dump_stack_lvl+0x1e7/0x2d0 [ 171.943359][ T5834] ? nf_tcp_handle_invalid+0x650/0x650 [ 171.948811][ T5834] ? panic+0x770/0x770 [ 171.952891][ T5834] should_fail_ex+0x3aa/0x4e0 [ 171.957587][ T5834] prepare_alloc_pages+0x1d9/0x5b0 [ 171.962729][ T5834] __alloc_pages+0x165/0x670 [ 171.967430][ T5834] ? zone_statistics+0x170/0x170 [ 171.972378][ T5834] ? verify_lock_unused+0x140/0x140 [ 171.977702][ T5834] ? handle_mm_fault+0x11d/0x62b0 [ 171.982833][ T5834] ? __lock_acquire+0x7f70/0x7f70 [ 171.987886][ T5834] ? pte_offset_map_nolock+0x137/0x1e0 [ 171.993351][ T5834] __folio_alloc+0x13/0x30 [ 171.998206][ T5834] vma_alloc_folio+0x48a/0x9a0 [ 172.002979][ T5834] handle_mm_fault+0x2376/0x62b0 [ 172.007927][ T5834] ? handle_mm_fault+0x11d/0x62b0 [ 172.013045][ T5834] ? numa_migrate_prep+0x380/0x380 [ 172.018161][ T5834] ? mtree_range_walk+0x6a0/0x7e0 [ 172.023184][ T5834] ? lock_vma_under_rcu+0x187/0x6f0 [ 172.028378][ T5834] ? __lock_acquire+0x7f70/0x7f70 [ 172.033392][ T5834] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 172.038592][ T5834] ? lock_vma_under_rcu+0x5df/0x6f0 [ 172.044581][ T5834] ? lock_vma_under_rcu+0x187/0x6f0 [ 172.049874][ T5834] ? exc_page_fault+0x10f/0x860 [ 172.054718][ T5834] exc_page_fault+0x455/0x860 [ 172.059412][ T5834] asm_exc_page_fault+0x26/0x30 [ 172.064281][ T5834] RIP: 0033:0x7f794735bd00 [ 172.068706][ T5834] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 172.088359][ T5834] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5833] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5834] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5834] munmap(0x7f793ef10000, 2097152) = 0 [pid 5834] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 172.094462][ T5834] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 172.102447][ T5834] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 172.110422][ T5834] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 172.118387][ T5834] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 172.126526][ T5834] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 172.134548][ T5834] [ 172.138290][ T5834] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5834] ioctl(3, LOOP_SET_FD, 5) = 0 [pid 5834] close(5) = 0 [pid 5834] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5834] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [ 172.180054][ T5834] loop0: detected capacity change from 0 to 4096 [ 172.198904][ T5834] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 172.206020][ T5834] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5834] ioctl(3, LOOP_CLR_FD) = 0 [pid 5834] close(3) = 0 [pid 5834] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5832] <... futex resumed>) = 0 [pid 5834] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5832] exit_group(0 [pid 5833] <... futex resumed>) = ? [pid 5832] <... exit_group resumed>) = ? [pid 5833] +++ exited with 0 +++ [pid 5834] <... futex resumed>) = ? [pid 5834] +++ exited with 0 +++ [pid 5832] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5832, si_uid=0, si_status=0, si_utime=0, si_stime=8 /* 0.08 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./264", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./264", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./264/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./264/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./264/binderfs") = 0 umount2("\x2e\x2f\x32\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x36\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./264") = 0 mkdir("./265", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5835 attached , child_tidptr=0x555555f17690) = 5835 [pid 5835] set_robust_list(0x555555f176a0, 24) = 0 [pid 5835] chdir("./265") = 0 [pid 5835] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5835] setpgid(0, 0) = 0 [pid 5835] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5835] write(3, "1000", 4) = 4 [pid 5835] close(3) = 0 [pid 5835] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5835] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5835] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5835] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5835] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5835] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5835] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5835] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5836 attached [pid 5836] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5836] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5835] <... clone3 resumed> => {parent_tid=[5836]}, 88) = 5836 [pid 5835] rt_sigprocmask(SIG_SETMASK, [], [pid 5836] rt_sigprocmask(SIG_SETMASK, [], [pid 5835] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5836] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5835] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5835] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5835] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5835] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5836] memfd_create("syzkaller", 0 [pid 5835] <... mprotect resumed>) = 0 [pid 5835] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5835] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5836] <... memfd_create resumed>) = 3 ./strace-static-x86_64: Process 5837 attached [pid 5835] <... clone3 resumed> => {parent_tid=[5837]}, 88) = 5837 [pid 5835] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5835] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5835] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5836] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5837] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5836] <... mmap resumed>) = 0x7f793ef10000 [pid 5837] <... rseq resumed>) = 0 [pid 5837] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5837] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5837] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5837] write(4, "85", 2) = 2 [pid 5837] memfd_create("syzkaller", 0) = 5 [pid 5837] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 172.362243][ T5837] FAULT_INJECTION: forcing a failure. [ 172.362243][ T5837] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 172.377078][ T5837] CPU: 0 PID: 5837 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 172.387510][ T5837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 172.397649][ T5837] Call Trace: [ 172.401037][ T5837] [ 172.403960][ T5837] dump_stack_lvl+0x1e7/0x2d0 [ 172.408659][ T5837] ? nf_tcp_handle_invalid+0x650/0x650 [ 172.414123][ T5837] ? panic+0x770/0x770 [ 172.418197][ T5837] should_fail_ex+0x3aa/0x4e0 [ 172.422875][ T5837] prepare_alloc_pages+0x1d9/0x5b0 [ 172.427990][ T5837] __alloc_pages+0x165/0x670 [ 172.432577][ T5837] ? zone_statistics+0x170/0x170 [ 172.437514][ T5837] ? verify_lock_unused+0x140/0x140 [ 172.442718][ T5837] ? handle_mm_fault+0x11d/0x62b0 [ 172.447829][ T5837] ? __lock_acquire+0x7f70/0x7f70 [ 172.452844][ T5837] ? pte_offset_map_nolock+0x137/0x1e0 [ 172.458390][ T5837] __folio_alloc+0x13/0x30 [ 172.462799][ T5837] vma_alloc_folio+0x48a/0x9a0 [ 172.467562][ T5837] handle_mm_fault+0x2376/0x62b0 [ 172.472509][ T5837] ? handle_mm_fault+0x11d/0x62b0 [ 172.477539][ T5837] ? numa_migrate_prep+0x380/0x380 [ 172.482657][ T5837] ? mtree_range_walk+0x6a0/0x7e0 [ 172.487680][ T5837] ? lock_vma_under_rcu+0x187/0x6f0 [ 172.492876][ T5837] ? __lock_acquire+0x7f70/0x7f70 [ 172.497891][ T5837] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 172.503102][ T5837] ? lock_vma_under_rcu+0x5df/0x6f0 [ 172.508297][ T5837] ? lock_vma_under_rcu+0x187/0x6f0 [ 172.513498][ T5837] ? exc_page_fault+0x10f/0x860 [ 172.518346][ T5837] exc_page_fault+0x455/0x860 [ 172.523022][ T5837] asm_exc_page_fault+0x26/0x30 [ 172.527864][ T5837] RIP: 0033:0x7f794735bc53 [ 172.532272][ T5837] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 172.551869][ T5837] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5836] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2276295 [pid 5837] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5836] <... write resumed>) = 2276295 [pid 5836] munmap(0x7f793ef10000, 2276295) = 0 [pid 5836] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 172.557930][ T5837] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 172.565895][ T5837] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 172.573858][ T5837] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 172.581825][ T5837] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 172.589964][ T5837] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 172.598027][ T5837] [pid 5836] ioctl(6, LOOP_SET_FD, 3 [pid 5837] <... write resumed>) = 2097152 [pid 5837] munmap(0x7f7936b10000, 2097152 [pid 5836] <... ioctl resumed>) = 0 [pid 5836] close(3) = 0 [pid 5836] mkdir("./file0", 0777 [pid 5837] <... munmap resumed>) = 0 [pid 5837] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5836] <... mkdir resumed>) = 0 [pid 5837] <... openat resumed>) = 3 [pid 5836] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5837] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5837] ioctl(3, LOOP_CLR_FD) = 0 [pid 5837] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5837] close(3) = 0 [pid 5837] close(5) = 0 [pid 5837] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5835] <... futex resumed>) = 0 [pid 5837] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5836] <... mount resumed>) = -1 EINVAL (Invalid argument) [pid 5836] ioctl(6, LOOP_CLR_FD) = 0 [pid 5836] close(6) = 0 [pid 5836] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5836] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5835] exit_group(0 [pid 5836] <... futex resumed>) = ? [pid 5835] <... exit_group resumed>) = ? [pid 5836] +++ exited with 0 +++ [pid 5837] <... futex resumed>) = ? [pid 5837] +++ exited with 0 +++ [pid 5835] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5835, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=36 /* 0.36 s */} --- umount2("./265", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./265", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./265/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./265/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./265/binderfs") = 0 umount2("./265/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./265/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./265/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./265/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./265/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./265") = 0 mkdir("./266", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5838 attached , child_tidptr=0x555555f17690) = 5838 [pid 5838] set_robust_list(0x555555f176a0, 24) = 0 [pid 5838] chdir("./266") = 0 [pid 5838] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5838] setpgid(0, 0) = 0 [pid 