./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1891277988 <...> Warning: Permanently added '10.128.1.64' (ED25519) to the list of known hosts. execve("./syz-executor1891277988", ["./syz-executor1891277988"], 0x7fff6132abb0 /* 10 vars */) = 0 brk(NULL) = 0x555556324000 brk(0x555556324d00) = 0x555556324d00 arch_prctl(ARCH_SET_FS, 0x555556324380) = 0 set_tid_address(0x555556324650) = 5030 set_robust_list(0x555556324660, 24) = 0 rseq(0x555556324ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1891277988", 4096) = 28 getrandom("\x7c\x2f\xf0\xc3\xee\xe7\x7d\xb7", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555556324d00 brk(0x555556345d00) = 0x555556345d00 brk(0x555556346000) = 0x555556346000 mprotect(0x7fe44fc1a000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.WIaPnD", 0700) = 0 chmod("./syzkaller.WIaPnD", 0777) = 0 chdir("./syzkaller.WIaPnD") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5031 attached , child_tidptr=0x555556324650) = 5031 [pid 5031] set_robust_list(0x555556324660, 24) = 0 [pid 5031] chdir("./0") = 0 [pid 5031] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5031] setpgid(0, 0) = 0 [pid 5031] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5031] write(3, "1000", 4) = 4 [pid 5031] close(3) = 0 [pid 5031] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5031] memfd_create("syzkaller", 0) = 3 [pid 5031] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 syzkaller login: [ 65.549852][ T5031] syz-executor189[5031]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set [pid 5031] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5031] munmap(0x7fe447755000, 16777216) = 0 [pid 5031] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5031] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5031] close(3) = 0 [pid 5031] mkdir("./file0", 0777) = 0 [ 65.799845][ T5031] loop0: detected capacity change from 0 to 32768 [ 65.814381][ T5031] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 65.826636][ T5031] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 65.845147][ T5031] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 65.857564][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 65.865973][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5031] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5031] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5031] ioctl(4, LOOP_CLR_FD) = 0 [pid 5031] close(4) = 0 [pid 5031] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5031] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5031] exit_group(0) = ? [pid 5031] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5031, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=26 /* 0.26 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 [ 65.908505][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 42ms [ 65.917950][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 65.924120][ T5031] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555632d730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55555632d730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file0") = 0 getdents64(3, 0x5555563256f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556324650) = 5034 ./strace-static-x86_64: Process 5034 attached [pid 5034] set_robust_list(0x555556324660, 24) = 0 [pid 5034] chdir("./1") = 0 [pid 5034] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5034] setpgid(0, 0) = 0 [pid 5034] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5034] write(3, "1000", 4) = 4 [pid 5034] close(3) = 0 [pid 5034] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5034] memfd_create("syzkaller", 0) = 3 [pid 5034] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 [pid 5034] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5034] munmap(0x7fe447755000, 16777216) = 0 [pid 5034] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5034] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5034] close(3) = 0 [pid 5034] mkdir("./file0", 0777) = 0 [ 66.335798][ T5034] loop0: detected capacity change from 0 to 32768 [ 66.348238][ T5034] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 66.358043][ T5034] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 66.369676][ T5034] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 66.380021][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 66.387775][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5034] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5034] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5034] ioctl(4, LOOP_CLR_FD) = 0 [pid 5034] close(4) = 0 [pid 5034] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5034] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5034] exit_group(0) = ? [pid 5034] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5034, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=23 /* 0.23 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 [ 66.429607][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 41ms [ 66.438537][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 66.444505][ T5034] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555632d730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55555632d730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file0") = 0 getdents64(3, 0x5555563256f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5036 attached , child_tidptr=0x555556324650) = 5036 [pid 5036] set_robust_list(0x555556324660, 24) = 0 [pid 5036] chdir("./2") = 0 [pid 5036] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5036] setpgid(0, 0) = 0 [pid 5036] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5036] write(3, "1000", 4) = 4 [pid 5036] close(3) = 0 [pid 5036] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5036] memfd_create("syzkaller", 0) = 3 [pid 5036] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 [pid 5036] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5036] munmap(0x7fe447755000, 16777216) = 0 [pid 5036] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5036] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5036] close(3) = 0 [pid 5036] mkdir("./file0", 0777) = 0 [ 66.850619][ T5036] loop0: detected capacity change from 0 to 32768 [ 66.861980][ T5036] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 66.872027][ T5036] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 66.883508][ T5036] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 66.893316][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 