./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor532556070
<...>
DUID 00:04:e6:bc:8e:bc:c3:7a:f3:fc:35:c5:a5:4f:9b:64:01:ce
forked to background, child pid 4658
[ 51.003487][ T4659] 8021q: adding VLAN 0 to HW filter on device bond0
[ 51.018198][ T4659] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.32' (ECDSA) to the list of known hosts.
execve("./syz-executor532556070", ["./syz-executor532556070"], 0x7ffe8e5e5dd0 /* 10 vars */) = 0
brk(NULL) = 0x555556de3000
brk(0x555556de3c40) = 0x555556de3c40
arch_prctl(ARCH_SET_FS, 0x555556de3300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor532556070", 4096) = 27
brk(0x555556e04c40) = 0x555556e04c40
brk(0x555556e05000) = 0x555556e05000
mprotect(0x7fc13ab67000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid() = 5084
mkdir("./syzkaller.woba9E", 0700) = 0
chmod("./syzkaller.woba9E", 0777) = 0
chdir("./syzkaller.woba9E") = 0
mkdir("./0", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556de35d0) = 5085
./strace-static-x86_64: Process 5085 attached
[pid 5085] chdir("./0") = 0
[pid 5085] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5085] setpgid(0, 0) = 0
[pid 5085] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5085] write(3, "1000", 4) = 4
[pid 5085] close(3) = 0
[pid 5085] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5085] memfd_create("syzkaller", 0) = 3
[pid 5085] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc1326ab000
syzkaller login: [ 75.918731][ T5085] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5085 'syz-executor532'
[pid 5085] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid 5085] munmap(0x7fc1326ab000, 4194304) = 0
[pid 5085] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5085] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5085] close(3) = 0
[pid 5085] mkdir("./file0", 0777) = 0
[ 75.995722][ T5085] loop0: detected capacity change from 0 to 8192
[ 76.009274][ T5085] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 76.022421][ T5085] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 76.032090][ T5085] REISERFS (device loop0): using ordered data mode
[ 76.038801][ T5085] reiserfs: using flush barriers
[ 76.045867][ T5085] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 76.062906][ T5085] REISERFS (device loop0): checking transaction log (loop0)
[pid 5085] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0
[pid 5085] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5085] chdir("./file0") = 0
[pid 5085] ioctl(4, LOOP_CLR_FD) = 0
[pid 5085] close(4) = 0
[pid 5085] open(".", O_RDONLY) = 4
[pid 5085] getdents64(4, NULL /* 0 entries */, 0) = 0
[pid 5085] exit_group(0) = ?
[pid 5085] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5085, si_uid=0, si_status=0, si_utime=0, si_stime=15 /* 0.15 s */} ---
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x555556de4620 /* 4 entries */, 32768) = 112
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./0/binderfs") = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x555556dec660 /* 2 entries */, 32768) = 48
getdents64(4, 0x555556dec660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./0/file0") = 0
getdents64(3, 0x555556de4620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./0") = 0
mkdir("./1", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = 0
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556de35d0) = 5088
./strace-static-x86_64: Process 5088 attached
[pid 5088] chdir("./1") = 0
[pid 5088] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5088] setpgid(0, 0) = 0
[pid 5088] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5088] write(3, "1000", 4) = 4
[pid 5088] close(3) = 0
[ 76.122391][ T5085] REISERFS (device loop0): Using r5 hash to sort names
[pid 5088] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5088] memfd_create("syzkaller", 0) = 3
[pid 5088] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc1326ab000
[pid 5088] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid 5088] munmap(0x7fc1326ab000, 4194304) = 0
[pid 5088] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5088] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5088] close(3) = 0
[pid 5088] mkdir("./file0", 0777) = 0
[ 76.266387][ T5088] loop0: detected capacity change from 0 to 8192
[ 76.277725][ T5088] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 76.291054][ T5088] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 76.300384][ T5088] REISERFS (device loop0): using ordered data mode
[ 76.307052][ T5088] reiserfs: using flush barriers
[ 76.313011][ T5088] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 76.329860][ T5088] REISERFS (device loop0): checking transaction log (loop0)
[pid 5088] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0
[pid 5088] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5088] chdir("./file0") = 0
[pid 5088] ioctl(4, LOOP_CLR_FD) = 0
[pid 5088] close(4) = 0
[pid 5088] open(".", O_RDONLY) = 4
[pid 5088] getdents64(4, NULL /* 0 entries */, 0) = 0
[pid 5088] exit_group(0) = ?
