./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2401493061 <...> Warning: Permanently added '10.128.0.237' (ED25519) to the list of known hosts. execve("./syz-executor2401493061", ["./syz-executor2401493061"], 0x7ffe2d7a73f0 /* 10 vars */) = 0 brk(NULL) = 0x55558b8c0000 brk(0x55558b8c0d00) = 0x55558b8c0d00 arch_prctl(ARCH_SET_FS, 0x55558b8c0380) = 0 set_tid_address(0x55558b8c0650) = 5866 set_robust_list(0x55558b8c0660, 24) = 0 rseq(0x55558b8c0ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2401493061", 4096) = 28 getrandom("\x04\xfa\x61\xfc\x66\x3c\x61\x22", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55558b8c0d00 brk(0x55558b8e1d00) = 0x55558b8e1d00 brk(0x55558b8e2000) = 0x55558b8e2000 mprotect(0x7f575ccd8000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 mkdir("./syzkaller.kFVGIl", 0700) = 0 chmod("./syzkaller.kFVGIl", 0777) = 0 chdir("./syzkaller.kFVGIl") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5867 attached [pid 5867] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5866] <... clone resumed>, child_tidptr=0x55558b8c0650) = 5867 [pid 5867] chdir("./0") = 0 [pid 5867] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5867] setpgid(0, 0) = 0 [pid 5867] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5867] write(3, "1000", 4) = 4 [pid 5867] close(3) = 0 [pid 5867] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5867] write(1, "executing program\n", 18executing program ) = 18 [pid 5867] memfd_create("syzkaller", 0) = 3 [pid 5867] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5867] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5867] munmap(0x7f5754600000, 138412032) = 0 [pid 5867] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5867] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5867] close(3) = 0 [pid 5867] close(4) = 0 [pid 5867] mkdir("./file0", 0777) = 0 [ 93.554314][ T5867] loop0: detected capacity change from 0 to 32768 [ 93.596614][ T5867] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 93.605935][ T5867] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 93.630090][ T5867] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 93.641144][ T980] gfs2: fsid=loop0.0: jid=0, already locked for use [ 93.648866][ T980] gfs2: fsid=loop0.0: jid=0: Looking at journal... [ 93.684165][ T980] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 35ms [pid 5867] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5867] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5867] chdir("./file0") = 0 [pid 5867] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5867] memfd_create("syzkaller", 0) = 4 [ 93.693519][ T980] gfs2: fsid=loop0.0: jid=0: Done [ 93.699560][ T5867] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5867] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5867] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5867] munmap(0x7f5754600000, 138412032) = 0 [pid 5867] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5867] close(4) = 0 [pid 5867] exit_group(0) = ? [pid 5867] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5867, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=59 /* 0.59 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file0") = 0 umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5872 attached , child_tidptr=0x55558b8c0650) = 5872 [pid 5872] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5872] chdir("./1") = 0 [pid 5872] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5872] setpgid(0, 0) = 0 [pid 5872] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5872] write(3, "1000", 4) = 4 [pid 5872] close(3) = 0 [pid 5872] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5872] write(1, "executing program\n", 18) = 18 [pid 5872] memfd_create("syzkaller", 0) = 3 [pid 5872] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5872] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5872] munmap(0x7f5754600000, 138412032) = 0 [pid 5872] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5872] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5872] close(3) = 0 [pid 5872] close(4) = 0 [pid 5872] mkdir("./file0", 0777) = 0 [ 94.851080][ T5872] loop0: detected capacity change from 0 to 32768 [ 94.893291][ T5872] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 94.903788][ T5872] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 94.918663][ T5872] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 94.931010][ T55] gfs2: fsid=loop0.0: jid=0, already locked for use [ 94.938582][ T55] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5872] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5872] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5872] chdir("./file0") = 0 [pid 5872] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5872] memfd_create("syzkaller", 0) = 4 [ 94.973636][ T55] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 35ms [ 94.981880][ T55] gfs2: fsid=loop0.0: jid=0: Done [ 94.987552][ T5872] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5872] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5872] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5872] munmap(0x7f5754600000, 138412032) = 0 [pid 5872] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5872] close(4) = 0 [pid 5872] exit_group(0) = ? [pid 5872] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5872, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=59 /* 0.59 s */} --- umount2("./1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file0") = 0 umount2("./1/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5875 attached , child_tidptr=0x55558b8c0650) = 5875 [pid 5875] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5875] chdir("./2") = 0 [pid 5875] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5875] setpgid(0, 0) = 0 [pid 5875] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5875] write(3, "1000", 4) = 4 [pid 5875] close(3) = 0 [pid 5875] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5875] write(1, "executing program\n", 18) = 18 [pid 5875] memfd_create("syzkaller", 0) = 3 [pid 5875] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5875] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5875] munmap(0x7f5754600000, 138412032) = 0 [pid 5875] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5875] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5875] close(3) = 0 [pid 5875] close(4) = 0 [pid 5875] mkdir("./file0", 0777) = 0 [ 96.115296][ T5875] loop0: detected capacity change from 0 to 32768 [ 96.156974][ T5875] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 96.168401][ T5875] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 96.186463][ T5875] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 96.198008][ T55] gfs2: fsid=loop0.0: jid=0, already locked for use [ 96.205188][ T55] gfs2: fsid=loop0.0: jid=0: Looking at journal... [ 96.231235][ T55] kworker/0:2: attempt to access beyond end of device [ 96.231235][ T55] loop0: rw=0, sector=67113728, nr_sectors = 8 limit=32768 [pid 5875] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = -1 EIO (Input/output error) [pid 5875] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5875] ioctl(3, LOOP_CLR_FD) = 0 [ 96.259615][ T55] gfs2: fsid=loop0.0: jid=0: Failed [ 96.266093][ T5875] gfs2: fsid=loop0.0: error recovering journal 0: -5 [pid 5875] close(3) = 0 [pid 5875] memfd_create("syzkaller", 0) = 3 [pid 5875] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5875] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5875] munmap(0x7f5754600000, 138412032) = 0 [pid 5875] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5875] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5875] close(3) = 0 [pid 5875] close(4) = 0 [pid 5875] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 96.685149][ T5875] loop0: detected capacity change from 0 to 32768 [ 96.713026][ T5875] gfs2: fsid=norecovery: Trying to join cluster "lock_nolock", "norecovery" [ 96.724766][ T5875] gfs2: fsid=norecovery: Now mounting FS (format 0)... [ 96.739598][ T5875] syz-executor240: attempt to access beyond end of device [ 96.739598][ T5875] loop0: rw=12288, sector=18446744073709551608, nr_sectors = 8 limit=32768 [ 96.759492][ T5875] gfs2: fsid=norecovery.s: fatal: filesystem consistency error - inode = 1 19, function = gfs2_jdesc_check, file = fs/gfs2/super.c, line = 119 [ 96.775196][ T5875] gfs2: fsid=norecovery.s: G: s:SH n:2/13 f:aqob t:SH d:EX/0 a:0 v:0 r:2 m:20 p:2 [ 96.785413][ T5875] gfs2: fsid=norecovery.s: H: s:SH f:eEcH e:0 p:5875 [syz-executor240] init_journal+0x17f8/0x2260 [ 96.796664][ T5875] gfs2: fsid=norecovery.s: I: n:1/19 t:8 f:0x00 d:0x00000200 s:8388608 p:0 [ 96.805827][ T5875] gfs2: fsid=norecovery.s: about to withdraw this file system [ 96.813683][ T5875] gfs2: fsid=norecovery.s: Journal recovery skipped for jid 0 until next mount. [ 96.823161][ T5875] gfs2: fsid=norecovery.s: Glock dequeues delayed: 0 [ 96.830840][ T5875] gfs2: fsid=norecovery.s: File system withdrawn [ 96.837946][ T5875] CPU: 1 UID: 0 PID: 5875 Comm: syz-executor240 Not tainted 6.16.0-next-20250804-syzkaller #0 PREEMPT(full) [ 96.837975][ T5875] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 96.837996][ T5875] Call Trace: [ 96.838008][ T5875] [ 96.838019][ T5875] dump_stack_lvl+0x189/0x250 [ 96.838055][ T5875] ? __pfx_dump_stack_lvl+0x10/0x10 [ 96.838077][ T5875] ? __pfx__printk+0x10/0x10 [ 96.838104][ T5875] ? kobject_uevent_env+0x36b/0x8c0 [ 96.838140][ T5875] gfs2_withdraw+0xb30/0x1430 [ 96.838183][ T5875] ? __pfx_gfs2_withdraw+0x10/0x10 [ 96.838211][ T5875] ? __pfx_wake_up_bit+0x10/0x10 [ 96.838241][ T5875] ? gfs2_consist_inode_i+0xf5/0x110 [ 96.838270][ T5875] gfs2_jdesc_check+0x17d/0x2f0 [ 96.838303][ T5875] check_journal_clean+0x158/0x310 [ 96.838332][ T5875] ? __pfx_check_journal_clean+0x10/0x10 [ 96.838359][ T5875] ? init_journal+0x17f8/0x2260 [ 96.838394][ T5875] ? do_raw_spin_unlock+0x122/0x240 [ 96.838422][ T5875] ? _raw_spin_unlock+0x28/0x50 [ 96.838445][ T5875] ? gfs2_jdesc_find+0xab/0xc0 [ 96.838475][ T5875] init_journal+0x17f8/0x2260 [ 96.838511][ T5875] ? init_inodes+0xdb/0x320 [ 96.838543][ T5875] ? __pfx_init_journal+0x10/0x10 [ 96.838574][ T5875] ? vsnprintf+0xe11/0xf00 [ 96.838689][ T5875] ? snprintf+0xda/0x120 [ 96.838751][ T5875] ? init_inodes+0xdb/0x320 [ 96.838783][ T5875] ? __pfx_snprintf+0x10/0x10 [ 96.838811][ T5875] ? gfs2_glock_nq_num+0x13d/0x170 [ 96.838843][ T5875] init_inodes+0xdb/0x320 [ 96.838874][ T5875] gfs2_fill_super+0x1923/0x20d0 [ 96.838942][ T5875] ? __pfx_gfs2_fill_super+0x10/0x10 [ 96.838978][ T5875] ? init_locking+0xb8/0x210 [ 96.839003][ T5875] ? sb_set_blocksize+0x104/0x180 [ 96.839034][ T5875] ? setup_bdev_super+0x4c1/0x5b0 [ 96.839073][ T5875] get_tree_bdev_flags+0x40e/0x4d0 [ 96.839101][ T5875] ? __pfx_gfs2_fill_super+0x10/0x10 [ 96.839129][ T5875] ? __pfx_get_tree_bdev_flags+0x10/0x10 [ 96.839170][ T5875] gfs2_get_tree+0x51/0x1e0 [ 96.839200][ T5875] vfs_get_tree+0x92/0x2b0 [ 96.839231][ T5875] do_new_mount+0x2a2/0x9e0 [ 96.839266][ T5875] ? ns_capable+0x8a/0xf0 [ 96.839304][ T5875] ? __pfx_do_new_mount+0x10/0x10 [ 96.839335][ T5875] ? path_mount+0x61c/0xfe0 [ 96.839363][ T5875] ? user_path_at+0x44/0x60 [ 96.839397][ T5875] __se_sys_mount+0x317/0x410 [ 96.839436][ T5875] ? __pfx___se_sys_mount+0x10/0x10 [ 96.839464][ T5875] ? rcu_is_watching+0x15/0xb0 [ 96.839492][ T5875] ? __x64_sys_mount+0x20/0xc0 [ 96.839526][ T5875] do_syscall_64+0xfa/0x3b0 [ 96.839556][ T5875] ? lockdep_hardirqs_on+0x9c/0x150 [ 96.839584][ T5875] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 96.839606][ T5875] ? clear_bhb_loop+0x60/0xb0 [ 96.839630][ T5875] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 96.839649][ T5875] RIP: 0033:0x7f575cc41a6a [ 96.839689][ T5875] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 96.839714][ T5875] RSP: 002b:00007ffd8687bd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 96.839736][ T5875] RAX: ffffffffffffffda RBX: 00007ffd8687bdc0 RCX: 00007f575cc41a6a [ 96.839751][ T5875] RDX: 0000200000000400 RSI: 0000200000012500 RDI: 00007ffd8687bdc0 [pid 5875] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_RELATIME, "norecovery,suiddir,noloccookie,norecovery,quota=off,data=writeback,data=writeback,upgrade,loccookie,"...) = -1 EIO (Input/output error) [pid 5875] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5875] ioctl(3, LOOP_CLR_FD) = 0 [ 96.839765][ T5875] RBP: 0000200000012500 R08: 00007ffd8687be00 R09: 00007ffd8687be00 [ 96.839779][ T5875] R10: 0000000000200001 R11: 0000000000000246 R12: 0000200000000400 [ 96.839792][ T5875] R13: 00007ffd8687be00 R14: 00000000000125bb R15: 0000200000000180 [ 96.839826][ T5875] [ 96.839835][ T5875] gfs2: fsid=norecovery.s: Error checking journal for spectator mount. [pid 5875] close(3) = 0 [pid 5875] exit_group(0) = ? [pid 5875] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5875, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=123 /* 1.23 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./2/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file0") = 0 umount2("./2/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 97.479225][ T43] cfg80211: failed to load regulatory.db unlink("./2/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5884 attached [pid 5884] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5866] <... clone resumed>, child_tidptr=0x55558b8c0650) = 5884 [pid 5884] chdir("./3") = 0 [pid 5884] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5884] setpgid(0, 0) = 0 [pid 5884] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5884] write(3, "1000", 4) = 4 [pid 5884] close(3) = 0 [pid 5884] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5884] write(1, "executing program\n", 18) = 18 [pid 5884] memfd_create("syzkaller", 0) = 3 [pid 5884] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5884] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5884] munmap(0x7f5754600000, 138412032) = 0 [pid 5884] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5884] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5884] close(3) = 0 [pid 5884] close(4) = 0 [pid 5884] mkdir("./file0", 0777) = 0 [ 97.981545][ T5884] loop0: detected capacity change from 0 to 32768 [ 98.023875][ T5884] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 98.033679][ T5884] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 98.058266][ T5884] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 2ms [ 98.069549][ T43] gfs2: fsid=loop0.0: jid=0, already locked for use [ 98.077005][ T43] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5884] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5884] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5884] chdir("./file0") = 0 [pid 5884] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 98.121200][ T43] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 44ms [ 98.130886][ T43] gfs2: fsid=loop0.0: jid=0: Done [ 98.136231][ T5884] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5884] memfd_create("syzkaller", 0) = 4 [pid 5884] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5884] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5884] munmap(0x7f5754600000, 138412032) = 0 [pid 5884] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5884] close(4) = 0 [pid 5884] exit_group(0) = ? [pid 5884] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5884, si_uid=0, si_status=0, si_utime=6 /* 0.06 s */, si_stime=57 /* 0.57 s */} --- umount2("./3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./3/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./3/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file0") = 0 umount2("./3/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5889 attached , child_tidptr=0x55558b8c0650) = 5889 [pid 5889] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5889] chdir("./4") = 0 [pid 5889] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5889] setpgid(0, 0) = 0 [pid 5889] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5889] write(3, "1000", 4) = 4 [pid 5889] close(3) = 0 [pid 5889] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5889] write(1, "executing program\n", 18) = 18 [pid 5889] memfd_create("syzkaller", 0) = 3 [pid 5889] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5889] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5889] munmap(0x7f5754600000, 138412032) = 0 [pid 5889] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5889] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5889] close(3) = 0 [pid 5889] close(4) = 0 [pid 5889] mkdir("./file0", 0777) = 0 [ 99.372676][ T5889] loop0: detected capacity change from 0 to 32768 [ 99.410952][ T5889] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 99.424842][ T5889] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 99.450977][ T5889] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 99.461478][ T55] gfs2: fsid=loop0.0: jid=0, already locked for use [ 99.469365][ T55] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5889] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5889] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5889] chdir("./file0") = 0 [pid 5889] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5889] memfd_create("syzkaller", 0) = 4 [ 99.501255][ T55] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 31ms [ 99.510095][ T55] gfs2: fsid=loop0.0: jid=0: Done [ 99.516375][ T5889] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5889] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5889] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5889] munmap(0x7f5754600000, 138412032) = 0 [pid 5889] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5889] close(4) = 0 [pid 5889] exit_group(0) = ? [pid 5889] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5889, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=60 /* 0.60 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./4", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./4/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./4/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file0") = 0 umount2("./4/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5892 attached [pid 5892] set_robust_list(0x55558b8c0660, 24 [pid 5866] <... clone resumed>, child_tidptr=0x55558b8c0650) = 5892 [pid 5892] <... set_robust_list resumed>) = 0 [pid 5892] chdir("./5") = 0 [pid 5892] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5892] setpgid(0, 0) = 0 [pid 5892] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5892] write(3, "1000", 4) = 4 [pid 5892] close(3) = 0 [pid 5892] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5892] write(1, "executing program\n", 18executing program ) = 18 [pid 5892] memfd_create("syzkaller", 0) = 3 [pid 5892] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5892] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5892] munmap(0x7f5754600000, 138412032) = 0 [pid 5892] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5892] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5892] close(3) = 0 [pid 5892] close(4) = 0 [pid 5892] mkdir("./file0", 0777) = 0 [ 100.673362][ T5892] loop0: detected capacity change from 0 to 32768 [ 100.708856][ T5892] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 100.720141][ T5892] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 100.736408][ T5892] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 100.747600][ T55] gfs2: fsid=loop0.0: jid=0, already locked for use [ 100.755877][ T55] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5892] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5892] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5892] chdir("./file0") = 0 [pid 5892] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5892] memfd_create("syzkaller", 0) = 4 [pid 5892] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [ 100.788186][ T55] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 32ms [ 100.796148][ T55] gfs2: fsid=loop0.0: jid=0: Done [ 100.801980][ T5892] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5892] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5892] munmap(0x7f5754600000, 138412032) = 0 [pid 5892] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5892] close(4) = 0 [pid 5892] exit_group(0) = ? [pid 5892] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5892, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=59 /* 0.59 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./5", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./5/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./5/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file0") = 0 umount2("./5/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5895 attached [pid 5895] set_robust_list(0x55558b8c0660, 24 [pid 5866] <... clone resumed>, child_tidptr=0x55558b8c0650) = 5895 [pid 5895] <... set_robust_list resumed>) = 0 [pid 5895] chdir("./6") = 0 [pid 5895] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5895] setpgid(0, 0) = 0 [pid 5895] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5895] write(3, "1000", 4) = 4 [pid 