66.901069][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5036] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5036] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5036] ioctl(4, LOOP_CLR_FD) = 0 [pid 5036] close(4) = 0 [pid 5036] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5036] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5036] exit_group(0) = ? [pid 5036] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5036, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=23 /* 0.23 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 [ 66.941685][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 40ms [ 66.950014][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 66.955965][ T5036] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555632d730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55555632d730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file0") = 0 getdents64(3, 0x5555563256f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556324650) = 5038 ./strace-static-x86_64: Process 5038 attached [pid 5038] set_robust_list(0x555556324660, 24) = 0 [pid 5038] chdir("./3") = 0 [pid 5038] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5038] setpgid(0, 0) = 0 [pid 5038] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5038] write(3, "1000", 4) = 4 [pid 5038] close(3) = 0 [pid 5038] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5038] memfd_create("syzkaller", 0) = 3 [pid 5038] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 [pid 5038] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5038] munmap(0x7fe447755000, 16777216) = 0 [pid 5038] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5038] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5038] close(3) = 0 [pid 5038] mkdir("./file0", 0777) = 0 [ 67.351454][ T5038] loop0: detected capacity change from 0 to 32768 [ 67.363959][ T5038] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 67.374018][ T5038] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 67.388545][ T5038] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 67.398452][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 67.405938][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5038] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5038] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5038] ioctl(4, LOOP_CLR_FD) = 0 [pid 5038] close(4) = 0 [pid 5038] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5038] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5038] exit_group(0) = ? [pid 5038] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5038, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=24 /* 0.24 s */} --- umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 [ 67.448503][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 42ms [ 67.457850][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 67.464184][ T5038] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555632d730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55555632d730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file0") = 0 getdents64(3, 0x5555563256f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556324650) = 5041 ./strace-static-x86_64: Process 5041 attached [pid 5041] set_robust_list(0x555556324660, 24) = 0 [pid 5041] chdir("./4") = 0 [pid 5041] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5041] setpgid(0, 0) = 0 [pid 5041] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5041] write(3, "1000", 4) = 4 [pid 5041] close(3) = 0 [pid 5041] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5041] memfd_create("syzkaller", 0) = 3 [pid 5041] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 [pid 5041] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5041] munmap(0x7fe447755000, 16777216) = 0 [pid 5041] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5041] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5041] close(3) = 0 [pid 5041] mkdir("./file0", 0777) = 0 [ 67.855189][ T5041] loop0: detected capacity change from 0 to 32768 [ 67.867505][ T5041] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 67.877559][ T5041] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 67.889390][ T5041] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 67.900392][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 67.908148][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5041] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5041] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5041] ioctl(4, LOOP_CLR_FD) = 0 [pid 5041] close(4) = 0 [pid 5041] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5041] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5041] exit_group(0) = ? [pid 5041] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5041, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=24 /* 0.24 s */} --- umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 [ 67.949798][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 41ms [ 67.958247][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 67.964605][ T5041] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555632d730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55555632d730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file0") = 0 getdents64(3, 0x5555563256f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5043 attached , child_tidptr=0x555556324650) = 5043 [pid 5043] set_robust_list(0x555556324660, 24) = 0 [pid 5043] chdir("./5") = 0 [pid 5043] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5043] setpgid(0, 0) = 0 [pid 5043] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5043] write(3, "1000", 4) = 4 [pid 5043] close(3) = 0 [pid 5043] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5043] memfd_create("syzkaller", 0) = 3 [pid 5043] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 [pid 5043] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5043] munmap(0x7fe447755000, 16777216) = 0 [pid 5043] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5043] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5043] close(3) = 0 [pid 5043] mkdir("./file0", 0777) = 0 [ 68.362611][ T5043] loop0: detected capacity change from 0 to 32768 [ 68.375869][ T5043] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 68.386030][ T5043] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 68.398167][ T5043] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 68.408427][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 68.416254][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5043] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5043] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5043] ioctl(4, LOOP_CLR_FD) = 