5838] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5838] write(3, "1000", 4) = 4 [pid 5838] close(3) = 0 [pid 5838] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5838] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5838] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5838] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5838] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5838] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5838] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5838] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5839 attached [pid 5839] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5838] <... clone3 resumed> => {parent_tid=[5839]}, 88) = 5839 [pid 5839] <... rseq resumed>) = 0 [pid 5838] rt_sigprocmask(SIG_SETMASK, [], [pid 5839] set_robust_list(0x7f79473519a0, 24 [pid 5838] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5839] <... set_robust_list resumed>) = 0 [pid 5839] rt_sigprocmask(SIG_SETMASK, [], [pid 5838] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5839] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5838] <... futex resumed>) = 0 [pid 5839] memfd_create("syzkaller", 0 [pid 5838] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5838] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5838] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5838] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5838] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5839] <... memfd_create resumed>) = 3 [pid 5838] <... clone3 resumed> => {parent_tid=[5840]}, 88) = 5840 [pid 5839] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5838] rt_sigprocmask(SIG_SETMASK, [], [pid 5839] <... mmap resumed>) = 0x7f793ef10000 [pid 5838] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5838] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 172.641181][ T5836] loop0: detected capacity change from 0 to 4445 [ 172.653754][ T5836] __ntfs_error: 76 callbacks suppressed [ 172.653770][ T5836] ntfs: (device loop0): ntfs_read_inode_mount(): Incorrect mft record size 67372036 in superblock, should be 1024. [ 172.672434][ T5836] ntfs: (device loop0): ntfs_read_inode_mount(): Failed. Marking inode as bad. ./strace-static-x86_64: Process 5840 attached [pid 5838] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5840] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5840] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5840] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5840] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5840] write(4, "85", 2) = 2 [pid 5840] memfd_create("syzkaller", 0) = 5 [pid 5840] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5839] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 172.744057][ T5840] FAULT_INJECTION: forcing a failure. [ 172.744057][ T5840] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 172.776914][ T5840] CPU: 0 PID: 5840 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 172.787665][ T5840] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 172.797720][ T5840] Call Trace: [ 172.801009][ T5840] [ 172.803933][ T5840] dump_stack_lvl+0x1e7/0x2d0 [ 172.808640][ T5840] ? nf_tcp_handle_invalid+0x650/0x650 [ 172.814265][ T5840] ? panic+0x770/0x770 [ 172.818336][ T5840] should_fail_ex+0x3aa/0x4e0 [ 172.823017][ T5840] prepare_alloc_pages+0x1d9/0x5b0 [ 172.828128][ T5840] __alloc_pages+0x165/0x670 [ 172.832721][ T5840] ? zone_statistics+0x170/0x170 [ 172.837669][ T5840] ? verify_lock_unused+0x140/0x140 [ 172.842871][ T5840] ? handle_mm_fault+0x11d/0x62b0 [ 172.847908][ T5840] ? __lock_acquire+0x7f70/0x7f70 [ 172.852940][ T5840] ? pte_offset_map_nolock+0x137/0x1e0 [ 172.858513][ T5840] __folio_alloc+0x13/0x30 [ 172.862978][ T5840] vma_alloc_folio+0x48a/0x9a0 [ 172.867854][ T5840] handle_mm_fault+0x2376/0x62b0 [ 172.872895][ T5840] ? handle_mm_fault+0x11d/0x62b0 [ 172.877943][ T5840] ? numa_migrate_prep+0x380/0x380 [ 172.883054][ T5840] ? mtree_range_walk+0x6a0/0x7e0 [ 172.888085][ T5840] ? lock_vma_under_rcu+0x187/0x6f0 [ 172.893296][ T5840] ? __lock_acquire+0x7f70/0x7f70 [ 172.898313][ T5840] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 172.903537][ T5840] ? lock_vma_under_rcu+0x5df/0x6f0 [ 172.908784][ T5840] ? lock_vma_under_rcu+0x187/0x6f0 [ 172.913988][ T5840] ? exc_page_fault+0x10f/0x860 [ 172.918837][ T5840] exc_page_fault+0x455/0x860 [ 172.923526][ T5840] asm_exc_page_fault+0x26/0x30 [ 172.928385][ T5840] RIP: 0033:0x7f794735bc53 [ 172.932882][ T5840] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 172.952574][ T5840] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 172.958745][ T5840] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 172.967079][ T5840] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 172.975082][ T5840] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 172.983065][ T5840] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [pid 5839] munmap(0x7f793ef10000, 2097152) = 0 [pid 5839] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5839] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5839] close(3) = 0 [pid 5839] mkdir("./file0", 0777) = 0 [pid 5839] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [ 172.991069][ T5840] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 172.999076][ T5840] [ 173.012572][ T5839] loop0: detected capacity change from 0 to 4096 [ 173.028325][ T5839] ntfs: (device loop0): ntfs_read_locked_inode(): Corrupt standard information attribute in inode. [pid 5840] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5840] munmap(0x7f7936b10000, 2097152) = 0 [pid 5840] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5840] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5840] ioctl(3, LOOP_CLR_FD) = 0 [pid 5840] ioctl(3, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5840] close(3) = 0 [pid 5840] close(5) = 0 [pid 5840] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5838] <... futex resumed>) = 0 [pid 5840] <... futex resumed>) = 1 [ 173.039585][ T5839] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk. [ 173.053314][ T5839] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Will not be able to remount read-write. Run ntfsfix and/or chkdsk. [ 173.069208][ T5839] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk. [pid 5840] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5839] <... mount resumed>) = 0 [pid 5839] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5839] chdir("./file0") = 0 [pid 5839] ioctl(6, LOOP_CLR_FD) = 0 [pid 5839] close(6) = 0 [pid 5839] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5838] exit_group(0 [pid 5839] <... futex resumed>) = 0 [pid 5839] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5838] <... exit_group resumed>) = ? [pid 5839] <... futex resumed>) = ? [pid 5840] <... futex resumed>) = ? [pid 5840] +++ exited with 0 +++ [pid 5839] +++ exited with 0 +++ [pid 5838] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5838, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=24 /* 0.24 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./266", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./266", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 [ 173.089836][ T5839] ntfs: (device loop0): map_mft_record(): Failed with error code 5. [ 173.098814][ T5839] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk. [ 173.112537][ T5839] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default. [ 173.125714][ T5839] ntfs: volume version 12.0. [ 173.131054][ T5839] ntfs: (device loop0): ntfs_attr_find(): Inode is corrupt. Run chkdsk. umount2("./266/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./266/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./266/binderfs") = 0 umount2("./266/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./266/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./266/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./266/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./266/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./266/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./266") = 0 mkdir("./267", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5841 attached [pid 5841] set_robust_list(0x555555f176a0, 24) = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5841 [pid 5841] chdir("./267") = 0 [pid 5841] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5841] setpgid(0, 0) = 0 [pid 5841] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5841] write(3, "1000", 4) = 4 [pid 5841] close(3) = 0 [pid 5841] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5841] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5841] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5841] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5841] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5841] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5841] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5841] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5842 attached [pid 5842] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5842] set_robust_list(0x7f79473519a0, 24 [pid 5841] <... clone3 resumed> => {parent_tid=[5842]}, 88) = 5842 [pid 5842] <... set_robust_list resumed>) = 0 [pid 5841] rt_sigprocmask(SIG_SETMASK, [], [pid 5842] rt_sigprocmask(SIG_SETMASK, [], [pid 5841] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5842] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5841] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5842] memfd_create("syzkaller", 0 [pid 5841] <... futex resumed>) = 0 [pid 5841] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5841] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5841] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5841] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5841] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5843 attached [pid 5842] <... memfd_create resumed>) = 3 [pid 5841] <... clone3 resumed> => {parent_tid=[5843]}, 88) = 5843 [pid 5842] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5841] rt_sigprocmask(SIG_SETMASK, [], [pid 5842] <... mmap resumed>) = 0x7f793ef10000 [pid 5841] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5841] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5843] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5841] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5843] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5843] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5843] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5843] write(4, "85", 2) = 2 [pid 5843] memfd_create("syzkaller", 0) = 5 [pid 5843] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5842] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 173.248328][ T5843] FAULT_INJECTION: forcing a failure. [ 173.248328][ T5843] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 173.262146][ T5843] CPU: 0 PID: 5843 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 