5895] close(3) = 0 [pid 5895] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5895] write(1, "executing program\n", 18) = 18 [pid 5895] memfd_create("syzkaller", 0) = 3 [pid 5895] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5895] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5895] munmap(0x7f5754600000, 138412032) = 0 [pid 5895] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5895] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5895] close(3) = 0 [pid 5895] close(4) = 0 [pid 5895] mkdir("./file0", 0777) = 0 [ 101.965825][ T5895] loop0: detected capacity change from 0 to 32768 [ 102.017914][ T5895] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 102.026204][ T5895] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 102.043327][ T5895] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 102.054572][ T55] gfs2: fsid=loop0.0: jid=0, already locked for use [ 102.061778][ T55] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5895] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5895] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5895] chdir("./file0") = 0 [pid 5895] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5895] memfd_create("syzkaller", 0) = 4 [pid 5895] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [ 102.092880][ T55] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 31ms [ 102.101149][ T55] gfs2: fsid=loop0.0: jid=0: Done [ 102.123733][ T5895] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5895] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5895] munmap(0x7f5754600000, 138412032) = 0 [pid 5895] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5895] close(4) = 0 [pid 5895] exit_group(0) = ? [pid 5895] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5895, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=59 /* 0.59 s */} --- umount2("./6", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./6/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./6/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file0") = 0 umount2("./6/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5898 attached , child_tidptr=0x55558b8c0650) = 5898 [pid 5898] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5898] chdir("./7") = 0 [pid 5898] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5898] setpgid(0, 0) = 0 [pid 5898] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5898] write(3, "1000", 4) = 4 [pid 5898] close(3) = 0 [pid 5898] symlink("/dev/binderfs", "./binderfs"executing program ) = 0 [pid 5898] write(1, "executing program\n", 18) = 18 [pid 5898] memfd_create("syzkaller", 0) = 3 [pid 5898] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5898] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5898] munmap(0x7f5754600000, 138412032) = 0 [pid 5898] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5898] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5898] close(3) = 0 [pid 5898] close(4) = 0 [pid 5898] mkdir("./file0", 0777) = 0 [ 103.282321][ T5898] loop0: detected capacity change from 0 to 32768 [ 103.328230][ T5898] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 103.336763][ T5898] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 103.353708][ T5898] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 103.366457][ T43] gfs2: fsid=loop0.0: jid=0, already locked for use [ 103.374129][ T43] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5898] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5898] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5898] chdir("./file0") = 0 [ 103.406968][ T43] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 32ms [ 103.415220][ T43] gfs2: fsid=loop0.0: jid=0: Done [ 103.420582][ T5898] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5898] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5898] memfd_create("syzkaller", 0) = 4 [pid 5898] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5898] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5898] munmap(0x7f5754600000, 138412032) = 0 [pid 5898] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5898] close(4) = 0 [pid 5898] exit_group(0) = ? [pid 5898] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5898, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=56 /* 0.56 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./7", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./7/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./7/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./7/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./7/file0") = 0 umount2("./7/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5901 attached , child_tidptr=0x55558b8c0650) = 5901 [pid 5901] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5901] chdir("./8") = 0 [pid 5901] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5901] setpgid(0, 0) = 0 [pid 5901] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5901] write(3, "1000", 4) = 4 [pid 5901] close(3) = 0 [pid 5901] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5901] write(1, "executing program\n", 18) = 18 [pid 5901] memfd_create("syzkaller", 0) = 3 [pid 5901] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5901] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5901] munmap(0x7f5754600000, 138412032) = 0 [pid 5901] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5901] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5901] close(3) = 0 [pid 5901] close(4) = 0 [pid 5901] mkdir("./file0", 0777) = 0 [ 104.695063][ T5901] loop0: detected capacity change from 0 to 32768 [ 104.732027][ T5901] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 104.741747][ T5901] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 104.759055][ T5901] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 104.769565][ T43] gfs2: fsid=loop0.0: jid=0, already locked for use [ 104.776744][ T43] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5901] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5901] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5901] chdir("./file0") = 0 [pid 5901] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5901] memfd_create("syzkaller", 0) = 4 [ 104.810700][ T43] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 33ms [ 104.819076][ T43] gfs2: fsid=loop0.0: jid=0: Done [ 104.824463][ T5901] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5901] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5901] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5901] munmap(0x7f5754600000, 138412032) = 0 [pid 5901] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5901] close(4) = 0 [pid 5901] exit_group(0) = ? [pid 5901] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5901, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=55 /* 0.55 s */} --- umount2("./8", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./8/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./8/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./8/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./8/file0") = 0 umount2("./8/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./8") = 0 mkdir("./9", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5904 attached [pid 5904] set_robust_list(0x55558b8c0660, 24 [pid 5866] <... clone resumed>, child_tidptr=0x55558b8c0650) = 5904 [pid 5904] <... set_robust_list resumed>) = 0 [pid 5904] chdir("./9") = 0 [pid 5904] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5904] setpgid(0, 0) = 0 [pid 5904] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5904] write(3, "1000", 4) = 4 [pid 5904] close(3) = 0 [pid 5904] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5904] write(1, "executing program\n", 18executing program ) = 18 [pid 5904] memfd_create("syzkaller", 0) = 3 [pid 5904] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5904] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5904] munmap(0x7f5754600000, 138412032) = 0 [pid 5904] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5904] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5904] close(3) = 0 [pid 5904] close(4) = 0 [pid 5904] mkdir("./file0", 0777) = 0 [ 105.962931][ T5904] loop0: detected capacity change from 0 to 32768 [ 106.001123][ T5904] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 106.012025][ T5904] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 106.038751][ T5904] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 106.052279][ T55] gfs2: fsid=loop0.0: jid=0, already locked for use [ 106.060474][ T55] gfs2: fsid=loop0.0: jid=0: Looking at journal... [ 106.099662][ T55] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 39ms [pid 5904] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5904] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5904] chdir("./file0") = 0 [pid 5904] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5904] memfd_create("syzkaller", 0) = 4 [pid 5904] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [ 106.108737][ T55] gfs2: fsid=loop0.0: jid=0: Done [ 106.115206][ T5904] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5904] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5904] munmap(0x7f5754600000, 138412032) = 0 [pid 5904] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5904] close(4) = 0 [pid 5904] exit_group(0) = ? [pid 5904] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5904, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=60 /* 0.60 s */} --- umount2("./9", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./9/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./9/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./9/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./9/file0") = 0 umount2("./9/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./9") = 0 mkdir("./10", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5907 attached [pid 5907] set_robust_list(0x55558b8c0660, 24 [pid 5866] <... clone resumed>, child_tidptr=0x55558b8c0650) = 5907 [pid 5907] <... set_robust_list resumed>) = 0 [pid 5907] chdir("./10") = 0 [pid 5907] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5907] setpgid(0, 0) = 0 [pid 5907] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5907] write(3, "1000", 4) = 4 [pid 5907] close(3) = 0 [pid 5907] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5907] write(1, "executing program\n", 18executing program ) = 18 [pid 5907] memfd_create("syzkaller", 0) = 3 [pid 5907] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5907] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5907] munmap(0x7f5754600000, 