[pid 5088] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5088, si_uid=0, si_status=0, si_utime=0, si_stime=15 /* 0.15 s */} ---
umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x555556de4620 /* 4 entries */, 32768) = 112
umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./1/binderfs") = 0
[ 76.388125][ T5088] REISERFS (device loop0): Using r5 hash to sort names
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x555556dec660 /* 2 entries */, 32768) = 48
getdents64(4, 0x555556dec660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./1/file0") = 0
getdents64(3, 0x555556de4620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./1") = 0
mkdir("./2", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556de35d0) = 5090
./strace-static-x86_64: Process 5090 attached
[pid 5090] chdir("./2") = 0
[pid 5090] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5090] setpgid(0, 0) = 0
[pid 5090] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5090] write(3, "1000", 4) = 4
[pid 5090] close(3) = 0
[pid 5090] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5090] memfd_create("syzkaller", 0) = 3
[pid 5090] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc1326ab000
[pid 5090] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid 5090] munmap(0x7fc1326ab000, 4194304) = 0
[pid 5090] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5090] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5090] close(3) = 0
[pid 5090] mkdir("./file0", 0777) = 0
[ 76.569667][ T5090] loop0: detected capacity change from 0 to 8192
[ 76.580305][ T5090] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 76.593927][ T5090] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 76.603577][ T5090] REISERFS (device loop0): using ordered data mode
[ 76.610442][ T5090] reiserfs: using flush barriers
[ 76.617325][ T5090] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 76.634097][ T5090] REISERFS (device loop0): checking transaction log (loop0)
[pid 5090] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0
[pid 5090] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5090] chdir("./file0") = 0
[pid 5090] ioctl(4, LOOP_CLR_FD) = 0
[pid 5090] close(4) = 0
[pid 5090] open(".", O_RDONLY) = 4
[pid 5090] getdents64(4, NULL /* 0 entries */, 0) = 0
[pid 5090] exit_group(0) = ?
[pid 5090] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5090, si_uid=0, si_status=0, si_utime=0, si_stime=15 /* 0.15 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x555556de4620 /* 4 entries */, 32768) = 112
umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./2/binderfs") = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x555556dec660 /* 2 entries */, 32768) = 48
getdents64(4, 0x555556dec660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./2/file0") = 0
getdents64(3, 0x555556de4620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./2") = 0
mkdir("./3", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = 0
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5092 attached
, child_tidptr=0x555556de35d0) = 5092
[pid 5092] chdir("./3") = 0
[pid 5092] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5092] setpgid(0, 0) = 0
[pid 5092] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5092] write(3, "1000", 4) = 4
[pid 5092] close(3) = 0
[pid 5092] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5092] memfd_create("syzkaller", 0) = 3
[pid 5092] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc1326ab000
[ 76.700454][ T5090] REISERFS (device loop0): Using r5 hash to sort names
[pid 5092] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid 5092] munmap(0x7fc1326ab000, 4194304) = 0
[pid 5092] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5092] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5092] close(3) = 0
[pid 5092] mkdir("./file0", 0777) = 0
[ 76.841243][ T5092] loop0: detected capacity change from 0 to 8192
[ 76.853016][ T5092] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 76.866513][ T5092] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 76.875745][ T5092] REISERFS (device loop0): using ordered data mode
[ 76.882613][ T5092] reiserfs: using flush barriers
[ 76.888918][ T5092] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 76.905635][ T5092] REISERFS (device loop0): checking transaction log (loop0)
[pid 5092] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0
[pid 5092] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5092] chdir("./file0") = 0
[pid 5092] ioctl(4, LOOP_CLR_FD) = 0
[pid 5092] close(4) = 0
[pid 5092] open(".", O_RDONLY) = 4
[pid 5092] getdents64(4, NULL /* 0 entries */, 0) = 0
[pid 5092] exit_group(0) = ?