173.272607][ T5843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 173.282688][ T5843] Call Trace: [ 173.286065][ T5843] [ 173.288988][ T5843] dump_stack_lvl+0x1e7/0x2d0 [ 173.293665][ T5843] ? nf_tcp_handle_invalid+0x650/0x650 [ 173.299118][ T5843] ? panic+0x770/0x770 [ 173.303189][ T5843] should_fail_ex+0x3aa/0x4e0 [ 173.307879][ T5843] prepare_alloc_pages+0x1d9/0x5b0 [ 173.313012][ T5843] __alloc_pages+0x165/0x670 [ 173.317649][ T5843] ? zone_statistics+0x170/0x170 [ 173.322606][ T5843] ? verify_lock_unused+0x140/0x140 [ 173.327804][ T5843] ? handle_mm_fault+0x11d/0x62b0 [ 173.332861][ T5843] ? __lock_acquire+0x7f70/0x7f70 [ 173.337885][ T5843] ? pte_offset_map_nolock+0x137/0x1e0 [ 173.343341][ T5843] __folio_alloc+0x13/0x30 [ 173.347759][ T5843] vma_alloc_folio+0x48a/0x9a0 [ 173.352530][ T5843] handle_mm_fault+0x2376/0x62b0 [ 173.357473][ T5843] ? handle_mm_fault+0x11d/0x62b0 [ 173.362512][ T5843] ? numa_migrate_prep+0x380/0x380 [ 173.367636][ T5843] ? mtree_range_walk+0x6a0/0x7e0 [ 173.372661][ T5843] ? lock_vma_under_rcu+0x187/0x6f0 [ 173.377864][ T5843] ? __lock_acquire+0x7f70/0x7f70 [ 173.382878][ T5843] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 173.388255][ T5843] ? lock_vma_under_rcu+0x5df/0x6f0 [ 173.393449][ T5843] ? lock_vma_under_rcu+0x187/0x6f0 [ 173.398652][ T5843] ? exc_page_fault+0x10f/0x860 [ 173.403501][ T5843] exc_page_fault+0x455/0x860 [ 173.408181][ T5843] asm_exc_page_fault+0x26/0x30 [ 173.413027][ T5843] RIP: 0033:0x7f794735bc53 [ 173.417520][ T5843] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 173.437117][ T5843] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 173.443177][ T5843] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 173.451149][ T5843] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 173.459116][ T5843] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 173.467078][ T5843] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 173.475130][ T5843] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 173.483113][ T5843] [ 173.486582][ T5843] pagefault_out_of_memory: 2 callbacks suppressed [pid 5842] munmap(0x7f793ef10000, 2097152) = 0 [pid 5842] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5842] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5842] close(3) = 0 [pid 5842] mkdir("./file0", 0777) = 0 [pid 5842] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5843] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5842] <... mount resumed>) = 0 [pid 5842] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5843] <... write resumed>) = 2097152 [pid 5842] chdir("./file0") = 0 [pid 5842] ioctl(6, LOOP_CLR_FD) = 0 [pid 5842] close(6 [pid 5843] munmap(0x7f7936b10000, 2097152 [pid 5842] <... close resumed>) = 0 [pid 5842] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5842] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5843] <... munmap resumed>) = 0 [pid 5843] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5843] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5843] ioctl(6, LOOP_CLR_FD) = 0 [pid 5843] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5843] close(6) = 0 [pid 5843] close(5) = 0 [pid 5843] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5841] <... futex resumed>) = 0 [pid 5841] exit_group(0) = ? [pid 5842] <... futex resumed>) = ? [pid 5842] +++ exited with 0 +++ [pid 5843] <... futex resumed>) = ? [pid 5843] +++ exited with 0 +++ [pid 5841] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5841, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=13 /* 0.13 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./267", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./267", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [ 173.486593][ T5843] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 173.506924][ T5842] loop0: detected capacity change from 0 to 4096 [ 173.523518][ T5842] ntfs: volume version 12.0. newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./267/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./267/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./267/binderfs") = 0 umount2("./267/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./267/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./267/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./267/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./267/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./267/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./267") = 0 mkdir("./268", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5844 ./strace-static-x86_64: Process 5844 attached [pid 5844] set_robust_list(0x555555f176a0, 24) = 0 [pid 5844] chdir("./268") = 0 [pid 5844] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5844] setpgid(0, 0) = 0 [pid 5844] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5844] write(3, "1000", 4) = 4 [pid 5844] close(3) = 0 [pid 5844] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5844] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5844] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5844] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5844] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5844] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5844] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5844] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5845 attached => {parent_tid=[5845]}, 88) = 5845 [pid 5844] rt_sigprocmask(SIG_SETMASK, [], [pid 5845] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5844] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5844] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5844] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5845] <... rseq resumed>) = 0 [pid 5844] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5845] set_robust_list(0x7f79473519a0, 24 [pid 5844] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5844] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5844] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5845] <... set_robust_list resumed>) = 0 [pid 5845] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5844] <... clone3 resumed> => {parent_tid=[5846]}, 88) = 5846 [pid 5844] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5844] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5844] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5846 attached [pid 5846] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5846] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5845] memfd_create("syzkaller", 0 [pid 5846] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5845] <... memfd_create resumed>) = 3 [pid 5846] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5845] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5845] munmap(0x7f793ef10000, 138412032) = 0 [pid 5846] <... openat resumed>) = 4 [pid 5845] close(3) = 0 [pid 5845] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5846] write(4, "85", 2 [pid 5845] <... futex resumed>) = 0 [pid 5846] <... write resumed>) = 2 [pid 5845] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5846] memfd_create("syzkaller", 0) = 3 [pid 5846] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [ 173.654069][ T5846] FAULT_INJECTION: forcing a failure. [ 173.654069][ T5846] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 173.667620][ T5846] CPU: 1 PID: 5846 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 173.678052][ T5846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 173.688173][ T5846] Call Trace: [ 173.691457][ T5846] [ 173.694406][ T5846] dump_stack_lvl+0x1e7/0x2d0 [ 173.699089][ T5846] ? nf_tcp_handle_invalid+0x650/0x650 [ 173.704573][ T5846] ? panic+0x770/0x770 [ 173.708637][ T5846] should_fail_ex+0x3aa/0x4e0 [ 173.713306][ T5846] prepare_alloc_pages+0x1d9/0x5b0 [ 173.718506][ T5846] __alloc_pages+0x165/0x670 [ 173.723116][ T5846] ? zone_statistics+0x170/0x170 [ 173.728096][ T5846] ? verify_lock_unused+0x140/0x140 [ 173.733307][ T5846] ? handle_mm_fault+0x11d/0x62b0 [ 173.738436][ T5846] ? __lock_acquire+0x7f70/0x7f70 [ 173.743461][ T5846] ? pte_offset_map_nolock+0x137/0x1e0 [ 173.749009][ T5846] __folio_alloc+0x13/0x30 [ 173.753423][ T5846] vma_alloc_folio+0x48a/0x9a0 [ 173.758193][ T5846] handle_mm_fault+0x2376/0x62b0 [ 173.763126][ T5846] ? handle_mm_fault+0x11d/0x62b0 [ 173.768151][ T5846] ? numa_migrate_prep+0x380/0x380 [ 173.773291][ T5846] ? mtree_range_walk+0x6a0/0x7e0 [ 173.778415][ T5846] ? lock_vma_under_rcu+0x187/0x6f0 [ 173.783625][ T5846] ? __lock_acquire+0x7f70/0x7f70 [ 173.788653][ T5846] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 173.793883][ T5846] ? lock_vma_under_rcu+0x5df/0x6f0 [ 173.799092][ T5846] ? lock_vma_under_rcu+0x187/0x6f0 [ 173.804303][ T5846] ? exc_page_fault+0x10f/0x860 [ 173.809168][ T5846] exc_page_fault+0x455/0x860 [ 173.813869][ T5846] asm_exc_page_fault+0x26/0x30 [ 173.818743][ T5846] RIP: 0033:0x7f794735bd00 [ 173.823252][ T5846] Code: 39 4f 08 72 4c 8d 4d ff 85 ed 74 33 66 0f 1f 44 00 00 48 39 f0 72 1b 4d 8b 07 49 89 c1 49 29 f1 47 0f b6 0c 08 45 84 c9 74 08 <45> 88 0c 00 49 8b 47 10 48 83 c0 01 49 89 47 10 83 e9 01 73 d3 41 [ 173.842866][ T5846] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5846] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5846] munmap(0x7f793ef10000, 2097152) = 0 [pid 5846] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 173.849203][ T5846] RAX: 0000000000046000 RBX: 00007f794732f750 RCX: 0000000000000003 [ 173.857356][ T5846] RDX: 000000000000004d RSI: 0000000000000c4e RDI: 00007f794732f7f0 [ 173.865332][ T5846] RBP: 0000000000000004 R08: 00007f793ef10000 R09: 0000000000000024 [ 173.873296][ T5846] R10: 0000000020020942 R11: 000000000001f76e R12: 0000000000000c01 [ 173.881264][ T5846] R13: 00007f7947427f80 R14: 0000000000000017 R15: 00007f794732f7f0 [ 173.889350][ T5846] [ 173.892624][ T5846] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5846] ioctl(5, LOOP_SET_FD, 3) = 0 [pid 5846] close(3) = 0 [pid 5846] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0 [pid 5846] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "ntfs3", MS_MANDLOCK|MS_REC|MS_SILENT, "") = -1 EINVAL (Invalid argument) [pid 5846] ioctl(5, LOOP_CLR_FD) = 0 [pid 5846] close(5) = 0 [pid 5846] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5846] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5844] <... futex resumed>) = 0 [ 173.931680][ T5846] loop0: detected capacity change from 0 to 4096 [ 173.948306][ T5846] ntfs3: loop0: Mark volume as dirty due to NTFS errors [ 173.955554][ T5846] ntfs3: loop0: Failed to load $AttrDef (-22) [pid 5844] exit_group(0 [pid 5846] <... futex resumed>) = ? [pid 5845] <... futex resumed>) = ? [pid 5844] <... exit_group resumed>) = ? [pid 5846] +++ exited with 0 +++ [pid 5845] +++ exited with 0 +++ [pid 5844] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5844, si_uid=0, si_status=0, si_utime=0, si_stime=9 /* 0.09 s */} --- umount2("./268", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./268", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 176 umount2("./268/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./268/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./268/binderfs") = 0 umount2("\x2e\x2f\x32\x36\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x36\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x36\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x36\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x36\x38\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./268") = 0 mkdir("./269", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5847 attached [pid 5847] set_robust_list(0x555555f176a0, 24) = 0 [pid 5847] chdir("./269") = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5847 [pid 5847] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5847] setpgid(0, 0) = 0 [pid 5847] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5847] write(3, "1000", 4) = 4 [pid 5847] close(3) = 0 [pid 5847] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5847] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5847] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5847] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5847] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5847] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5847] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5847] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5848]}, 88) = 5848 [pid 5847] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5847] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5847] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5847] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5847] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5847] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5847] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5848 attached ./strace-static-x86_64: Process 5849 attached [pid 5849] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5849] set_robust_list(0x7f79473309a0, 24 [pid 5847] <... clone3 resumed> => {parent_tid=[5849]}, 88) = 5849 [pid 5849] <... set_robust_list resumed>) = 0 [pid 5847] rt_sigprocmask(SIG_SETMASK, [], [pid 5849] rt_sigprocmask(SIG_SETMASK, [], [pid 5847] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5849] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5847] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5849] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5848] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5847] <... futex resumed>) = 0 [pid 5848] <... rseq resumed>) = 0 [pid 5848] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5847] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5848] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5849] <... openat resumed>) = 3 [pid 5849] write(3, "85", 2) = 2 [pid 5848] memfd_create("syzkaller", 0 [pid 5849] memfd_create("syzkaller", 0 [pid 5848] <... memfd_create resumed>) = 4 [pid 5848] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5849] <... memfd_create resumed>) = 5 [pid 5849] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5848] <... mmap resumed>) = 0x7f793ef10000 [pid 5849] <... mmap resumed>) = 0x7f7936b10000 [ 174.052228][ T5849] FAULT_INJECTION: forcing a failure. [ 174.052228][ T5849] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 174.067130][ T5849] CPU: 1 PID: 5849 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 174.077594][ T5849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 174.088024][ T5849] Call Trace: [ 174.091314][ T5849] [ 174.094271][ T5849] dump_stack_lvl+0x1e7/0x2d0 [ 174.099587][ T5849] ? nf_tcp_handle_invalid+0x650/0x650 [ 174.105043][ T5849] ? panic+0x770/0x770 [ 174.109120][ T5849] should_fail_ex+0x3aa/0x4e0 [ 174.113808][ T5849] prepare_alloc_pages+0x1d9/0x5b0 [ 174.119012][ T5849] __alloc_pages+0x165/0x670 [ 174.123602][ T5849] ? zone_statistics+0x170/0x170 [ 174.128546][ T5849] ? verify_lock_unused+0x140/0x140 [ 174.133758][ T5849] ? handle_mm_fault+0x11d/0x62b0 [ 174.138779][ T5849] ? __lock_acquire+0x7f70/0x7f70 [ 174.143794][ T5849] ? pte_offset_map_nolock+0x137/0x1e0 [ 174.149253][ T5849] __folio_alloc+0x13/0x30 [ 174.153755][ T5849] vma_alloc_folio+0x48a/0x9a0 [ 174.158521][ T5849] handle_mm_fault+0x2376/0x62b0 [ 174.163466][ T5849] ? handle_mm_fault+0x11d/0x62b0 [ 174.168498][ T5849] ? numa_migrate_prep+0x380/0x380 [ 174.173614][ T5849] ? mtree_range_walk+0x6a0/0x7e0 [ 174.178640][ T5849] ? lock_vma_under_rcu+0x187/0x6f0 [ 174.183870][ T5849] ? __lock_acquire+0x7f70/0x7f70 [ 174.188976][ T5849] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 174.194182][ T5849] ? lock_vma_under_rcu+0x5df/0x6f0 [ 174.199379][ T5849] ? lock_vma_under_rcu+0x187/0x6f0 [ 174.204597][ T5849] ? exc_page_fault+0x10f/0x860 [ 174.209463][ T5849] exc_page_fault+0x455/0x860 [ 174.214158][ T5849] asm_exc_page_fault+0x26/0x30 [ 174.219010][ T5849] RIP: 0033:0x7f794735bc53 [ 174.223523][ T5849] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 174.243248][ T5849] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5848] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5848] munmap(0x7f793ef10000, 2097152 [pid 5849] munmap(0x7f7936b10000, 138412032 [pid 5848] <... munmap resumed>) = 0 [pid 5848] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 174.249406][ T5849] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 174.257373][ T5849] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 174.265602][ T5849] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 174.273572][ T5849] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 174.281591][ T5849] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 174.289765][ T5849] [ 174.294391][ T5849] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5848] ioctl(6, LOOP_SET_FD, 4 [pid 5849] <... munmap resumed>) = 0 [pid 5849] close(5) = 0 [pid 5849] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5849] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5847] <... futex resumed>) = 0 [pid 5848] <... ioctl resumed>) = 0 [pid 5848] close(4) = 0 [pid 5848] mkdir("./file0", 0777) = 0 [pid 5848] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5848] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 4 [pid 5848] chdir("./file0") = 0 [pid 5848] ioctl(6, LOOP_CLR_FD) = 0 [pid 5848] close(6) = 0 [pid 5848] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5848] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5847] exit_group(0) = ? [pid 5849] <... futex resumed>) = ? [pid 5849] +++ exited with 0 +++ [pid 5848] <... futex resumed>) = ? [pid 5848] +++ exited with 0 +++ [pid 5847] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5847, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- umount2("./269", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./269", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./269/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./269/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./269/binderfs") = 0 [ 174.322417][ T5848] loop0: detected capacity change from 0 to 4096 [ 174.334750][ T5848] ntfs: volume version 12.0. umount2("./269/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./269/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./269/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./269/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./269/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./269/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./269") = 0 mkdir("./270", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5850 attached , child_tidptr=0x555555f17690) = 5850 [pid 5850] set_robust_list(0x555555f176a0, 24) = 0 [pid 5850] chdir("./270") = 0 [pid 5850] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5850] setpgid(0, 0) = 0 [pid 5850] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5850] write(3, "1000", 4) = 4 [pid 5850] close(3) = 0 [pid 5850] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5850] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5850] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5850] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5850] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5850] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5850] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5850] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5851]}, 88) = 5851 [pid 5850] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5850] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5850] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5850] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5850] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5850] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5850] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5852 attached [pid 5852] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5850] <... clone3 resumed> => {parent_tid=[5852]}, 88) = 5852 [pid 5852] <... rseq resumed>) = 0 [pid 5850] rt_sigprocmask(SIG_SETMASK, [], [pid 5852] set_robust_list(0x7f79473309a0, 24 [pid 5850] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5852] <... set_robust_list resumed>) = 0 [pid 5850] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5852] rt_sigprocmask(SIG_SETMASK, [], [pid 5850] <... futex resumed>) = 0 [pid 5852] <... rt_sigprocmask resumed>NULL, 8) = 0 ./strace-static-x86_64: Process 5851 attached [pid 5852] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5850] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5851] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053 [pid 5852] <... openat resumed>) = 3 [pid 5851] <... rseq resumed>) = 0 [pid 5851] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5851] rt_sigprocmask(SIG_SETMASK, [], [pid 5852] write(3, "85", 2 [pid 5851] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5852] <... write resumed>) = 2 [pid 5852] memfd_create("syzkaller", 0) = 4 [pid 5852] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5851] memfd_create("syzkaller", 0) = 5 [pid 5851] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 174.423870][ T5852] FAULT_INJECTION: forcing a failure. [ 174.423870][ T5852] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 174.437519][ T5852] CPU: 1 PID: 5852 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 174.447952][ T5852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 174.458090][ T5852] Call Trace: [ 174.461366][ T5852] [ 174.464292][ T5852] dump_stack_lvl+0x1e7/0x2d0 [ 174.468970][ T5852] ? nf_tcp_handle_invalid+0x650/0x650 [ 174.474420][ T5852] ? panic+0x770/0x770 [ 174.478673][ T5852] should_fail_ex+0x3aa/0x4e0 [ 174.483353][ T5852] prepare_alloc_pages+0x1d9/0x5b0 [ 174.488478][ T5852] __alloc_pages+0x165/0x670 [ 174.493065][ T5852] ? zone_statistics+0x170/0x170 [ 174.498019][ T5852] ? verify_lock_unused+0x140/0x140 [ 