138412032) = 0 [pid 5907] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5907] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5907] close(3) = 0 [pid 5907] close(4) = 0 [pid 5907] mkdir("./file0", 0777) = 0 [ 107.290606][ T5907] loop0: detected capacity change from 0 to 32768 [ 107.320233][ T5907] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 107.330171][ T5907] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 107.343357][ T5907] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 107.354228][ T43] gfs2: fsid=loop0.0: jid=0, already locked for use [ 107.363025][ T43] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5907] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5907] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5907] chdir("./file0") = 0 [pid 5907] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5907] memfd_create("syzkaller", 0) = 4 [pid 5907] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [ 107.405325][ T43] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 42ms [ 107.414817][ T43] gfs2: fsid=loop0.0: jid=0: Done [ 107.420699][ T5907] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5907] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5907] munmap(0x7f5754600000, 138412032) = 0 [pid 5907] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5907] close(4) = 0 [pid 5907] exit_group(0) = ? [pid 5907] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5907, si_uid=0, si_status=0, si_utime=13 /* 0.13 s */, si_stime=59 /* 0.59 s */} --- umount2("./10", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./10/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./10/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./10/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./10/file0") = 0 umount2("./10/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./10") = 0 mkdir("./11", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5910 attached , child_tidptr=0x55558b8c0650) = 5910 [pid 5910] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5910] chdir("./11") = 0 [pid 5910] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5910] setpgid(0, 0) = 0 [pid 5910] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5910] write(3, "1000", 4) = 4 [pid 5910] close(3) = 0 [pid 5910] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5910] write(1, "executing program\n", 18) = 18 [pid 5910] memfd_create("syzkaller", 0) = 3 [pid 5910] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5910] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5910] munmap(0x7f5754600000, 138412032) = 0 [pid 5910] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5910] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5910] close(3) = 0 [pid 5910] close(4) = 0 [pid 5910] mkdir("./file0", 0777) = 0 [ 108.705525][ T5910] loop0: detected capacity change from 0 to 32768 [ 108.735777][ T5910] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 108.747097][ T5910] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 108.764133][ T5910] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 108.787395][ T43] gfs2: fsid=loop0.0: jid=0, already locked for use [ 108.795193][ T43] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5910] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = -1 EIO (Input/output error) [pid 5910] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5910] ioctl(3, LOOP_CLR_FD) = 0 [ 108.820040][ T43] kworker/1:1: attempt to access beyond end of device [ 108.820040][ T43] loop0: rw=0, sector=67113728, nr_sectors = 8 limit=32768 [ 108.848271][ T43] gfs2: fsid=loop0.0: jid=0: Failed [ 108.855270][ T5910] gfs2: fsid=loop0.0: error recovering journal 0: -5 [pid 5910] close(3) = 0 [pid 5910] memfd_create("syzkaller", 0) = 3 [pid 5910] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5910] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5910] munmap(0x7f5754600000, 138412032) = 0 [pid 5910] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5910] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5910] close(3) = 0 [pid 5910] close(4) = 0 [pid 5910] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 109.258130][ T5910] loop0: detected capacity change from 0 to 32768 [ 109.301483][ T5910] gfs2: fsid=norecovery: Trying to join cluster "lock_nolock", "norecovery" [ 109.311698][ T5910] gfs2: fsid=norecovery: Now mounting FS (format 0)... [ 109.330438][ T5910] syz-executor240: attempt to access beyond end of device [ 109.330438][ T5910] loop0: rw=12288, sector=18446744073709551608, nr_sectors = 8 limit=32768 [ 109.348411][ T5910] gfs2: fsid=norecovery.s: fatal: filesystem consistency error - inode = 1 19, function = gfs2_jdesc_check, file = fs/gfs2/super.c, line = 119 [ 109.366045][ T5910] gfs2: fsid=norecovery.s: G: s:SH n:2/13 f:aqob t:SH d:EX/0 a:0 v:0 r:2 m:20 p:2 [ 109.376412][ T5910] gfs2: fsid=norecovery.s: H: s:SH f:eEcH e:0 p:5910 [syz-executor240] init_journal+0x17f8/0x2260 [ 109.389549][ T5910] gfs2: fsid=norecovery.s: I: n:1/19 t:8 f:0x00 d:0x00000200 s:8388608 p:0 [ 109.405853][ T5910] gfs2: fsid=norecovery.s: about to withdraw this file system [ 109.421650][ T5910] gfs2: fsid=norecovery.s: Journal recovery skipped for jid 0 until next mount. [ 109.434080][ T5910] gfs2: fsid=norecovery.s: Glock dequeues delayed: 0 [ 109.442736][ T5910] gfs2: fsid=norecovery.s: File system withdrawn [ 109.449928][ T5910] CPU: 1 UID: 0 PID: 5910 Comm: syz-executor240 Not tainted 6.16.0-next-20250804-syzkaller #0 PREEMPT(full) [ 109.449959][ T5910] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 109.449973][ T5910] Call Trace: [ 109.449985][ T5910] [ 109.449996][ T5910] dump_stack_lvl+0x189/0x250 [ 109.450030][ T5910] ? __pfx_dump_stack_lvl+0x10/0x10 [ 109.450054][ T5910] ? __pfx__printk+0x10/0x10 [ 109.450084][ T5910] ? kobject_uevent_env+0x36b/0x8c0 [ 109.450117][ T5910] gfs2_withdraw+0xb30/0x1430 [ 109.450159][ T5910] ? __pfx_gfs2_withdraw+0x10/0x10 [ 109.450183][ T5910] ? __pfx_wake_up_bit+0x10/0x10 [ 109.450214][ T5910] ? gfs2_consist_inode_i+0xf5/0x110 [ 109.450242][ T5910] gfs2_jdesc_check+0x17d/0x2f0 [ 109.450275][ T5910] check_journal_clean+0x158/0x310 [ 109.450302][ T5910] ? __pfx_check_journal_clean+0x10/0x10 [ 109.450329][ T5910] ? init_journal+0x17f8/0x2260 [ 109.450361][ T5910] ? do_raw_spin_unlock+0x122/0x240 [ 109.450397][ T5910] ? _raw_spin_unlock+0x28/0x50 [ 109.450423][ T5910] ? gfs2_jdesc_find+0xab/0xc0 [ 109.450454][ T5910] init_journal+0x17f8/0x2260 [ 109.450494][ T5910] ? init_inodes+0xdb/0x320 [ 109.450526][ T5910] ? __pfx_init_journal+0x10/0x10 [ 109.450552][ T5910] ? vsnprintf+0xe11/0xf00 [ 109.450586][ T5910] ? snprintf+0xda/0x120 [ 109.450611][ T5910] ? init_inodes+0xdb/0x320 [ 109.450637][ T5910] ? __pfx_snprintf+0x10/0x10 [ 109.450745][ T5910] ? gfs2_glock_nq_num+0x13d/0x170 [ 109.450845][ T5910] init_inodes+0xdb/0x320 [ 109.450876][ T5910] gfs2_fill_super+0x1923/0x20d0 [ 109.450916][ T5910] ? __pfx_gfs2_fill_super+0x10/0x10 [ 109.450943][ T5910] ? init_locking+0xb8/0x210 [ 109.450964][ T5910] ? sb_set_blocksize+0x104/0x180 [ 109.450992][ T5910] ? setup_bdev_super+0x4c1/0x5b0 [ 109.451023][ T5910] get_tree_bdev_flags+0x40e/0x4d0 [ 109.451059][ T5910] ? __pfx_gfs2_fill_super+0x10/0x10 [ 109.451091][ T5910] ? __pfx_get_tree_bdev_flags+0x10/0x10 [ 109.451131][ T5910] gfs2_get_tree+0x51/0x1e0 [ 109.451163][ T5910] vfs_get_tree+0x92/0x2b0 [ 109.451194][ T5910] do_new_mount+0x2a2/0x9e0 [ 109.451229][ T5910] ? ns_capable+0x8a/0xf0 [ 109.451250][ T5910] ? __pfx_do_new_mount+0x10/0x10 [ 109.451279][ T5910] ? path_mount+0x61c/0xfe0 [ 109.451306][ T5910] ? user_path_at+0x44/0x60 [ 109.451500][ T5910] __se_sys_mount+0x317/0x410 [ 109.451539][ T5910] ? __pfx___se_sys_mount+0x10/0x10 [ 109.451568][ T5910] ? rcu_is_watching+0x15/0xb0 [ 109.451596][ T5910] ? __x64_sys_mount+0x20/0xc0 [ 109.451630][ T5910] do_syscall_64+0xfa/0x3b0 [ 109.451659][ T5910] ? lockdep_hardirqs_on+0x9c/0x150 [ 109.451686][ T5910] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 109.451706][ T5910] ? clear_bhb_loop+0x60/0xb0 [ 109.451731][ T5910] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 109.451751][ T5910] RIP: 0033:0x7f575cc41a6a [ 109.451771][ T5910] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 109.451789][ T5910] RSP: 002b:00007ffd8687bd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 109.451810][ T5910] RAX: ffffffffffffffda RBX: 00007ffd8687bdc0 RCX: 00007f575cc41a6a [ 109.451825][ T5910] RDX: 0000200000000400 RSI: 0000200000012500 RDI: 00007ffd8687bdc0 [pid 5910] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_RELATIME, "norecovery,suiddir,noloccookie,norecovery,quota=off,data=writeback,data=writeback,upgrade,loccookie,"...) = -1 EIO (Input/output error) [pid 5910] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 109.451840][ T5910] RBP: 0000200000012500 R08: 00007ffd8687be00 R09: 00007ffd8687be00 [ 109.451855][ T5910] R10: 0000000000200001 R11: 0000000000000246 R12: 0000200000000400 [ 109.451868][ T5910] R13: 00007ffd8687be00 R14: 00000000000125bb R15: 0000200000000180 [ 109.451901][ T5910] [ 109.451911][ T5910] gfs2: fsid=norecovery.s: Error checking journal for spectator mount. [pid 5910] ioctl(3, LOOP_CLR_FD) = 0 [pid 5910] close(3) = 0 [pid 5910] exit_group(0) = ? [pid 5910] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5910, si_uid=0, si_status=0, si_utime=6 /* 0.06 s */, si_stime=117 /* 1.17 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./11", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./11/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./11/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./11/file0") = 0 umount2("./11/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./11") = 0 mkdir("./12", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5915 attached [pid 5915] set_robust_list(0x55558b8c0660, 24 [pid 5866] <... clone resumed>, child_tidptr=0x55558b8c0650) = 5915 [pid 5915] <... set_robust_list resumed>) = 0 [pid 5915] chdir("./12") = 0 [pid 5915] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5915] setpgid(0, 0) = 0 [pid 5915] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5915] write(3, "1000", 4) = 4 [pid 5915] close(3) = 0 [pid 5915] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5915] write(1, "executing program\n", 18) = 18 [pid 5915] memfd_create("syzkaller", 0) = 3 [pid 5915] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5915] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5915] munmap(0x7f5754600000, 138412032) = 0 [pid 