[pid 5092] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5092, si_uid=0, si_status=0, si_utime=0, si_stime=16 /* 0.16 s */} ---
umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x555556de4620 /* 4 entries */, 32768) = 112
umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./3/binderfs") = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x555556dec660 /* 2 entries */, 32768) = 48
getdents64(4, 0x555556dec660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./3/file0") = 0
getdents64(3, 0x555556de4620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./3") = 0
mkdir("./4", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
[ 76.964968][ T5092] REISERFS (device loop0): Using r5 hash to sort names
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556de35d0) = 5094
./strace-static-x86_64: Process 5094 attached
[pid 5094] chdir("./4") = 0
[pid 5094] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5094] setpgid(0, 0) = 0
[pid 5094] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5094] write(3, "1000", 4) = 4
[pid 5094] close(3) = 0
[pid 5094] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5094] memfd_create("syzkaller", 0) = 3
[pid 5094] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc1326ab000
[pid 5094] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid 5094] munmap(0x7fc1326ab000, 4194304) = 0
[pid 5094] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5094] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5094] close(3) = 0
[pid 5094] mkdir("./file0", 0777) = 0
[ 77.128766][ T5094] loop0: detected capacity change from 0 to 8192
[ 77.139609][ T5094] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 77.153033][ T5094] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 77.162959][ T5094] REISERFS (device loop0): using ordered data mode
[ 77.169917][ T5094] reiserfs: using flush barriers
[ 77.175917][ T5094] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 77.193531][ T5094] REISERFS (device loop0): checking transaction log (loop0)
[pid 5094] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0
[pid 5094] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5094] chdir("./file0") = 0
[pid 5094] ioctl(4, LOOP_CLR_FD) = 0
[pid 5094] close(4) = 0
[pid 5094] open(".", O_RDONLY) = 4
[pid 5094] getdents64(4, NULL /* 0 entries */, 0) = 0
[pid 5094] exit_group(0) = ?
[pid 5094] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5094, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=14 /* 0.14 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x555556de4620 /* 4 entries */, 32768) = 112
umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./4/binderfs") = 0
[ 77.248978][ T5094] REISERFS (device loop0): Using r5 hash to sort names
umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./4/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./4/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x555556dec660 /* 2 entries */, 32768) = 48
getdents64(4, 0x555556dec660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./4/file0") = 0
getdents64(3, 0x555556de4620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./4") = 0
mkdir("./5", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556de35d0) = 5096
./strace-static-x86_64: Process 5096 attached
[pid 5096] chdir("./5") = 0
[pid 5096] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5096] setpgid(0, 0) = 0
[pid 5096] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5096] write(3, "1000", 4) = 4
[pid 5096] close(3) = 0
[pid 5096] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5096] memfd_create("syzkaller", 0) = 3
[pid 5096] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc1326ab000
[pid 5096] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid 5096] munmap(0x7fc1326ab000, 4194304) = 0
[pid 5096] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5096] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5096] close(3) = 0
[pid 5096] mkdir("./file0", 0777) = 0
[ 77.421492][ T5096] loop0: detected capacity change from 0 to 8192
[ 77.432691][ T5096] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 77.445792][ T5096] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 77.455125][ T5096] REISERFS (device loop0): using ordered data mode