174.503389][ T5852] ? handle_mm_fault+0x11d/0x62b0 [ 174.508410][ T5852] ? __lock_acquire+0x7f70/0x7f70 [ 174.513424][ T5852] ? pte_offset_map_nolock+0x137/0x1e0 [ 174.518884][ T5852] __folio_alloc+0x13/0x30 [ 174.523298][ T5852] vma_alloc_folio+0x48a/0x9a0 [ 174.528070][ T5852] handle_mm_fault+0x2376/0x62b0 [ 174.533014][ T5852] ? handle_mm_fault+0x11d/0x62b0 [ 174.538057][ T5852] ? numa_migrate_prep+0x380/0x380 [ 174.543176][ T5852] ? mtree_range_walk+0x6a0/0x7e0 [ 174.548200][ T5852] ? lock_vma_under_rcu+0x187/0x6f0 [ 174.553483][ T5852] ? __lock_acquire+0x7f70/0x7f70 [ 174.558501][ T5852] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 174.563707][ T5852] ? lock_vma_under_rcu+0x5df/0x6f0 [ 174.568906][ T5852] ? lock_vma_under_rcu+0x187/0x6f0 [ 174.574111][ T5852] ? exc_page_fault+0x10f/0x860 [ 174.578976][ T5852] exc_page_fault+0x455/0x860 [ 174.585050][ T5852] asm_exc_page_fault+0x26/0x30 [ 174.589897][ T5852] RIP: 0033:0x7f794735bc53 [ 174.594329][ T5852] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 174.613950][ T5852] RSP: 002b:00007f794732f6b0 EFLAGS: 00010202 [pid 5852] munmap(0x7f793ef10000, 138412032 [pid 5851] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5852] <... munmap resumed>) = 0 [pid 5852] close(4) = 0 [pid 5852] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5852] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5850] <... futex resumed>) = 0 [pid 5851] <... write resumed>) = 2097152 [ 174.620014][ T5852] RAX: 0000000000045000 RBX: 00007f794732f750 RCX: 00007f793ef10000 [ 174.628071][ T5852] RDX: 00007f794732f8f0 RSI: 0000000000000005 RDI: 00007f794732f7f0 [ 174.636038][ T5852] RBP: 00000000000000cc R08: 0000000000000009 R09: 00000000000000b3 [ 174.644010][ T5852] R10: 0000000000000132 R11: 00007f794732f750 R12: 0000000000000001 [ 174.651980][ T5852] R13: 00007f7947427f80 R14: 0000000000000049 R15: 00007f794732f7f0 [ 174.660129][ T5852] [ 174.663557][ T5852] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5851] munmap(0x7f7936b10000, 2097152) = 0 [pid 5851] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5851] ioctl(4, LOOP_SET_FD, 5) = 0 [pid 5851] close(5) = 0 [pid 5851] mkdir("./file0", 0777) = 0 [pid 5851] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5851] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 5851] chdir("./file0") = 0 [pid 5851] ioctl(4, LOOP_CLR_FD) = 0 [pid 5851] close(4) = 0 [pid 5851] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5850] exit_group(0) = ? [pid 5851] +++ exited with 0 +++ [pid 5852] <... futex resumed>) = ? [pid 5852] +++ exited with 0 +++ [pid 5850] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5850, si_uid=0, si_status=0, si_utime=0, si_stime=32 /* 0.32 s */} --- umount2("./270", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./270", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./270/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./270/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./270/binderfs") = 0 umount2("./270/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./270/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./270/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./270/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./270/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./270/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./270") = 0 mkdir("./271", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5853 attached [pid 5853] set_robust_list(0x555555f176a0, 24) = 0 [pid 5853] chdir("./271") = 0 [pid 5031] <... clone resumed>, child_tidptr=0x555555f17690) = 5853 [ 174.709027][ T5851] loop0: detected capacity change from 0 to 4096 [ 174.721347][ T5851] ntfs: volume version 12.0. [pid 5853] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5853] setpgid(0, 0) = 0 [pid 5853] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5853] write(3, "1000", 4) = 4 [pid 5853] close(3) = 0 [pid 5853] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5853] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5853] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5853] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5853] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5853] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5853] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5853] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5854 attached => {parent_tid=[5854]}, 88) = 5854 [pid 5854] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5853] rt_sigprocmask(SIG_SETMASK, [], [pid 5854] set_robust_list(0x7f79473519a0, 24 [pid 5853] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5854] <... set_robust_list resumed>) = 0 [pid 5853] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5854] rt_sigprocmask(SIG_SETMASK, [], [pid 5853] <... futex resumed>) = 0 [pid 5854] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5854] memfd_create("syzkaller", 0 [pid 5853] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5853] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5853] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5853] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5854] <... memfd_create resumed>) = 3 [pid 5854] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5853] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5854] <... mmap resumed>) = 0x7f793ef10000 [pid 5853] <... clone3 resumed> => {parent_tid=[5855]}, 88) = 5855 ./strace-static-x86_64: Process 5855 attached [pid 5853] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5853] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5853] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5855] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5855] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5855] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5855] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5855] write(4, "85", 2) = 2 [pid 5855] memfd_create("syzkaller", 0) = 5 [pid 5855] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5854] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 174.804394][ T5855] FAULT_INJECTION: forcing a failure. [ 174.804394][ T5855] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 174.826983][ T5855] CPU: 0 PID: 5855 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 174.837445][ T5855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 174.847529][ T5855] Call Trace: [ 174.850819][ T5855] [ 174.853746][ T5855] dump_stack_lvl+0x1e7/0x2d0 [ 174.858424][ T5855] ? nf_tcp_handle_invalid+0x650/0x650 [ 174.863898][ T5855] ? panic+0x770/0x770 [ 174.867966][ T5855] should_fail_ex+0x3aa/0x4e0 [ 174.872652][ T5855] prepare_alloc_pages+0x1d9/0x5b0 [ 174.877783][ T5855] __alloc_pages+0x165/0x670 [ 174.882388][ T5855] ? zone_statistics+0x170/0x170 [ 174.887354][ T5855] ? verify_lock_unused+0x140/0x140 [ 174.892659][ T5855] ? handle_mm_fault+0x11d/0x62b0 [ 174.897683][ T5855] ? __lock_acquire+0x7f70/0x7f70 [ 174.902728][ T5855] ? pte_offset_map_nolock+0x137/0x1e0 [ 174.908189][ T5855] __folio_alloc+0x13/0x30 [ 174.912602][ T5855] vma_alloc_folio+0x48a/0x9a0 [ 174.917379][ T5855] handle_mm_fault+0x2376/0x62b0 [ 174.922363][ T5855] ? handle_mm_fault+0x11d/0x62b0 [ 174.927417][ T5855] ? numa_migrate_prep+0x380/0x380 [ 174.932559][ T5855] ? mtree_range_walk+0x6a0/0x7e0 [ 174.937587][ T5855] ? lock_vma_under_rcu+0x187/0x6f0 [ 174.942790][ T5855] ? __lock_acquire+0x7f70/0x7f70 [ 174.947852][ T5855] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 174.953143][ T5855] ? lock_vma_under_rcu+0x5df/0x6f0 [ 174.958339][ T5855] ? lock_vma_under_rcu+0x187/0x6f0 [ 174.963550][ T5855] ? exc_page_fault+0x10f/0x860 [ 174.968410][ T5855] exc_page_fault+0x455/0x860 [ 174.973103][ T5855] asm_exc_page_fault+0x26/0x30 [ 174.977956][ T5855] RIP: 0033:0x7f794735bc53 [ 174.982477][ T5855] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 175.002357][ T5855] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 175.008609][ T5855] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 175.017545][ T5855] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 175.025519][ T5855] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 175.033513][ T5855] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 175.041508][ T5855] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 175.049627][ T5855] [pid 5854] munmap(0x7f793ef10000, 2097152) = 0 [pid 5854] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5854] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5854] close(3) = 0 [pid 5854] mkdir("./file0", 0777) = 0 [pid 5854] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5854] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5854] chdir("./file0") = 0 [pid 5854] ioctl(6, LOOP_CLR_FD) = 0 [pid 5854] close(6) = 0 [pid 5854] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5854] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5855] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5855] munmap(0x7f7936b10000, 2097152) = 0 [pid 5855] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5855] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5855] ioctl(6, LOOP_CLR_FD) = 0 [pid 5855] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5855] close(6) = 0 [pid 5855] close(5) = 0 [pid 5855] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5853] <... futex resumed>) = 0 [pid 5855] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5853] exit_group(0) = ? [pid 5854] <... futex resumed>) = ? [pid 5854] +++ exited with 0 +++ [pid 5855] <... futex resumed>) = ? [ 175.053700][ T5855] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 175.067711][ T5854] loop0: detected capacity change from 0 to 4096 [ 175.082225][ T5854] ntfs: volume version 12.0. [pid 5855] +++ exited with 0 +++ [pid 5853] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5853, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=15 /* 0.15 s */} --- umount2("./271", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./271", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./271/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./271/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./271/binderfs") = 0 umount2("./271/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./271/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./271/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./271/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./271/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./271/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./271") = 0 mkdir("./272", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5856 attached , child_tidptr=0x555555f17690) = 5856 [pid 5856] set_robust_list(0x555555f176a0, 24) = 0 [pid 5856] chdir("./272") = 0 [pid 5856] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5856] setpgid(0, 0) = 0 [pid 5856] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5856] write(3, "1000", 