5915] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5915] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5915] close(3) = 0 [pid 5915] close(4) = 0 [pid 5915] mkdir("./file0", 0777) = 0 [ 110.542118][ T5915] loop0: detected capacity change from 0 to 32768 [ 110.573788][ T5915] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 110.584616][ T5915] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 110.600968][ T5915] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 110.611141][ T55] gfs2: fsid=loop0.0: jid=0, already locked for use [ 110.621334][ T55] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5915] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5915] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5915] chdir("./file0") = 0 [pid 5915] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5915] memfd_create("syzkaller", 0) = 4 [pid 5915] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [ 110.655018][ T55] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 33ms [ 110.662852][ T55] gfs2: fsid=loop0.0: jid=0: Done [ 110.668621][ T5915] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5915] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5915] munmap(0x7f5754600000, 138412032) = 0 [pid 5915] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5915] close(4) = 0 [pid 5915] exit_group(0) = ? [pid 5915] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5915, si_uid=0, si_status=0, si_utime=6 /* 0.06 s */, si_stime=55 /* 0.55 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./12", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./12/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./12/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./12/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./12/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./12/file0") = 0 umount2("./12/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./12/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./12/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./12") = 0 mkdir("./13", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5918 attached , child_tidptr=0x55558b8c0650) = 5918 [pid 5918] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5918] chdir("./13") = 0 [pid 5918] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5918] setpgid(0, 0) = 0 [pid 5918] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5918] write(3, "1000", 4) = 4 [pid 5918] close(3) = 0 [pid 5918] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5918] write(1, "executing program\n", 18) = 18 [pid 5918] memfd_create("syzkaller", 0) = 3 [pid 5918] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5918] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5918] munmap(0x7f5754600000, 138412032) = 0 [pid 5918] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5918] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5918] close(3) = 0 [pid 5918] close(4) = 0 [pid 5918] mkdir("./file0", 0777) = 0 [ 111.811224][ T5918] loop0: detected capacity change from 0 to 32768 [ 111.863634][ T5918] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 111.875135][ T5918] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 111.891509][ T5918] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 111.901947][ T43] gfs2: fsid=loop0.0: jid=0, already locked for use [ 111.909698][ T43] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5918] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5918] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5918] chdir("./file0") = 0 [pid 5918] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5918] memfd_create("syzkaller", 0) = 4 [pid 5918] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [ 111.942272][ T43] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 32ms [ 111.951171][ T43] gfs2: fsid=loop0.0: jid=0: Done [ 111.956851][ T5918] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5918] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5918] munmap(0x7f5754600000, 138412032) = 0 [pid 5918] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5918] close(4) = 0 [pid 5918] exit_group(0) = ? [pid 5918] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5918, si_uid=0, si_status=0, si_utime=8 /* 0.08 s */, si_stime=54 /* 0.54 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./13", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./13/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./13/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./13/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./13/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./13/file0") = 0 umount2("./13/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./13/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./13/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./13") = 0 mkdir("./14", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5921 attached , child_tidptr=0x55558b8c0650) = 5921 [pid 5921] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5921] chdir("./14") = 0 [pid 5921] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5921] setpgid(0, 0) = 0 [pid 5921] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5921] write(3, "1000", 4) = 4 [pid 5921] close(3) = 0 [pid 5921] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5921] write(1, "executing program\n", 18) = 18 [pid 5921] memfd_create("syzkaller", 0) = 3 [pid 5921] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5921] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5921] munmap(0x7f5754600000, 138412032) = 0 [pid 5921] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5921] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5921] close(3) = 0 [pid 5921] close(4) = 0 [pid 5921] mkdir("./file0", 0777) = 0 [ 113.111345][ T5921] loop0: detected capacity change from 0 to 32768 [ 113.150306][ T5921] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 113.160453][ T5921] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 113.176512][ T5921] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 113.189121][ T43] gfs2: fsid=loop0.0: jid=0, already locked for use [ 113.196647][ T43] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5921] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5921] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5921] chdir("./file0") = 0 [pid 5921] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 113.246745][ T43] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 50ms [ 113.256090][ T43] gfs2: fsid=loop0.0: jid=0: Done [ 113.264054][ T5921] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5921] memfd_create("syzkaller", 0) = 4 [pid 5921] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5921] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5921] munmap(0x7f5754600000, 138412032) = 0 [pid 5921] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5921] close(4) = 0 [pid 5921] exit_group(0) = ? [pid 5921] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5921, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=58 /* 0.58 s */} --- umount2("./14", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./14/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./14/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./14/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./14/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./14/file0") = 0 umount2("./14/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./14/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./14/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./14") = 0 mkdir("./15", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5924 attached [pid 5924] set_robust_list(0x55558b8c0660, 24 [pid 5866] <... clone resumed>, child_tidptr=0x55558b8c0650) = 5924 [pid 5924] <... set_robust_list resumed>) = 0 [pid 5924] chdir("./15") = 0 [pid 5924] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5924] setpgid(0, 0) = 0 [pid 5924] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5924] write(3, "1000", 4) = 4 [pid 5924] close(3) = 0 [pid 5924] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5924] write(1, "executing program\n", 18) = 18 [pid 5924] memfd_create("syzkaller", 0) = 3 [pid 5924] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5924] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5924] munmap(0x7f5754600000, 138412032) = 0 [pid 5924] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5924] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5924] close(3) = 0 [pid 5924] close(4) = 0 [pid 5924] mkdir("./file0", 0777) = 0 [ 114.478540][ T5924] loop0: detected capacity change from 0 to 32768 [ 114.546656][ T5924] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 114.556013][ T5924] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 114.570059][ T5924] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 114.580436][ T55] gfs2: fsid=loop0.0: jid=0, already locked for use [ 114.587718][ T55] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5924] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = 0 [pid 5924] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5924] chdir("./file0") = 0 [pid 5924] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 114.619877][ T55] gfs2: fsid=loop0.0: jid=0: Journal head lookup took 32ms [ 114.628346][ T55] gfs2: fsid=loop0.0: jid=0: Done [ 114.634186][ T5924] gfs2: fsid=loop0.0: first mount done, others may mount [pid 5924] memfd_create("syzkaller", 0) = 4 [pid 5924] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5924] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5924] munmap(0x7f5754600000, 138412032) = 0 [pid 5924] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5924] close(4) = 0 [pid 5924] exit_group(0) = ? [pid 5924] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5924, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=57 /* 0.57 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./15", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./15/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./15/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./15/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./15/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./15/file0") = 0 umount2("./15/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./15/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./15/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./15") = 0 mkdir("./16", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5927 attached , child_tidptr=0x55558b8c0650) = 