[ 77.461958][ T5096] reiserfs: using flush barriers
[ 77.468295][ T5096] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 77.484887][ T5096] REISERFS (device loop0): checking transaction log (loop0)
[pid 5096] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0
[pid 5096] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5096] chdir("./file0") = 0
[pid 5096] ioctl(4, LOOP_CLR_FD) = 0
[pid 5096] close(4) = 0
[pid 5096] open(".", O_RDONLY) = 4
[ 77.544540][ T5096] REISERFS (device loop0): Using r5 hash to sort names
[ 77.579124][ T5096] ==================================================================
[ 77.587264][ T5096] BUG: KASAN: use-after-free in reiserfs_readdir_inode+0xb0d/0x13b0
[ 77.595284][ T5096] Read of size 8 at addr ffff88807384d000 by task syz-executor532/5096
[ 77.603528][ T5096]
[ 77.605868][ T5096] CPU: 0 PID: 5096 Comm: syz-executor532 Not tainted 6.3.0-rc2-next-20230317-syzkaller #0
[ 77.615766][ T5096] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 77.625827][ T5096] Call Trace:
[ 77.629141][ T5096]
[ 77.632104][ T5096] dump_stack_lvl+0xd9/0x150
[ 77.636750][ T5096] print_address_description.constprop.0+0x2c/0x3c0
[ 77.643392][ T5096] ? reiserfs_readdir_inode+0xb0d/0x13b0
[ 77.649220][ T5096] kasan_report+0x11c/0x130
[ 77.653746][ T5096] ? reiserfs_readdir_inode+0xb0d/0x13b0
[ 77.659428][ T5096] kasan_check_range+0x141/0x190
[ 77.664401][ T5096] reiserfs_readdir_inode+0xb0d/0x13b0
[ 77.669925][ T5096] ? reiserfs_dir_fsync+0x140/0x140
[ 77.675165][ T5096] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 77.681171][ T5096] ? __down_read_common+0x884/0xf30
[ 77.686404][ T5096] ? trace_lock_acquire+0x12d/0x180
[ 77.691649][ T5096] ? iterate_dir+0xd1/0x6f0
[ 77.696436][ T5096] ? lock_acquire+0x32/0xc0
[ 77.700974][ T5096] ? iterate_dir+0xd1/0x6f0
[ 77.705548][ T5096] iterate_dir+0x56e/0x6f0
[ 77.710035][ T5096] __x64_sys_getdents64+0x13e/0x2c0
[ 77.715282][ T5096] ? __ia32_sys_getdents+0x2c0/0x2c0
[ 77.720690][ T5096] ? compat_filldir+0x6b0/0x6b0
[ 77.725566][ T5096] ? lockdep_hardirqs_on+0x7d/0x100
[ 77.730811][ T5096] ? _raw_spin_unlock_irq+0x2e/0x50
[ 77.736069][ T5096] ? ptrace_notify+0xfe/0x140
[ 77.740888][ T5096] do_syscall_64+0x39/0xb0
[ 77.745346][ T5096] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 77.751282][ T5096] RIP: 0033:0x7fc13aaf8939
[ 77.755724][ T5096] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 77.775374][ T5096] RSP: 002b:00007ffe499b2a68 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 77.783909][ T5096] RAX: ffffffffffffffda RBX: 0000000000012701 RCX: 00007fc13aaf8939
[ 77.791899][ T5096] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 77.799884][ T5096] RBP: 0000000000000000 R08: 00007ffe499b2a90 R09: 00007ffe499b2a90
[ 77.807871][ T5096] R10: 0000000000001131 R11: 0000000000000246 R12: 00007ffe499b2a8c
[ 77.815855][ T5096] R13: 00007ffe499b2ac0 R14: 00007ffe499b2aa0 R15: 0000000000000005
[ 77.823867][ T5096]
[ 77.826905][ T5096]
[ 77.829240][ T5096] The buggy address belongs to the physical page:
[ 77.835677][ T5096] page:ffffea0001ce1340 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7384d
[ 77.845852][ T5096] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 77.852977][ T5096] page_type: 0xffffffff()
[ 77.857343][ T5096] raw: 00fff00000000000 ffffea0001ce1388 ffff8880b9943620 0000000000000000
[ 77.865957][ T5096] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 77.874565][ T5096] page dumped because: kasan: bad access detected
[ 77.880987][ T5096] page_owner tracks the page as freed
[ 77.886363][ T5096] page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5086, tgid 5086 (udevd), ts 77632421048, free_ts 77634242475
[ 77.903490][ T5096] get_page_from_freelist+0xf75/0x2ab0
[ 77.908978][ T5096] __alloc_pages+0x1cb/0x4a0
[ 77.913627][ T5096] __folio_alloc+0x16/0x40
[ 77.918068][ T5096] vma_alloc_folio+0x155/0x850
[ 77.922854][ T5096] shmem_alloc_folio+0x119/0x1e0
[ 77.927810][ T5096] shmem_alloc_and_acct_folio+0x15e/0x5d0
[ 77.933789][ T5096] shmem_get_folio_gfp+0xa86/0x1a80
[ 77.939135][ T5096] shmem_write_begin+0x14a/0x380
[ 77.944185][ T5096] generic_perform_write+0x256/0x570
[ 77.950275][ T5096] __generic_file_write_iter+0x2ae/0x500