4) = 4 [pid 5856] close(3) = 0 [pid 5856] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5856] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5856] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5856] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5856] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5856] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5856] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5856] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5857 attached [pid 5857] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5857] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5857] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5857] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5856] <... clone3 resumed> => {parent_tid=[5857]}, 88) = 5857 [pid 5856] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5856] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5857] <... futex resumed>) = 0 [pid 5856] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5857] memfd_create("syzkaller", 0 [pid 5856] <... futex resumed>) = 0 [pid 5856] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5856] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5856] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5857] <... memfd_create resumed>) = 3 [pid 5856] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} [pid 5857] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0./strace-static-x86_64: Process 5858 attached ) = 0x7f793ef10000 [pid 5858] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5856] <... clone3 resumed> => {parent_tid=[5858]}, 88) = 5858 [pid 5858] <... rseq resumed>) = 0 [pid 5856] rt_sigprocmask(SIG_SETMASK, [], [pid 5858] set_robust_list(0x7f79473309a0, 24 [pid 5856] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5858] <... set_robust_list resumed>) = 0 [pid 5856] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5858] rt_sigprocmask(SIG_SETMASK, [], [pid 5856] <... futex resumed>) = 0 [pid 5858] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5856] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5858] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5858] write(4, "85", 2) = 2 [pid 5858] memfd_create("syzkaller", 0) = 5 [pid 5858] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5857] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 175.233056][ T5858] FAULT_INJECTION: forcing a failure. [ 175.233056][ T5858] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 175.246427][ T5858] CPU: 1 PID: 5858 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 175.256863][ T5858] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 175.266936][ T5858] Call Trace: [ 175.270266][ T5858] [ 175.273202][ T5858] dump_stack_lvl+0x1e7/0x2d0 [ 175.277881][ T5858] ? nf_tcp_handle_invalid+0x650/0x650 [ 175.283332][ T5858] ? panic+0x770/0x770 [ 175.287399][ T5858] should_fail_ex+0x3aa/0x4e0 [ 175.292088][ T5858] prepare_alloc_pages+0x1d9/0x5b0 [ 175.297269][ T5858] __alloc_pages+0x165/0x670 [ 175.302200][ T5858] ? zone_statistics+0x170/0x170 [ 175.307142][ T5858] ? verify_lock_unused+0x140/0x140 [ 175.312337][ T5858] ? handle_mm_fault+0x11d/0x62b0 [ 175.317360][ T5858] ? __lock_acquire+0x7f70/0x7f70 [ 175.322375][ T5858] ? pte_offset_map_nolock+0x137/0x1e0 [ 175.327840][ T5858] __folio_alloc+0x13/0x30 [ 175.332264][ T5858] vma_alloc_folio+0x48a/0x9a0 [ 175.337034][ T5858] handle_mm_fault+0x2376/0x62b0 [ 175.341977][ T5858] ? handle_mm_fault+0x11d/0x62b0 [ 175.347014][ T5858] ? numa_migrate_prep+0x380/0x380 [ 175.352219][ T5858] ? mtree_range_walk+0x6a0/0x7e0 [ 175.357243][ T5858] ? lock_vma_under_rcu+0x187/0x6f0 [ 175.362440][ T5858] ? __lock_acquire+0x7f70/0x7f70 [ 175.367456][ T5858] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 175.372664][ T5858] ? lock_vma_under_rcu+0x5df/0x6f0 [ 175.377863][ T5858] ? lock_vma_under_rcu+0x187/0x6f0 [ 175.383068][ T5858] ? exc_page_fault+0x10f/0x860 [ 175.387918][ T5858] exc_page_fault+0x455/0x860 [ 175.392618][ T5858] asm_exc_page_fault+0x26/0x30 [ 175.397473][ T5858] RIP: 0033:0x7f794735bc53 [ 175.402013][ T5858] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 175.422588][ T5858] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5857] munmap(0x7f793ef10000, 2097152) = 0 [pid 5857] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [ 175.428999][ T5858] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 175.437405][ T5858] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 175.445465][ T5858] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 175.453435][ T5858] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 175.461399][ T5858] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 175.469375][ T5858] [ 175.472909][ T5858] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5857] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5857] close(3) = 0 [pid 5857] mkdir("./file0", 0777) = 0 [pid 5857] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "" [pid 5858] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5857] <... mount resumed>) = 0 [pid 5857] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5857] chdir("./file0") = 0 [pid 5857] ioctl(6, LOOP_CLR_FD) = 0 [pid 5857] close(6) = 0 [pid 5857] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5858] <... write resumed>) = 2097152 [pid 5857] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5858] munmap(0x7f7936b10000, 2097152) = 0 [pid 5858] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5858] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5858] ioctl(6, LOOP_CLR_FD) = 0 [pid 5858] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5858] close(6) = 0 [pid 5858] close(5) = 0 [pid 5858] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5856] <... futex resumed>) = 0 [pid 5856] exit_group(0) = ? [pid 5857] <... futex resumed>) = ? [pid 5857] +++ exited with 0 +++ [pid 5858] <... futex resumed>) = ? [pid 5858] +++ exited with 0 +++ [pid 5856] +++ exited with 0 +++ [ 175.487725][ T5857] loop0: detected capacity change from 0 to 4096 [ 175.506523][ T5857] ntfs: volume version 12.0. --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5856, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=13 /* 0.13 s */} --- umount2("./272", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./272", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./272/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./272/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./272/binderfs") = 0 umount2("./272/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./272/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./272/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./272/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./272/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./272/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./272") = 0 mkdir("./273", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5859 attached , child_tidptr=0x555555f17690) = 5859 [pid 5859] set_robust_list(0x555555f176a0, 24) = 0 [pid 5859] chdir("./273") = 0 [pid 5859] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5859] setpgid(0, 0) = 0 [pid 5859] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5859] write(3, "1000", 4) = 4 [pid 5859] close(3) = 0 [pid 5859] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5859] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5859] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5859] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5859] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5859] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5859] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5859] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0}./strace-static-x86_64: Process 5860 attached [pid 5860] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5859] <... clone3 resumed> => {parent_tid=[5860]}, 88) = 5860 [pid 5860] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5860] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5860] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5859] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5859] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5860] <... futex resumed>) = 0 [pid 5859] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5859] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5859] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE [pid 5860] memfd_create("syzkaller", 0 [pid 5859] <... mprotect resumed>) = 0 [pid 5860] <... memfd_create resumed>) = 3 [pid 5860] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f793ef10000 [pid 5859] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5859] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0} => {parent_tid=[5861]}, 88) = 5861 [pid 5859] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5859] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5859] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5861 attached [pid 5861] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053) = 0 [pid 5861] set_robust_list(0x7f79473309a0, 24) = 0 [pid 5861] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5861] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5861] write(4, "85", 2) = 2 [pid 5861] memfd_create("syzkaller", 0) = 5 [pid 5861] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [pid 5860] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [ 175.631441][ T5861] FAULT_INJECTION: forcing a failure. [ 175.631441][ T5861] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 175.646528][ T5861] CPU: 1 PID: 5861 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 175.657151][ T5861] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 175.667305][ T5861] Call Trace: [ 175.670580][ T5861] [ 175.673542][ T5861] dump_stack_lvl+0x1e7/0x2d0 [ 175.678228][ T5861] ? nf_tcp_handle_invalid+0x650/0x650 [ 175.683703][ T5861] ? panic+0x770/0x770 [ 175.687790][ T5861] should_fail_ex+0x3aa/0x4e0 [ 175.692469][ T5861] prepare_alloc_pages+0x1d9/0x5b0 [ 175.697592][ T5861] __alloc_pages+0x165/0x670 [ 175.702204][ T5861] ? zone_statistics+0x170/0x170 [ 175.707746][ T5861] ? verify_lock_unused+0x140/0x140 [ 175.712946][ T5861] ? handle_mm_fault+0x11d/0x62b0 [ 175.717991][ T5861] ? __lock_acquire+0x7f70/0x7f70 [ 175.723015][ T5861] ? pte_offset_map_nolock+0x137/0x1e0 [ 175.728489][ T5861] __folio_alloc+0x13/0x30 [ 175.732918][ T5861] vma_alloc_folio+0x48a/0x9a0 [ 175.737702][ T5861] handle_mm_fault+0x2376/0x62b0 [ 175.742641][ T5861] ? handle_mm_fault+0x11d/0x62b0 [ 175.747668][ T5861] ? numa_migrate_prep+0x380/0x380 [ 175.752782][ T5861] ? mtree_range_walk+0x6a0/0x7e0 [ 175.757809][ T5861] ? lock_vma_under_rcu+0x187/0x6f0 [ 175.763038][ T5861] ? __lock_acquire+0x7f70/0x7f70 [ 175.768052][ T5861] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 175.773252][ T5861] ? lock_vma_under_rcu+0x5df/0x6f0 [ 175.778447][ T5861] ? lock_vma_under_rcu+0x187/0x6f0 [ 175.783663][ T5861] ? exc_page_fault+0x10f/0x860 [ 175.788548][ T5861] exc_page_fault+0x455/0x860 [ 175.793263][ T5861] asm_exc_page_fault+0x26/0x30 [ 175.798117][ T5861] RIP: 0033:0x7f794735bc53 [ 175.802542][ T5861] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 175.822146][ T5861] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [ 175.828296][ T5861] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 175.836257][ T5861] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 175.844227][ T5861] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 175.852193][ T5861] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 175.860181][ T5861] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 175.868175][ T5861] [ 175.871514][ T5861] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5860] munmap(0x7f793ef10000, 2097152) = 0 [pid 5860] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5860] ioctl(6, LOOP_SET_FD, 3) = 0 [pid 5860] close(3) = 0 [pid 5860] mkdir("./file0", 0777) = 0 [pid 5860] mount("/dev/loop0", "./file0", "ntfs", MS_RDONLY|MS_NOSUID|MS_NOSYMFOLLOW|MS_NOATIME|MS_SILENT|0x200, "") = 0 [pid 5860] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5860] chdir("./file0" [pid 5861] write(5, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5860] <... chdir resumed>) = 0 [pid 5860] ioctl(6, LOOP_CLR_FD) = 0 [pid 5860] close(6) = 0 [pid 5860] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5860] futex(0x7f794745b6a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5861] <... write resumed>) = 2097152 [pid 5861] munmap(0x7f7936b10000, 2097152) = 0 [pid 5861] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 6 [pid 5861] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5861] ioctl(6, LOOP_CLR_FD) = 0 [ 175.883122][ T5860] loop0: detected capacity change from 0 to 4096 [ 175.901104][ T5860] ntfs: volume version 12.0. [pid 5861] ioctl(6, LOOP_SET_FD, 5) = -1 EBUSY (Device or resource busy) [pid 5861] close(6) = 0 [pid 5861] close(5) = 0 [pid 5861] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5859] <... futex resumed>) = 0 [pid 5861] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5859] exit_group(0) = ? [pid 5860] <... futex resumed>) = ? [pid 5861] <... futex resumed>) = ? [pid 5861] +++ exited with 0 +++ [pid 5860] +++ exited with 0 +++ [pid 5859] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5859, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=16 /* 0.16 s */} --- umount2("./273", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./273", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555555f18730 /* 4 entries */, 32768) = 112 umount2("./273/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./273/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./273/binderfs") = 0 umount2("./273/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./273/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./273/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./273/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./273/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555555f20770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555555f20770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./273/file0") = 0 getdents64(3, 0x555555f18730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./273") = 0 mkdir("./274", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555f17690) = 5862 ./strace-static-x86_64: Process 5862 attached [pid 5862] set_robust_list(0x555555f176a0, 24) = 0 [pid 5862] chdir("./274") = 0 [pid 5862] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5862] setpgid(0, 0) = 0 [pid 5862] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5862] write(3, "1000", 4) = 4 [pid 5862] close(3) = 0 [pid 5862] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5862] futex(0x7f794745b6ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5862] rt_sigaction(SIGRT_1, {sa_handler=0x7f79473bb070, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79473ac220}, NULL, 8) = 0 [pid 5862] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5862] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947331000 [pid 5862] mprotect(0x7f7947332000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5862] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5862] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947351990, parent_tid=0x7f7947351990, exit_signal=0, stack=0x7f7947331000, stack_size=0x20300, tls=0x7f79473516c0} => {parent_tid=[5863]}, 88) = 5863 [pid 5862] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5862] futex(0x7f794745b6a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5862] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5862] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7947310000 [pid 5862] mprotect(0x7f7947311000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5862] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5862] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7947330990, parent_tid=0x7f7947330990, exit_signal=0, stack=0x7f7947310000, stack_size=0x20300, tls=0x7f79473306c0}./strace-static-x86_64: Process 5864 attached [pid 5864] rseq(0x7f7947330fe0, 0x20, 0, 0x53053053 [pid 5862] <... clone3 resumed> => {parent_tid=[5864]}, 88) = 5864 [pid 5864] <... rseq resumed>) = 0 [pid 5862] rt_sigprocmask(SIG_SETMASK, [], [pid 5864] set_robust_list(0x7f79473309a0, 24 [pid 5862] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5864] <... set_robust_list resumed>) = 0 [pid 5864] rt_sigprocmask(SIG_SETMASK, [], [pid 5862] futex(0x7f794745b6b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5864] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5862] <... futex resumed>) = 0 ./strace-static-x86_64: Process 5863 attached [pid 5864] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 5862] futex(0x7f794745b6bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5863] rseq(0x7f7947351fe0, 0x20, 0, 0x53053053) = 0 [pid 5863] set_robust_list(0x7f79473519a0, 24) = 0 [pid 5863] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5864] <... openat resumed>) = 3 [pid 5864] write(3, "85", 2 [pid 5863] memfd_create("syzkaller", 0 [pid 5864] <... write resumed>) = 2 [pid 5863] <... memfd_create resumed>) = 4 [pid 5864] memfd_create("syzkaller", 0 [pid 5863] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5864] <... memfd_create resumed>) = 5 [pid 5863] <... mmap resumed>) = 0x7f793ef10000 [pid 5864] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7936b10000 [ 176.036635][ T5864] FAULT_INJECTION: forcing a failure. [ 176.036635][ T5864] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 176.050202][ T5864] CPU: 0 PID: 5864 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 176.060632][ T5864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 176.070692][ T5864] Call Trace: [ 176.073963][ T5864] [ 176.076889][ T5864] dump_stack_lvl+0x1e7/0x2d0 [ 176.081570][ T5864] ? nf_tcp_handle_invalid+0x650/0x650 [ 176.087021][ T5864] ? panic+0x770/0x770 [ 176.091093][ T5864] should_fail_ex+0x3aa/0x4e0 [ 176.095803][ T5864] prepare_alloc_pages+0x1d9/0x5b0 [ 176.100950][ T5864] __alloc_pages+0x165/0x670 [ 176.105561][ T5864] ? zone_statistics+0x170/0x170 [ 176.110504][ T5864] ? verify_lock_unused+0x140/0x140 [ 176.115702][ T5864] ? handle_mm_fault+0x11d/0x62b0 [ 176.120728][ T5864] ? __lock_acquire+0x7f70/0x7f70 [ 176.125753][ T5864] ? pte_offset_map_nolock+0x137/0x1e0 [ 176.131213][ T5864] __folio_alloc+0x13/0x30 [ 176.135625][ T5864] vma_alloc_folio+0x48a/0x9a0 [ 176.140393][ T5864] handle_mm_fault+0x2376/0x62b0 [ 176.145335][ T5864] ? handle_mm_fault+0x11d/0x62b0 [ 176.150363][ T5864] ? numa_migrate_prep+0x380/0x380 [ 176.155476][ T5864] ? mtree_range_walk+0x6a0/0x7e0 [ 176.160501][ T5864] ? lock_vma_under_rcu+0x187/0x6f0 [ 176.165700][ T5864] ? __lock_acquire+0x7f70/0x7f70 [ 176.170716][ T5864] ? lock_vma_under_rcu+0x2f6/0x6f0 [ 176.175923][ T5864] ? lock_vma_under_rcu+0x5df/0x6f0 [ 176.181205][ T5864] ? lock_vma_under_rcu+0x187/0x6f0 [ 176.186409][ T5864] ? exc_page_fault+0x10f/0x860 [ 176.191255][ T5864] exc_page_fault+0x455/0x860 [ 176.195930][ T5864] asm_exc_page_fault+0x26/0x30 [ 176.200857][ T5864] RIP: 0033:0x7f794735bc53 [ 176.205297][ T5864] Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c [ 176.224989][ T5864] RSP: 002b:00007f794732f6b0 EFLAGS: 00010206 [pid 5863] write(4, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152 [pid 5864] munmap(0x7f7936b10000, 138412032) = 0 [pid 5864] close(5) = 0 [pid 5864] futex(0x7f794745b6bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5862] <... futex resumed>) = 0 [pid 5864] <... futex resumed>) = 1 [pid 5864] futex(0x7f794745b6b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5863] <... write resumed>) = 2097152 [pid 5863] munmap(0x7f793ef10000, 2097152) = 0 [pid 5863] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [ 176.231052][ T5864] RAX: 000000000008b001 RBX: 00007f794732f750 RCX: 00007f7936b10000 [ 176.239013][ T5864] RDX: 00007f794732f8f0 RSI: 0000000000000009 RDI: 00007f794732f7f0 [ 176.247023][ T5864] RBP: 0000000000000133 R08: 0000000000000006 R09: 00000000ffffffee [ 176.255079][ T5864] R10: 0000000000000004 R11: 00007f794732f750 R12: 00007f794732f750 [ 176.263042][ T5864] R13: 00007f7947427f80 R14: 000000000000001e R15: 00007f794732f7f0 [ 176.271017][ T5864] [ 176.274453][ T5864] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 5863] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 5863] close(4) = 0 [pid 5863] mkdir("./file0", 0777) = 0 [ 176.307685][ T5863] loop0: detected capacity change from 0 to 4096 [ 176.330011][ T5863] ================================================================== [ 176.338104][ T5863] BUG: KASAN: slab-out-of-bounds in ntfs_test_inode+0x7f/0x2e0 [ 176.345645][ T5863] Read of size 8 at addr ffff888077b1df60 by task syz-executor108/5863 [ 176.353880][ T5863] [ 176.356291][ T5863] CPU: 0 PID: 5863 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 176.366693][ T5863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 176.376744][ T5863] Call Trace: [ 176.380022][ T5863] [ 176.382953][ T5863] dump_stack_lvl+0x1e7/0x2d0 [ 176.387639][ T5863] ? nf_tcp_handle_invalid+0x650/0x650 [ 176.393087][ T5863] ? panic+0x770/0x770 [ 176.397145][ T5863] ? _printk+0xd5/0x120 [ 176.401293][ T5863] print_report+0x163/0x540 [ 176.405794][ T5863] ? __virt_addr_valid+0x22f/0x2e0 [ 176.410905][ T5863] ? __phys_addr+0xba/0x170 [ 176.415394][ T5863] ? ntfs_test_inode+0x7f/0x2e0 [ 176.420232][ T5863] kasan_report+0x175/0x1b0 [ 176.424728][ T5863] ? ntfs_test_inode+0x7f/0x2e0 [ 176.429566][ T5863] kasan_check_range+0x27e/0x290 [ 176.434501][ T5863] ntfs_test_inode+0x7f/0x2e0 [ 176.439176][ T5863] find_inode+0x16f/0x430 [ 176.443507][ T5863] ? _compound_head+0x120/0x120 [ 176.448413][ T5863] ? inode_insert5+0x500/0x500 [ 176.453170][ T5863] ? __rwlock_init+0x150/0x150 [ 176.457924][ T5863] ? _compound_head+0x120/0x120 [ 176.462761][ T5863] ? _compound_head+0x120/0x120 [ 176.467598][ T5863] ilookup5+0xa1/0x200 [ 176.471656][ T5863] ? _compound_head+0x120/0x120 [ 176.476491][ T5863] ? ntfs_iget+0x190/0x190 [ 176.480894][ T5863] iget5_locked+0x37/0x270 [ 176.485300][ T5863] ntfs_attr_iget+0x1b5/0x2420 [ 176.490053][ T5863] ? __ntfs_warning+0xce/0x230 [ 176.494806][ T5863] ? _compound_head+0x120/0x120 [ 176.499642][ T5863] ? ntfs_read_locked_inode+0x4980/0x4980 [ 176.505348][ T5863] ? evict+0x56e/0x620 [ 176.509413][ T5863] load_system_files+0x1333/0x4840 [ 176.514520][ T5863] ? __mutex_unlock_slowpath+0x21c/0x750 [ 176.520144][ T5863] ? free_vm_area+0x50/0x50 [ 176.524634][ T5863] ? ntfs_setup_allocators+0x2d0/0x2d0 [ 176.530081][ T5863] ? mutex_unlock+0x10/0x10 [ 176.534573][ T5863] ? __asan_memset+0x23/0x40 [ 176.539152][ T5863] ? generate_default_upcase+0x8ed/0x940 [ 176.544862][ T5863] ntfs_fill_super+0x19b3/0x2bd0 [ 176.549798][ T5863] mount_bdev+0x237/0x300 [ 176.554163][ T5863] ? ntfs_mount+0x40/0x40 [ 176.558478][ T5863] ? get_tree_bdev+0x5b0/0x5b0 [ 176.563236][ T5863] ? vfs_parse_fs_string+0x190/0x230 [ 176.568525][ T5863] ? vfs_parse_fs_param+0x410/0x410 [ 176.573746][ T5863] ? cap_capable+0x1b4/0x240 [ 176.578324][ T5863] legacy_get_tree+0xef/0x190 [ 176.583034][ T5863] ? ntfs_rl_punch_nolock+0x15b0/0x15b0 [ 176.588575][ T5863] vfs_get_tree+0x8c/0x280 [ 176.592991][ T5863] do_new_mount+0x28f/0xae0 [ 176.597486][ T5863] ? do_move_mount_old+0x170/0x170 [ 176.602588][ T5863] ? user_path_at_empty+0x12f/0x180 [ 176.607776][ T5863] __se_sys_mount+0x2d9/0x3c0 [ 176.612441][ T5863] ? __x64_sys_mount+0xc0/0xc0 [ 176.617192][ T5863] ? syscall_enter_from_user_mode+0x32/0x230 [ 176.623162][ T5863] ? __x64_sys_mount+0x20/0xc0 [ 176.628009][ T5863] do_syscall_64+0x41/0xc0 [ 176.632416][ T5863] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 176.638294][ T5863] RIP: 0033:0x7f79473960aa [ 176.642697][ T5863] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 176.662287][ T5863] RSP: 002b:00007f7947351028 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 176.670688][ T5863] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f79473960aa [ 176.678648][ T5863] RDX: 000000002001f6c0 RSI: 000000002001f640 RDI: 00007f7947351080 [ 176.686613][ T5863] RBP: 000000002001f6c0 R08: 00007f79473510c0 R09: 000000000001f63f [ 176.694570][ T5863] R10: 0000000000008703 R11: 0000000000000286 R12: 00007f7947351080 [ 176.702532][ T5863] R13: 000000002001f640 R14: 000000000001f646 R15: 00007f79473510c0 [ 176.710510][ T5863] [ 176.713520][ T5863] [ 176.715826][ T5863] Allocated by task 5059: [ 176.720137][ T5863] kasan_set_track+0x4f/0x70 [ 176.724718][ T5863] __kasan_slab_alloc+0x66/0x70 [ 176.729558][ T5863] slab_post_alloc_hook+0x67/0x3d0 [ 176.734657][ T5863] kmem_cache_alloc_lru+0x122/0x300 [ 176.739930][ T5863] ntfs_alloc_inode+0x28/0x80 [ 176.744604][ T5863] iget5_locked+0xa0/0x270 [ 176.749011][ T5863] ntfs_iget5+0xc6/0x38e0 [ 176.753322][ T5863] ntfs_fill_super+0x2dec/0x4c30 [ 176.758246][ T5863] get_tree_bdev+0x416/0x5b0 [ 176.762820][ T5863] vfs_get_tree+0x8c/0x280 [ 176.767223][ T5863] do_new_mount+0x28f/0xae0 [ 176.771714][ T5863] __se_sys_mount+0x2d9/0x3c0 [ 176.776375][ T5863] do_syscall_64+0x41/0xc0 [ 176.780774][ T5863] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 176.786664][ T5863] [ 176.788975][ T5863] The buggy address belongs to the object at ffff888077b1d880 [ 176.788975][ T5863] which belongs to the cache ntfs_inode_cache of size 1760 [ 176.803620][ T5863] The buggy address is located 0 bytes to the right of [ 176.803620][ T5863] allocated 1760-byte region [ffff888077b1d880, ffff888077b1df60) [ 176.818181][ T5863] [ 176.820489][ T5863] The buggy address belongs to the physical page: [ 176.826894][ T5863] page:ffffea0001dec600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x77b18 [ 176.837050][ T5863] head:ffffea0001dec600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 176.846749][ T5863] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 176.854725][ T5863] page_type: 0xffffffff() [ 176.859049][ T5863] raw: 00fff00000000840 ffff888141666c80 dead000000000100 dead000000000122 [ 176.867638][ T5863] raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000 [ 176.876300][ T5863] page dumped because: kasan: bad access detected [ 176.882709][ T5863] page_owner tracks the page as allocated [ 176.888409][ T5863] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5056, tgid 5054 (syz-executor108), ts 62202039156, free_ts 18025050030 [ 176.911071][ T5863] post_alloc_hook+0x1e6/0x210 [ 176.915837][ T5863] get_page_from_freelist+0x31db/0x3360 [ 176.921402][ T5863] __alloc_pages+0x255/0x670 [ 176.926011][ T5863] alloc_slab_page+0x6a/0x160 [ 176.930779][ T5863] new_slab+0x84/0x2f0 [ 176.934849][ T5863] ___slab_alloc+0xc85/0x1310 [ 176.939515][ T5863] kmem_cache_alloc_lru+0x1bf/0x300 [ 176.944710][ T5863] ntfs_alloc_inode+0x28/0x80 [ 176.949395][ T5863] iget5_locked+0xa0/0x270 [ 176.953807][ T5863] ntfs_iget5+0xc6/0x38e0 [ 176.958135][ T5863] ntfs_fill_super+0x2459/0x4c30 [ 176.963064][ T5863] get_tree_bdev+0x416/0x5b0 [ 176.967660][ T5863] vfs_get_tree+0x8c/0x280 [ 176.972194][ T5863] do_new_mount+0x28f/0xae0 [ 176.976780][ T5863] __se_sys_mount+0x2d9/0x3c0 [ 176.981531][ T5863] do_syscall_64+0x41/0xc0 [ 176.985937][ T5863] page last free stack trace: [ 176.990591][ T5863] free_unref_page_prepare+0x8c3/0x9f0 [ 176.996058][ T5863] free_unref_page+0x37/0x3f0 [ 177.000878][ T5863] free_contig_range+0x9e/0x150 [ 177.005714][ T5863] destroy_args+0x95/0x7c0 [ 177.010128][ T5863] debug_vm_pgtable+0x4ba/0x540 [ 177.014966][ T5863] do_one_initcall+0x23d/0x7d0 [ 177.019715][ T5863] do_initcall_level+0x157/0x210 [ 177.024726][ T5863] do_initcalls+0x3f/0x80 [ 177.029045][ T5863] kernel_init_freeable+0x429/0x5c0 [ 177.034230][ T5863] kernel_init+0x1d/0x2a0 [ 177.038546][ T5863] ret_from_fork+0x48/0x80 [ 177.043783][ T5863] ret_from_fork_asm+0x11/0x20 [ 177.048535][ T5863] [ 177.050843][ T5863] Memory state around the buggy address: [ 177.056489][ T5863] ffff888077b1de00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 177.065347][ T5863] ffff888077b1de80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 177.073401][ T5863] >ffff888077b1df00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 177.081450][ T5863] ^ [ 177.088634][ T5863] ffff888077b1df80: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 [ 177.096688][ T5863] ffff888077b1e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 177.104904][ T5863] ================================================================== [ 177.113199][ T5863] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 177.120490][ T5863] CPU: 0 PID: 5863 Comm: syz-executor108 Not tainted 6.6.0-rc2-syzkaller-00386-g3aba70aed91f #0 [ 177.130905][ T5863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 177.140955][ T5863] Call Trace: [ 177.144225][ T5863] [ 177.147150][ T5863] dump_stack_lvl+0x1e7/0x2d0 [ 177.151848][ T5863] ? nf_tcp_handle_invalid+0x650/0x650 [ 177.157306][ T5863] ? panic+0x770/0x770 [ 177.161374][ T5863] ? lock_release+0xbf/0x9d0 [ 177.165954][ T5863] ? vscnprintf+0x5d/0x80 [ 177.170273][ T5863] panic+0x30f/0x770 [ 177.174155][ T5863] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 177.180331][ T5863] ? check_panic_on_warn+0x21/0xa0 [ 177.185430][ T5863] ? __memcpy_flushcache+0x2b0/0x2b0 [ 177.190705][ T5863] ? mark_lock+0x9a/0x340 [ 177.195023][ T5863] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 177.200905][ T5863] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 177.206838][ T5863] ? _raw_spin_unlock+0x40/0x40 [ 177.211701][ T5863] check_panic_on_warn+0x82/0xa0 [ 177.216626][ T5863] ? ntfs_test_inode+0x7f/0x2e0 [ 177.221464][ T5863] end_report+0x6e/0x130 [ 177.225697][ T5863] kasan_report+0x186/0x1b0 [ 177.230192][ T5863] ? ntfs_test_inode+0x7f/0x2e0 [ 177.235049][ T5863] kasan_check_range+0x27e/0x290 [ 177.239977][ T5863] ntfs_test_inode+0x7f/0x2e0 [ 177.244645][ T5863] find_inode+0x16f/0x430 [ 177.248975][ T5863] ? _compound_head+0x120/0x120 [ 177.253836][ T5863] ? inode_insert5+0x500/0x500 [ 177.258595][ T5863] ? __rwlock_init+0x150/0x150 [ 177.263356][ T5863] ? _compound_head+0x120/0x120 [ 177.268191][ T5863] ? _compound_head+0x120/0x120 [ 177.273026][ T5863] ilookup5+0xa1/0x200 [ 177.277086][ T5863] ? _compound_head+0x120/0x120 [ 177.281920][ T5863] ? ntfs_iget+0x190/0x190 [ 177.286322][ T5863] iget5_locked+0x37/0x270 [ 177.290819][ T5863] ntfs_attr_iget+0x1b5/0x2420 [ 177.295574][ T5863] ? __ntfs_warning+0xce/0x230 [ 177.300368][ T5863] ? _compound_head+0x120/0x120 [ 177.305206][ T5863] ? ntfs_read_locked_inode+0x4980/0x4980 [ 177.310915][ T5863] ? evict+0x56e/0x620 [ 177.314979][ T5863] load_system_files+0x1333/0x4840 [ 177.320084][ T5863] ? __mutex_unlock_slowpath+0x21c/0x750 [ 177.325704][ T5863] ? free_vm_area+0x50/0x50 [ 177.330195][ T5863] ? ntfs_setup_allocators+0x2d0/0x2d0 [ 177.335752][ T5863] ? mutex_unlock+0x10/0x10 [ 177.340248][ T5863] ? __asan_memset+0x23/0x40 [ 177.344832][ T5863] ? generate_default_upcase+0x8ed/0x940 [ 177.350460][ T5863] ntfs_fill_super+0x19b3/0x2bd0 [ 177.355394][ T5863] mount_bdev+0x237/0x300 [ 177.359718][ T5863] ? ntfs_mount+0x40/0x40 [ 177.364040][ T5863] ? get_tree_bdev+0x5b0/0x5b0 [ 177.368793][ T5863] ? vfs_parse_fs_string+0x190/0x230 [ 177.374072][ T5863] ? vfs_parse_fs_param+0x410/0x410 [ 177.379286][ T5863] ? cap_capable+0x1b4/0x240 [ 177.383874][ T5863] legacy_get_tree+0xef/0x190 [ 177.388543][ T5863] ? ntfs_rl_punch_nolock+0x15b0/0x15b0 [ 177.394075][ T5863] vfs_get_tree+0x8c/0x280 [ 177.398481][ T5863] do_new_mount+0x28f/0xae0 [ 177.402983][ T5863] ? do_move_mount_old+0x170/0x170 [ 177.408086][ T5863] ? user_path_at_empty+0x12f/0x180 [ 177.413272][ T5863] __se_sys_mount+0x2d9/0x3c0 [ 177.417943][ T5863] ? __x64_sys_mount+0xc0/0xc0 [ 177.422694][ T5863] ? syscall_enter_from_user_mode+0x32/0x230 [ 177.428668][ T5863] ? __x64_sys_mount+0x20/0xc0 [ 177.433421][ T5863] do_syscall_64+0x41/0xc0 [ 177.437828][ T5863] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 177.443805][ T5863] RIP: 0033:0x7f79473960aa [ 177.448338][ T5863] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 177.468192][ T5863] RSP: 002b:00007f7947351028 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 177.476593][ T5863] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f79473960aa [ 177.484724][ T5863] RDX: 000000002001f6c0 RSI: 000000002001f640 RDI: 00007f7947351080 [ 177.492683][ T5863] RBP: 000000002001f6c0 R08: 00007f79473510c0 R09: 000000000001f63f [ 177.500641][ T5863] R10: 0000000000008703 R11: 0000000000000286 R12: 00007f7947351080 [ 177.508601][ T5863] R13: 000000002001f640 R14: 000000000001f646 R15: 00007f79473510c0 [ 177.516568][ T5863] [ 177.519766][ T5863] Kernel Offset: disabled [ 177.524077][ T5863] Rebooting in 86400 seconds..