5927 [pid 5927] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5927] chdir("./16") = 0 [pid 5927] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5927] setpgid(0, 0) = 0 [pid 5927] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5927] write(3, "1000", 4) = 4 [pid 5927] close(3) = 0 [pid 5927] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5927] write(1, "executing program\n", 18) = 18 [pid 5927] memfd_create("syzkaller", 0) = 3 [pid 5927] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5927] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5927] munmap(0x7f5754600000, 138412032) = 0 [pid 5927] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5927] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5927] close(3) = 0 [pid 5927] close(4) = 0 [pid 5927] mkdir("./file0", 0777) = 0 [ 115.735484][ T5927] loop0: detected capacity change from 0 to 32768 [ 115.786186][ T5927] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 115.798853][ T5927] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 115.811467][ T5927] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 115.822270][ T55] gfs2: fsid=loop0.0: jid=0, already locked for use [ 115.828994][ T55] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5927] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = -1 EIO (Input/output error) [pid 5927] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 115.850543][ T55] kworker/0:2: attempt to access beyond end of device [ 115.850543][ T55] loop0: rw=0, sector=67113728, nr_sectors = 8 limit=32768 [ 115.875523][ T55] gfs2: fsid=loop0.0: jid=0: Failed [ 115.881309][ T5927] gfs2: fsid=loop0.0: error recovering journal 0: -5 [pid 5927] ioctl(3, LOOP_CLR_FD) = 0 [pid 5927] close(3) = 0 [pid 5927] memfd_create("syzkaller", 0) = 3 [pid 5927] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5927] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5927] munmap(0x7f5754600000, 138412032) = 0 [pid 5927] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5927] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5927] close(3) = 0 [pid 5927] close(4) = 0 [pid 5927] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 116.318174][ T5927] loop0: detected capacity change from 0 to 32768 [ 116.359649][ T5927] gfs2: fsid=norecovery: Trying to join cluster "lock_nolock", "norecovery" [ 116.370765][ T5927] gfs2: fsid=norecovery: Now mounting FS (format 0)... [ 116.384764][ T5927] syz-executor240: attempt to access beyond end of device [ 116.384764][ T5927] loop0: rw=12288, sector=18446744073709551608, nr_sectors = 8 limit=32768 [ 116.403732][ T5927] gfs2: fsid=norecovery.s: fatal: filesystem consistency error - inode = 1 19, function = gfs2_jdesc_check, file = fs/gfs2/super.c, line = 119 [ 116.420902][ T5927] gfs2: fsid=norecovery.s: G: s:SH n:2/13 f:aqob t:SH d:EX/0 a:0 v:0 r:2 m:20 p:2 [ 116.433318][ T5927] gfs2: fsid=norecovery.s: H: s:SH f:eEcH e:0 p:5927 [syz-executor240] init_journal+0x17f8/0x2260 [ 116.467129][ T5927] gfs2: fsid=norecovery.s: I: n:1/19 t:8 f:0x00 d:0x00000200 s:8388608 p:0 [ 116.476919][ T5927] gfs2: fsid=norecovery.s: about to withdraw this file system [ 116.485182][ T5927] gfs2: fsid=norecovery.s: Journal recovery skipped for jid 0 until next mount. [ 116.494899][ T5927] gfs2: fsid=norecovery.s: Glock dequeues delayed: 0 [ 116.503580][ T5927] gfs2: fsid=norecovery.s: File system withdrawn [ 116.510686][ T5927] CPU: 0 UID: 0 PID: 5927 Comm: syz-executor240 Not tainted 6.16.0-next-20250804-syzkaller #0 PREEMPT(full) [ 116.510714][ T5927] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 116.510733][ T5927] Call Trace: [ 116.510740][ T5927] [ 116.510748][ T5927] dump_stack_lvl+0x189/0x250 [ 116.510793][ T5927] ? __pfx_dump_stack_lvl+0x10/0x10 [ 116.510817][ T5927] ? __pfx__printk+0x10/0x10 [ 116.510844][ T5927] ? kobject_uevent_env+0x36b/0x8c0 [ 116.510875][ T5927] gfs2_withdraw+0xb30/0x1430 [ 116.510919][ T5927] ? __pfx_gfs2_withdraw+0x10/0x10 [ 116.510956][ T5927] ? __pfx_wake_up_bit+0x10/0x10 [ 116.510993][ T5927] ? gfs2_consist_inode_i+0xf5/0x110 [ 116.511024][ T5927] gfs2_jdesc_check+0x17d/0x2f0 [ 116.511062][ T5927] check_journal_clean+0x158/0x310 [ 116.511091][ T5927] ? __pfx_check_journal_clean+0x10/0x10 [ 116.511121][ T5927] ? init_journal+0x17f8/0x2260 [ 116.511155][ T5927] ? do_raw_spin_unlock+0x122/0x240 [ 116.511184][ T5927] ? _raw_spin_unlock+0x28/0x50 [ 116.511209][ T5927] ? gfs2_jdesc_find+0xab/0xc0 [ 116.511240][ T5927] init_journal+0x17f8/0x2260 [ 116.511280][ T5927] ? init_inodes+0xdb/0x320 [ 116.511311][ T5927] ? __pfx_init_journal+0x10/0x10 [ 116.511337][ T5927] ? vsnprintf+0xe11/0xf00 [ 116.511371][ T5927] ? snprintf+0xda/0x120 [ 116.511395][ T5927] ? init_inodes+0xdb/0x320 [ 116.511421][ T5927] ? __pfx_snprintf+0x10/0x10 [ 116.511445][ T5927] ? gfs2_glock_nq_num+0x13d/0x170 [ 116.511478][ T5927] init_inodes+0xdb/0x320 [ 116.511507][ T5927] gfs2_fill_super+0x1923/0x20d0 [ 116.511552][ T5927] ? __pfx_gfs2_fill_super+0x10/0x10 [ 116.511583][ T5927] ? init_locking+0xb8/0x210 [ 116.511607][ T5927] ? sb_set_blocksize+0x104/0x180 [ 116.511638][ T5927] ? setup_bdev_super+0x4c1/0x5b0 [ 116.511670][ T5927] get_tree_bdev_flags+0x40e/0x4d0 [ 116.511697][ T5927] ? __pfx_gfs2_fill_super+0x10/0x10 [ 116.511724][ T5927] ? __pfx_get_tree_bdev_flags+0x10/0x10 [ 116.511764][ T5927] gfs2_get_tree+0x51/0x1e0 [ 116.511795][ T5927] vfs_get_tree+0x92/0x2b0 [ 116.511825][ T5927] do_new_mount+0x2a2/0x9e0 [ 116.511859][ T5927] ? ns_capable+0x8a/0xf0 [ 116.511879][ T5927] ? __pfx_do_new_mount+0x10/0x10 [ 116.511907][ T5927] ? path_mount+0x61c/0xfe0 [ 116.511934][ T5927] ? user_path_at+0x44/0x60 [ 116.511975][ T5927] __se_sys_mount+0x317/0x410 [ 116.512012][ T5927] ? __pfx___se_sys_mount+0x10/0x10 [ 116.512041][ T5927] ? rcu_is_watching+0x15/0xb0 [ 116.512067][ T5927] ? __x64_sys_mount+0x20/0xc0 [ 116.512100][ T5927] do_syscall_64+0xfa/0x3b0 [ 116.512128][ T5927] ? lockdep_hardirqs_on+0x9c/0x150 [ 116.512168][ T5927] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 116.512188][ T5927] ? clear_bhb_loop+0x60/0xb0 [ 116.512212][ T5927] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 116.512232][ T5927] RIP: 0033:0x7f575cc41a6a [ 116.512257][ T5927] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 116.512273][ T5927] RSP: 002b:00007ffd8687bd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 116.512298][ T5927] RAX: ffffffffffffffda RBX: 00007ffd8687bdc0 RCX: 00007f575cc41a6a [ 116.512313][ T5927] RDX: 0000200000000400 RSI: 0000200000012500 RDI: 00007ffd8687bdc0 [pid 5927] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_RELATIME, "norecovery,suiddir,noloccookie,norecovery,quota=off,data=writeback,data=writeback,upgrade,loccookie,"...) = -1 EIO (Input/output error) [pid 5927] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5927] ioctl(3, LOOP_CLR_FD) = 0 [ 116.512326][ T5927] RBP: 0000200000012500 R08: 00007ffd8687be00 R09: 00007ffd8687be00 [ 116.512378][ T5927] R10: 0000000000200001 R11: 0000000000000246 R12: 0000200000000400 [ 116.512391][ T5927] R13: 00007ffd8687be00 R14: 00000000000125bb R15: 0000200000000180 [ 116.512424][ T5927] [ 116.512433][ T5927] gfs2: fsid=norecovery.s: Error checking journal for spectator mount. [pid 5927] close(3) = 0 [pid 5927] exit_group(0) = ? [pid 5927] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5927, si_uid=0, si_status=0, si_utime=6 /* 0.06 s */, si_stime=112 /* 1.12 s */} --- umount2("./16", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558b8c16f0 /* 4 entries */, 32768) = 112 umount2("./16/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./16/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./16/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558b8c9730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55558b8c9730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./16/file0") = 0 umount2("./16/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./16/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./16/binderfs") = 0 getdents64(3, 0x55558b8c16f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./16") = 0 mkdir("./17", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5932 attached [pid 5932] set_robust_list(0x55558b8c0660, 24) = 0 [pid 5866] <... clone resumed>, child_tidptr=0x55558b8c0650) = 5932 [pid 5932] chdir("./17") = 0 [pid 5932] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5932] setpgid(0, 0) = 0 [pid 5932] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5932] write(3, "1000", 4) = 4 [pid 5932] close(3) = 0 [pid 5932] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5932] write(1, "executing program\n", 18executing program ) = 18 [pid 5932] memfd_create("syzkaller", 0) = 3 [pid 5932] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5932] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5932] munmap(0x7f5754600000, 138412032) = 0 [pid 5932] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5932] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5932] close(3) = 0 [pid 5932] close(4) = 0 [pid 5932] mkdir("./file0", 0777) = 0 [ 117.686699][ T5932] loop0: detected capacity change from 0 to 32768 [ 117.742197][ T5932] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 117.751949][ T5932] gfs2: fsid=loop0: Now mounting FS (format 1801)... [ 117.770432][ T5932] gfs2: fsid=loop0.0: journal 0 mapped with 10 extents in 0ms [ 117.780452][ T43] gfs2: fsid=loop0.0: jid=0, already locked for use [ 117.787179][ T43] gfs2: fsid=loop0.0: jid=0: Looking at journal... [pid 5932] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS, "norgrplvb,suiddir,localflocks,quota=account,errors=withdraw,data=writeback,discard,upgrade,loccookie"...) = -1 EIO (Input/output error) [pid 5932] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5932] ioctl(3, LOOP_CLR_FD) = 0 [ 117.814232][ T43] kworker/1:1: attempt to access beyond end of device [ 117.814232][ T43] loop0: rw=0, sector=67113728, nr_sectors = 8 limit=32768 [ 117.841908][ T43] gfs2: fsid=loop0.0: jid=0: Failed [ 117.849350][ T5932] gfs2: fsid=loop0.0: error recovering journal 0: -5 [pid 5932] close(3) = 0 [pid 5932] memfd_create("syzkaller", 0) = 3 [pid 5932] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5754600000 [pid 5932] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5932] munmap(0x7f5754600000, 138412032) = 0 [pid 5932] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5932] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5932] close(3) = 0 [pid 5932] close(4) = 0 [pid 