[ 77.955946][ T5096] generic_file_write_iter+0xe3/0x350
[ 77.961352][ T5096] vfs_write+0x9f6/0xe20
[ 77.965635][ T5096] ksys_write+0x12b/0x250
[ 77.970031][ T5096] do_syscall_64+0x39/0xb0
[ 77.974465][ T5096] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 77.980494][ T5096] page last free stack trace:
[ 77.985178][ T5096] free_unref_page_prepare+0x4d1/0xb60
[ 77.990849][ T5096] free_unref_page_list+0xe3/0xa70
[ 77.996002][ T5096] release_pages+0xcd7/0x1380
[ 78.000710][ T5096] __pagevec_release+0x77/0xe0
[ 78.005510][ T5096] shmem_undo_range+0x5c0/0x1350
[ 78.010477][ T5096] shmem_evict_inode+0x32f/0xb60
[ 78.015475][ T5096] evict+0x2ed/0x6b0
[ 78.019404][ T5096] iput+0x4a7/0x7a0
[ 78.023244][ T5096] dentry_unlink_inode+0x2b1/0x460
[ 78.028389][ T5096] __dentry_kill+0x3c0/0x640
[ 78.033015][ T5096] dput+0x6ac/0xe10
[ 78.036872][ T5096] do_renameat2+0xb72/0xc90
[ 78.041397][ T5096] __x64_sys_rename+0x81/0xa0
[ 78.046098][ T5096] do_syscall_64+0x39/0xb0
[ 78.050532][ T5096] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 78.056477][ T5096]
[ 78.058813][ T5096] Memory state around the buggy address:
[ 78.064480][ T5096] ffff88807384cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 78.072559][ T5096] ffff88807384cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 78.080645][ T5096] >ffff88807384d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 78.088727][ T5096] ^
[ 78.092814][ T5096] ffff88807384d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 78.100903][ T5096] ffff88807384d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 78.108989][ T5096] ==================================================================
[ 78.120543][ T5096] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 78.127874][ T5096] CPU: 0 PID: 5096 Comm: syz-executor532 Not tainted 6.3.0-rc2-next-20230317-syzkaller #0
[ 78.137787][ T5096] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 78.147853][ T5096] Call Trace:
[ 78.151140][ T5096]
[ 78.154108][ T5096] dump_stack_lvl+0xd9/0x150
[ 78.158727][ T5096] panic+0x688/0x730
[ 78.162645][ T5096] ? panic_smp_self_stop+0x90/0x90
[ 78.167781][ T5096] ? preempt_schedule_thunk+0x1a/0x20
[ 78.173184][ T5096] ? preempt_schedule_common+0x45/0xb0
[ 78.178766][ T5096] check_panic_on_warn+0xb1/0xc0
[ 78.183739][ T5096] end_report+0xe9/0x120
[ 78.188010][ T5096] ? reiserfs_readdir_inode+0xb0d/0x13b0
[ 78.193668][ T5096] kasan_report+0xf9/0x130
[ 78.198138][ T5096] ? reiserfs_readdir_inode+0xb0d/0x13b0
[ 78.203812][ T5096] kasan_check_range+0x141/0x190
[ 78.208778][ T5096] reiserfs_readdir_inode+0xb0d/0x13b0
[ 78.214277][ T5096] ? reiserfs_dir_fsync+0x140/0x140
[ 78.219512][ T5096] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 78.225520][ T5096] ? __down_read_common+0x884/0xf30
[ 78.230753][ T5096] ? trace_lock_acquire+0x12d/0x180
[ 78.236002][ T5096] ? iterate_dir+0xd1/0x6f0
[ 78.240527][ T5096] ? lock_acquire+0x32/0xc0
[ 78.245052][ T5096] ? iterate_dir+0xd1/0x6f0
[ 78.249580][ T5096] iterate_dir+0x56e/0x6f0
[ 78.254036][ T5096] __x64_sys_getdents64+0x13e/0x2c0
[ 78.259267][ T5096] ? __ia32_sys_getdents+0x2c0/0x2c0
[ 78.264577][ T5096] ? compat_filldir+0x6b0/0x6b0
[ 78.269453][ T5096] ? lockdep_hardirqs_on+0x7d/0x100
[ 78.274708][ T5096] ? _raw_spin_unlock_irq+0x2e/0x50
[ 78.279938][ T5096] ? ptrace_notify+0xfe/0x140
[ 78.284635][ T5096] do_syscall_64+0x39/0xb0
[ 78.289066][ T5096] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 78.294991][ T5096] RIP: 0033:0x7fc13aaf8939
[ 78.299419][ T5096] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 78.319039][ T5096] RSP: 002b:00007ffe499b2a68 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 78.327470][ T5096] RAX: ffffffffffffffda RBX: 0000000000012701 RCX: 00007fc13aaf8939
[ 78.335558][ T5096] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 78.343543][ T5096] RBP: 0000000000000000 R08: 00007ffe499b2a90 R09: 00007ffe499b2a90
[ 78.351530][ T5096] R10: 0000000000001131 R11: 0000000000000246 R12: 00007ffe499b2a8c
[ 78.359516][ T5096] R13: 00007ffe499b2ac0 R14: 00007ffe499b2aa0 R15: 0000000000000005
[ 78.367532][ T5096]
[ 78.370799][ T5096] Kernel Offset: disabled
[ 78.375143][ T5096] Rebooting in 86400 seconds..