5932] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 118.263009][ T5932] loop0: detected capacity change from 0 to 32768 [ 118.296877][ T5932] gfs2: fsid=norecovery: Trying to join cluster "lock_nolock", "norecovery" [ 118.308372][ T5932] gfs2: fsid=norecovery: Now mounting FS (format 0)... [ 118.324564][ T5932] syz-executor240: attempt to access beyond end of device [ 118.324564][ T5932] loop0: rw=12288, sector=18446744073709551608, nr_sectors = 8 limit=32768 [ 118.342742][ T5932] gfs2: fsid=norecovery.s: fatal: filesystem consistency error - inode = 1 19, function = gfs2_jdesc_check, file = fs/gfs2/super.c, line = 119 [ 118.359563][ T5932] gfs2: fsid=norecovery.s: G: s:SH n:2/13 f:aqob t:SH d:EX/0 a:0 v:0 r:2 m:20 p:2 [ 118.369539][ T5932] gfs2: fsid=norecovery.s: H: s:SH f:eEcH e:0 p:5932 [syz-executor240] init_journal+0x17f8/0x2260 [ 118.381683][ T5932] gfs2: fsid=norecovery.s: I: n:1/19 t:8 f:0x00 d:0x00000200 s:8388608 p:0 [ 118.396421][ T5932] gfs2: fsid=norecovery.s: about to withdraw this file system [ 118.405276][ T5932] gfs2: fsid=norecovery.s: Journal recovery skipped for jid 0 until next mount. [ 118.415115][ T5932] gfs2: fsid=norecovery.s: Glock dequeues delayed: 0 [ 118.423314][ T5932] gfs2: fsid=norecovery.s: File system withdrawn [ 118.431637][ T5932] CPU: 1 UID: 0 PID: 5932 Comm: syz-executor240 Not tainted 6.16.0-next-20250804-syzkaller #0 PREEMPT(full) [ 118.431664][ T5932] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 118.431676][ T5932] Call Trace: [ 118.431683][ T5932] [ 118.431690][ T5932] dump_stack_lvl+0x189/0x250 [ 118.431720][ T5932] ? __pfx_dump_stack_lvl+0x10/0x10 [ 118.432079][ T5932] ? __pfx__printk+0x10/0x10 [ 118.432122][ T5932] ? kobject_uevent_env+0x36b/0x8c0 [ 118.432150][ T5932] gfs2_withdraw+0xb30/0x1430 [ 118.432192][ T5932] ? __pfx_gfs2_withdraw+0x10/0x10 [ 118.432218][ T5932] ? __pfx_wake_up_bit+0x10/0x10 [ 118.432263][ T5932] ? gfs2_consist_inode_i+0xf5/0x110 [ 118.432291][ T5932] gfs2_jdesc_check+0x17d/0x2f0 [ 118.432326][ T5932] check_journal_clean+0x158/0x310 [ 118.432357][ T5932] ? __pfx_check_journal_clean+0x10/0x10 [ 118.432388][ T5932] ? init_journal+0x17f8/0x2260 [ 118.432425][ T5932] ? do_raw_spin_unlock+0x122/0x240 [ 118.432455][ T5932] ? _raw_spin_unlock+0x28/0x50 [ 118.432479][ T5932] ? gfs2_jdesc_find+0xab/0xc0 [ 118.432507][ T5932] init_journal+0x17f8/0x2260 [ 118.432544][ T5932] ? init_inodes+0xdb/0x320 [ 118.432575][ T5932] ? __pfx_init_journal+0x10/0x10 [ 118.432600][ T5932] ? vsnprintf+0xe11/0xf00 [ 118.432635][ T5932] ? snprintf+0xda/0x120 [ 118.432657][ T5932] ? init_inodes+0xdb/0x320 [ 118.432678][ T5932] ? __pfx_snprintf+0x10/0x10 [ 118.432697][ T5932] ? gfs2_glock_nq_num+0x13d/0x170 [ 118.432726][ T5932] init_inodes+0xdb/0x320 [ 118.432750][ T5932] gfs2_fill_super+0x1923/0x20d0 [ 118.432788][ T5932] ? __pfx_gfs2_fill_super+0x10/0x10 [ 118.432817][ T5932] ? init_locking+0xb8/0x210 [ 118.432840][ T5932] ? sb_set_blocksize+0x104/0x180 [ 118.432870][ T5932] ? setup_bdev_super+0x4c1/0x5b0 [ 118.432971][ T5932] get_tree_bdev_flags+0x40e/0x4d0 [ 118.433000][ T5932] ? __pfx_gfs2_fill_super+0x10/0x10 [ 118.433027][ T5932] ? __pfx_get_tree_bdev_flags+0x10/0x10 [ 118.433067][ T5932] gfs2_get_tree+0x51/0x1e0 [ 118.433097][ T5932] vfs_get_tree+0x92/0x2b0 [ 118.433128][ T5932] do_new_mount+0x2a2/0x9e0 [ 118.433163][ T5932] ? ns_capable+0x8a/0xf0 [ 118.433184][ T5932] ? __pfx_do_new_mount+0x10/0x10 [ 118.433212][ T5932] ? path_mount+0x61c/0xfe0 [ 118.433239][ T5932] ? user_path_at+0x44/0x60 [ 118.433273][ T5932] __se_sys_mount+0x317/0x410 [ 118.433310][ T5932] ? __pfx___se_sys_mount+0x10/0x10 [ 118.433338][ T5932] ? rcu_is_watching+0x15/0xb0 [ 118.433366][ T5932] ? __x64_sys_mount+0x20/0xc0 [ 118.433399][ T5932] do_syscall_64+0xfa/0x3b0 [ 118.433428][ T5932] ? lockdep_hardirqs_on+0x9c/0x150 [ 118.433455][ T5932] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.433475][ T5932] ? clear_bhb_loop+0x60/0xb0 [ 118.433500][ T5932] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.433519][ T5932] RIP: 0033:0x7f575cc41a6a [ 118.433540][ T5932] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 118.433557][ T5932] RSP: 002b:00007ffd8687bd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 118.433579][ T5932] RAX: ffffffffffffffda RBX: 00007ffd8687bdc0 RCX: 00007f575cc41a6a [ 118.433594][ T5932] RDX: 0000200000000400 RSI: 0000200000012500 RDI: 00007ffd8687bdc0 [ 118.433608][ T5932] RBP: 0000200000012500 R08: 00007ffd8687be00 R09: 00007ffd8687be00 [pid 5932] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_RELATIME, "norecovery,suiddir,noloccookie,norecovery,quota=off,data=writeback,data=writeback,upgrade,loccookie,"...) = -1 EIO (Input/output error) [pid 5932] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5932] ioctl(3, LOOP_CLR_FD) = 0 [ 118.433621][ T5932] R10: 0000000000200001 R11: 0000000000000246 R12: 0000200000000400 [ 118.433634][ T5932] R13: 00007ffd8687be00 R14: 00000000000125bb R15: 0000200000000180 [ 118.433679][ T5932] [ 118.433690][ T5932] gfs2: fsid=norecovery.s: Error checking journal for spectator mount. [ 118.894809][ T5932] ================================================================== [ 118.905382][ T5932] BUG: KASAN: slab-use-after-free in lru_add+0x25f/0xd80 [ 118.916697][ T5932] Read of size 8 at addr ffff88807e517898 by task syz-executor240/5932 [ 118.929852][ T5932] [ 118.933073][ T5932] CPU: 0 UID: 0 PID: 5932 Comm: syz-executor240 Not tainted 6.16.0-next-20250804-syzkaller #0 PREEMPT(full) [ 118.933103][ T5932] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 118.933117][ T5932] Call Trace: [ 118.933126][ T5932] [ 118.933133][ T5932] dump_stack_lvl+0x189/0x250 [ 118.933167][ T5932] ? rcu_is_watching+0x15/0xb0 [ 118.933182][ T5932] ? __kasan_check_byte+0x12/0x40 [ 118.933203][ T5932] ? __pfx_dump_stack_lvl+0x10/0x10 [ 118.933219][ T5932] ? rcu_is_watching+0x15/0xb0 [ 118.933232][ T5932] ? lock_release+0x4b/0x3e0 [ 118.933254][ T5932] ? __virt_addr_valid+0x1c8/0x5c0 [ 118.933273][ T5932] ? __virt_addr_valid+0x4a5/0x5c0 [ 118.933291][ T5932] print_report+0xca/0x240 [ 118.933305][ T5932] ? lru_add+0x25f/0xd80 [ 118.933318][ T5932] kasan_report+0x118/0x150 [ 118.933339][ T5932] ? lru_add+0x25f/0xd80 [ 118.933355][ T5932] kasan_check_range+0x2b0/0x2c0 [ 118.933376][ T5932] lru_add+0x25f/0xd80 [ 118.933390][ T5932] ? lru_add+0x198/0xd80 [ 118.933404][ T5932] folio_batch_move_lru+0x21b/0x3a0 [ 118.933419][ T5932] ? xas_store+0xf3e/0x1880 [ 118.933442][ T5932] ? __pfx_lru_add+0x10/0x10 [ 118.933457][ T5932] ? __pfx_folio_batch_move_lru+0x10/0x10 [ 118.933474][ T5932] ? xas_clear_mark+0x2d6/0x530 [ 118.933499][ T5932] lru_add_drain_cpu+0x119/0x880 [ 118.933516][ T5932] ? lru_add_drain+0x79/0x3e0 [ 118.933533][ T5932] ? __pfx_lru_add_drain_cpu+0x10/0x10 [ 118.933553][ T5932] ? lru_add_drain+0x79/0x3e0 [ 118.933567][ T5932] ? lru_add_drain+0x79/0x3e0 [ 118.933582][ T5932] lru_add_drain+0x122/0x3e0 [ 118.933598][ T5932] __folio_batch_release+0x48/0x90 [ 118.933614][ T5932] shmem_undo_range+0x49e/0x14b0 [ 118.933634][ T5932] ? __kernel_text_address+0xd/0x40 [ 118.933654][ T5932] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 118.933672][ T5932] ? arch_stack_walk+0xfc/0x150 [ 118.933699][ T5932] ? __pfx_shmem_undo_range+0x10/0x10 [ 118.933737][ T5932] ? unwind_get_return_address+0x4d/0x90 [ 118.933753][ T5932] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 118.933770][ T5932] ? arch_stack_walk+0xfc/0x150 [ 118.933791][ T5932] shmem_evict_inode+0x272/0xa70 [ 118.933819][ T5932] ? inode_wait_for_writeback+0xf9/0x290 [ 118.933834][ T5932] ? __pfx_shmem_evict_inode+0x10/0x10 [ 118.933856][ T5932] ? __pfx_inode_wait_for_writeback+0x10/0x10 [ 118.933874][ T5932] ? do_raw_spin_unlock+0x122/0x240 [ 118.933892][ T5932] ? __pfx_shmem_evict_inode+0x10/0x10 [ 118.933913][ T5932] evict+0x504/0x9c0 [ 118.933933][ T5932] ? __pfx_evict+0x10/0x10 [ 118.933948][ T5932] ? do_raw_spin_unlock+0x122/0x240 [ 118.933966][ T5932] ? _raw_spin_unlock+0x28/0x50 [ 118.933989][ T5932] ? iput+0x6d8/0x9d0 [ 118.934004][ T5932] __dentry_kill+0x209/0x660 [ 118.934017][ T5932] ? dput+0x37/0x2b0 [ 118.934038][ T5932] dput+0x19f/0x2b0 [ 118.934059][ T5932] __fput+0x68e/0xa70 [ 118.934078][ T5932] task_work_run+0x1d4/0x260 [ 118.934098][ T5932] ? __pfx_task_work_run+0x10/0x10 [ 118.934133][ T5932] ptrace_notify+0x281/0x2c0 [ 118.934147][ T5932] ? __pfx_ptrace_notify+0x10/0x10 [ 118.934159][ T5932] ? fput_close_sync+0x119/0x200 [ 118.934174][ T5932] ? __pfx_fput_close_sync+0x10/0x10 [ 118.934193][ T5932] syscall_exit_work+0xc6/0x1d0 [ 118.934217][ T5932] do_syscall_64+0x2ad/0x3b0 [ 118.934314][ T5932] ? lockdep_hardirqs_on+0x9c/0x150 [ 118.934335][ T5932] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.934350][ T5932] ? clear_bhb_loop+0x60/0xb0 [ 118.934367][ T5932] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.934381][ T5932] RIP: 0033:0x7f575cc3f840 [ 118.934396][ T5932] Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 80 3d 41 d8 09 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c [ 118.934408][ T5932] RSP: 002b:00007ffd8687bd78 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 118.934424][ T5932] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007f575cc3f840 [ 118.934434][ T5932] RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000003 [ 118.934443][ T5932] RBP: 0000000000000003 R08: 00007ffd8687be00 R09: 00007ffd8687be00 [ 118.934453][ T5932] R10: 0000000000000000 R11: 0000000000000202 R12: 0000200000000400 [ 118.934462][ T5932] R13: 00007ffd8687be00 R14: 00000000000125bb R15: 0000200000000180 [ 118.934478][ T5932] [ 118.934484][ T5932] [ 119.416340][ T5932] Allocated by task 5932: [ 119.421301][ T5932] kasan_save_track+0x3e/0x80 [ 119.426661][ T5932] __kasan_slab_alloc+0x6c/0x80 [ 119.432157][ T5932] kmem_cache_alloc_noprof+0x1c1/0x3c0 [ 119.438007][ T5932] gfs2_glock_get+0x263/0xec0 [ 119.443174][ T5932] gfs2_inode_lookup+0x215/0xb10 [ 119.448417][ T5932] gfs2_dir_search+0x168/0x220 [ 119.453584][ T5932] gfs2_lookupi+0x3d9/0x5a0 [ 119.458555][ T5932] init_journal+0x54a/0x2260 [ 119.464238][ T5932] init_inodes+0xdb/0x320 [ 119.469309][ T5932] gfs2_fill_super+0x1923/0x20d0 [ 119.474462][ T5932] get_tree_bdev_flags+0x40e/0x4d0 [ 119.480554][ T5932] gfs2_get_tree+0x51/0x1e0 [ 119.485274][ T5932] vfs_get_tree+0x92/0x2b0 [ 119.490159][ T5932] do_new_mount+0x2a2/0x9e0 [ 119.495056][ T5932] __se_sys_mount+0x317/0x410 [ 119.500212][ T5932] do_syscall_64+0xfa/0x3b0 [ 119.505278][ T5932] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 119.512087][ T5932] [ 119.514819][ T5932] Freed by task 0: [ 119.519094][ T5932] kasan_save_track+0x3e/0x80 [ 119.524335][ T5932] kasan_save_free_info+0x46/0x50 [ 119.531355][ T5932] __kasan_slab_free+0x5b/0x80 [ 119.536806][ T5932] kmem_cache_free+0x18f/0x400 [ 119.542742][ T5932] rcu_core+0xca8/0x1770 [ 119.548340][ T5932] handle_softirqs+0x283/0x870 [ 119.554764][ T5932] __irq_exit_rcu+0xca/0x1f0 [ 119.560088][ T5932] irq_exit_rcu+0x9/0x30 [ 119.564884][ T5932] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 119.571706][ T5932] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 119.578199][ T5932] [ 119.580728][ T5932] Last potentially related work creation: [ 119.587273][ T5932] kasan_save_stack+0x3e/0x60 [ 119.592712][ T5932] kasan_record_aux_stack+0xbd/0xd0 [ 119.598298][ T5932] call_rcu+0x157/0x9c0 [ 119.602621][ T5932] __gfs2_glock_free+0xb44/0xc90 [ 119.607900][ T5932] gfs2_glock_free+0x3c/0xa0 [ 119.612917][ T5932] gfs2_evict_inode+0xae7/0x1000 [ 119.618371][ T5932] evict+0x504/0x9c0 [ 119.622700][ T5932] gfs2_jindex_free+0x39c/0x440 [ 119.627756][ T5932] init_journal+0x8f1/0x2260 [ 119.632727][ T5932] init_inodes+0xdb/0x320 [ 119.637269][ T5932] gfs2_fill_super+0x1923/0x20d0 [ 119.642858][ T5932] get_tree_bdev_flags+0x40e/0x4d0 [ 119.648450][ T5932] gfs2_get_tree+0x51/0x1e0 [ 119.653337][ T5932] vfs_get_tree+0x92/0x2b0 [ 119.658057][ T5932] do_new_mount+0x2a2/0x9e0 [ 119.663586][ T5932] __se_sys_mount+0x317/0x410 [ 119.668522][ T5932] do_syscall_64+0xfa/0x3b0 [ 119.673599][ T5932] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 119.679920][ T5932] [ 119.682266][ T5932] Second to last potentially related work creation: [ 119.690355][ T5932] kasan_save_stack+0x3e/0x60 [ 119.695881][ T5932] kasan_record_aux_stack+0xbd/0xd0 [ 119.701805][ T5932] insert_work+0x3d/0x330 [ 119.707143][ T5932] __queue_work+0xcd2/0xfb0 [ 119.712541][ T5932] queue_delayed_work_on+0x18b/0x280 [ 119.719257][ T5932] do_xmote+0xce0/0x1260 [ 119.725996][ T5932] glock_work_func+0x2a8/0x580 [ 119.732387][ T5932] process_scheduled_works+0xade/0x17b0 [ 119.738830][ T5932] worker_thread+0x8a0/0xda0 [ 119.743894][ T5932] kthread+0x70e/0x8a0 [ 119.748703][ T5932] ret_from_fork+0x3f9/0x770 [ 119.753855][ T5932] ret_from_fork_asm+0x1a/0x30 [ 119.760325][ T5932] [ 119.762775][ T5932] The buggy address belongs to the object at ffff88807e5174d0 [ 119.762775][ T5932] which belongs to the cache gfs2_glock(aspace) of size 1224 [ 119.778926][ T5932] The buggy address is located 968 bytes inside of [ 119.778926][ T5932] freed 1224-byte region [ffff88807e5174d0, ffff88807e517998) [ 119.794137][ T5932] [ 119.796508][ T5932] The buggy address belongs to the physical page: [ 119.803394][ T5932] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e514 [ 119.812522][ T5932] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 119.821924][ T5932] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 119.830039][ T5932] page_type: f5(slab) [ 119.834312][ T5932] raw: 00fff00000000040 ffff888140b3b500 dead000000000122 0000000000000000 [ 119.843641][ T5932] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 119.852766][ T5932] head: 00fff00000000040 ffff888140b3b500 dead000000000122 0000000000000000 [ 119.862513][ T5932] head: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 [ 119.872898][ T5932] head: 00fff00000000002 ffffea0001f94501 00000000ffffffff 00000000ffffffff [ 119.882143][ T5932] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 119.892237][ T5932] page dumped because: kasan: bad access detected [ 119.899717][ T5932] page_owner tracks the page as allocated [ 119.906321][ T5932] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5927, tgid 5927 (syz-executor240), ts 116383259321, free_ts 115796234787 [ 119.930581][ T5932] post_alloc_hook+0x240/0x2a0 [ 119.936420][ T5932] get_page_from_freelist+0x21e4/0x22c0 [ 119.942596][ T5932] __alloc_frozen_pages_noprof+0x181/0x370 [ 119.949476][ T5932] alloc_pages_mpol+0x232/0x4a0 [ 119.954799][ T5932] allocate_slab+0x8a/0x370 [ 119.959865][ T5932] ___slab_alloc+0xbeb/0x1410 [ 119.965512][ T5932] kmem_cache_alloc_noprof+0x283/0x3c0 [ 119.971274][ T5932] gfs2_glock_get+0x263/0xec0 [ 119.976322][ T5932] gfs2_inode_lookup+0x215/0xb10 [ 119.981619][ T5932] gfs2_dir_search+0x168/0x220 [ 119.986662][ T5932] gfs2_lookupi+0x3d9/0x5a0 [ 119.991381][ T5932] gfs2_lookup_meta+0xa7/0x170 [ 119.996581][ T5932] init_journal+0x10cd/0x2260 [ 120.001744][ T5932] init_inodes+0xdb/0x320 [ 120.006700][ T5932] gfs2_fill_super+0x1923/0x20d0 [ 120.012111][ T5932] get_tree_bdev_flags+0x40e/0x4d0 [ 120.017681][ T5932] page last free pid 5868 tgid 5868 stack trace: [ 120.024278][ T5932] __free_frozen_pages+0xbc4/0xd30 [ 120.029615][ T5932] __slab_free+0x303/0x3c0 [ 120.034529][ T5932] qlist_free_all+0x97/0x140 [ 120.039409][ T5932] kasan_quarantine_reduce+0x148/0x160 [ 120.045495][ T5932] __kasan_slab_alloc+0x22/0x80 [ 120.050526][ T5932] kmem_cache_alloc_noprof+0x1c1/0x3c0 [ 120.056365][ T5932] getname_flags+0xb8/0x540 [ 120.061338][ T5932] do_sys_openat2+0xbc/0x1c0 [ 120.066230][ T5932] __x64_sys_openat+0x138/0x170 [ 120.071278][ T5932] do_syscall_64+0xfa/0x3b0 [ 120.075822][ T5932] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 120.081913][ T5932] [ 120.084534][ T5932] Memory state around the buggy address: [ 120.091114][ T5932] ffff88807e517780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 120.100357][ T5932] ffff88807e517800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 120.109756][ T5932] >ffff88807e517880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 120.117890][ T5932] ^ [ 120.123030][ T5932] ffff88807e517900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 120.131836][ T5932] ffff88807e517980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc [ 120.140716][ T5932] ================================================================== [ 120.149183][ T5932] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 120.157184][ T5932] CPU: 0 UID: 0 PID: 5932 Comm: syz-executor240 Not tainted 6.16.0-next-20250804-syzkaller #0 PREEMPT(full) [ 120.170177][ T5932] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 120.181697][ T5932] Call Trace: [ 120.185512][ T5932] [ 120.189467][ T5932] dump_stack_lvl+0x99/0x250 [ 120.195524][ T5932] ? __asan_memcpy+0x40/0x70 [ 120.200985][ T5932] ? __pfx_dump_stack_lvl+0x10/0x10 [ 120.206975][ T5932] ? __pfx__printk+0x10/0x10 [ 120.212017][ T5932] vpanic+0x281/0x750 [ 120.216550][ T5932] ? __pfx_print_hex_dump+0x10/0x10 [ 120.222480][ T5932] ? __pfx_vpanic+0x10/0x10 [ 120.227254][ T5932] panic+0xb9/0xc0 [ 120.231501][ T5932] ? __pfx_panic+0x10/0x10 [ 120.236920][ T5932] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 120.243908][ T5932] ? lru_add+0x25f/0xd80 [ 120.248947][ T5932] check_panic_on_warn+0x89/0xb0 [ 120.255187][ T5932] ? lru_add+0x25f/0xd80 [ 120.260077][ T5932] end_report+0x78/0x160 [ 120.265327][ T5932] kasan_report+0x129/0x150 [ 120.270060][ T5932] ? lru_add+0x25f/0xd80 [ 120.275526][ T5932] kasan_check_range+0x2b0/0x2c0 [ 120.280670][ T5932] lru_add+0x25f/0xd80 [ 120.285577][ T5932] ? lru_add+0x198/0xd80 [ 120.290133][ T5932] folio_batch_move_lru+0x21b/0x3a0 [ 120.296541][ T5932] ? xas_store+0xf3e/0x1880 [ 120.302567][ T5932] ? __pfx_lru_add+0x10/0x10 [ 120.307444][ T5932] ? __pfx_folio_batch_move_lru+0x10/0x10 [ 120.313924][ T5932] ? xas_clear_mark+0x2d6/0x530 [ 120.319179][ T5932] lru_add_drain_cpu+0x119/0x880 [ 120.324662][ T5932] ? lru_add_drain+0x79/0x3e0 [ 120.329643][ T5932] ? __pfx_lru_add_drain_cpu+0x10/0x10 [ 120.335649][ T5932] ? lru_add_drain+0x79/0x3e0 [ 120.340985][ T5932] ? lru_add_drain+0x79/0x3e0 [ 120.346457][ T5932] lru_add_drain+0x122/0x3e0 [ 120.352055][ T5932] __folio_batch_release+0x48/0x90 [ 120.358257][ T5932] shmem_undo_range+0x49e/0x14b0 [ 120.363690][ T5932] ? __kernel_text_address+0xd/0x40 [ 120.369660][ T5932] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 120.376871][ T5932] ? arch_stack_walk+0xfc/0x150 [ 120.384109][ T5932] ? __pfx_shmem_undo_range+0x10/0x10 [ 120.391019][ T5932] ? unwind_get_return_address+0x4d/0x90 [ 120.398716][ T5932] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 120.409099][ T5932] ? arch_stack_walk+0xfc/0x150 [ 120.415382][ T5932] shmem_evict_inode+0x272/0xa70 [ 120.422270][ T5932] ? inode_wait_for_writeback+0xf9/0x290 [ 120.430056][ T5932] ? __pfx_shmem_evict_inode+0x10/0x10 [ 120.437692][ T5932] ? __pfx_inode_wait_for_writeback+0x10/0x10 [ 120.444192][ T5932] ? do_raw_spin_unlock+0x122/0x240 [ 120.449863][ T5932] ? __pfx_shmem_evict_inode+0x10/0x10 [ 120.455787][ T5932] evict+0x504/0x9c0 [ 120.459973][ T5932] ? __pfx_evict+0x10/0x10 [ 120.464885][ T5932] ? do_raw_spin_unlock+0x122/0x240 [ 120.470834][ T5932] ? _raw_spin_unlock+0x28/0x50 [ 120.476516][ T5932] ? iput+0x6d8/0x9d0 [ 120.480795][ T5932] __dentry_kill+0x209/0x660 [ 120.485764][ T5932] ? dput+0x37/0x2b0 [ 120.489794][ T5932] dput+0x19f/0x2b0 [ 120.494325][ T5932] __fput+0x68e/0xa70 [ 120.498893][ T5932] task_work_run+0x1d4/0x260 [ 120.504119][ T5932] ? __pfx_task_work_run+0x10/0x10 [ 120.509865][ T5932] ptrace_notify+0x281/0x2c0 [ 120.514676][ T5932] ? __pfx_ptrace_notify+0x10/0x10 [ 120.519891][ T5932] ? fput_close_sync+0x119/0x200 [ 120.525017][ T5932] ? __pfx_fput_close_sync+0x10/0x10 [ 120.530551][ T5932] syscall_exit_work+0xc6/0x1d0 [ 120.535732][ T5932] do_syscall_64+0x2ad/0x3b0 [ 120.540465][ T5932] ? lockdep_hardirqs_on+0x9c/0x150 [ 120.545685][ T5932] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 120.551895][ T5932] ? clear_bhb_loop+0x60/0xb0 [ 120.556696][ T5932] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 120.562689][ T5932] RIP: 0033:0x7f575cc3f840 [ 120.567317][ T5932] Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 80 3d 41 d8 09 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c [ 120.588077][ T5932] RSP: 002b:00007ffd8687bd78 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 120.597795][ T5932] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007f575cc3f840 [ 120.606446][ T5932] RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000003 [ 120.614772][ T5932] RBP: 0000000000000003 R08: 00007ffd8687be00 R09: 00007ffd8687be00 [ 120.622853][ T5932] R10: 0000000000000000 R11: 0000000000000202 R12: 0000200000000400 [ 120.630843][ T5932] R13: 00007ffd8687be00 R14: 00000000000125bb R15: 0000200000000180 [ 120.639555][ T5932] [ 121.778892][ T5932] Shutting down cpus with NMI [ 121.784815][ T5932] Kernel Offset: disabled [ 121.789879][ T5932] Rebooting in 86400 seconds..