0 [pid 5043] close(4) = 0 [pid 5043] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5043] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5043] exit_group(0) = ? [pid 5043] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5043, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=26 /* 0.26 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/binderfs") = 0 [ 68.458225][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 41ms [ 68.469439][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 68.475910][ T5043] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555632d730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55555632d730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file0") = 0 getdents64(3, 0x5555563256f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5046 attached , child_tidptr=0x555556324650) = 5046 [pid 5046] set_robust_list(0x555556324660, 24) = 0 [pid 5046] chdir("./6") = 0 [pid 5046] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5046] setpgid(0, 0) = 0 [pid 5046] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5046] write(3, "1000", 4) = 4 [pid 5046] close(3) = 0 [pid 5046] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5046] memfd_create("syzkaller", 0) = 3 [pid 5046] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 [pid 5046] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5046] munmap(0x7fe447755000, 16777216) = 0 [pid 5046] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5046] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5046] close(3) = 0 [pid 5046] mkdir("./file0", 0777) = 0 [ 68.881658][ T5046] loop0: detected capacity change from 0 to 32768 [ 68.892601][ T5046] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 68.903382][ T5046] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 68.913945][ T5046] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 68.923640][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 68.931445][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5046] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5046] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5046] ioctl(4, LOOP_CLR_FD) = 0 [pid 5046] close(4) = 0 [pid 5046] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5046] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5046] exit_group(0) = ? [pid 5046] +++ exited with 0 +++ [ 68.972624][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 41ms [ 68.983181][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 68.989575][ T5046] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5046, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=25 /* 0.25 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/binderfs") = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555632d730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55555632d730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file0") = 0 getdents64(3, 0x5555563256f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556324650) = 5048 ./strace-static-x86_64: Process 5048 attached [pid 5048] set_robust_list(0x555556324660, 24) = 0 [pid 5048] chdir("./7") = 0 [pid 5048] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5048] setpgid(0, 0) = 0 [pid 5048] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5048] write(3, "1000", 4) = 4 [pid 5048] close(3) = 0 [pid 5048] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5048] memfd_create("syzkaller", 0) = 3 [pid 5048] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 [pid 5048] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5048] munmap(0x7fe447755000, 16777216) = 0 [pid 5048] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5048] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5048] close(3) = 0 [pid 5048] mkdir("./file0", 0777) = 0 [ 69.407258][ T5048] loop0: detected capacity change from 0 to 32768 [ 69.421648][ T5048] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 69.431976][ T5048] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 69.444781][ T5048] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 69.455079][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 69.463609][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5048] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5048] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5048] ioctl(4, LOOP_CLR_FD) = 0 [pid 5048] close(4) = 0 [pid 5048] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5048] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5048] exit_group(0) = ? [pid 5048] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5048, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=25 /* 0.25 s */} --- umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/binderfs") = 0 [ 69.505171][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 41ms [ 69.515646][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 69.522403][ T5048] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555632d730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55555632d730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./7/file0") = 0 getdents64(3, 0x5555563256f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556324650) = 5050 ./strace-static-x86_64: Process 5050 attached [pid 5050] set_robust_list(0x555556324660, 24) = 0 [pid 5050] chdir("./8") = 0 [pid 5050] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5050] setpgid(0, 0) = 0 [pid 5050] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5050] write(3, "1000", 4) = 4 [pid 5050] close(3) = 0 [pid 5050] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5050] memfd_create("syzkaller", 0) = 3 [pid 5050] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 [pid 5050] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5050] munmap(0x7fe447755000, 16777216) = 0 [pid 5050] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5050] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5050] close(3) = 0 [pid 5050] mkdir("./file0", 0777) = 0 [ 69.929376][ T5050] loop0: detected capacity change from 0 to 32768 [ 69.942363][ T5050] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 69.954737][ T5050] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 69.967561][ T5050] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 69.977336][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 69.984842][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5050] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5050] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5050] ioctl(4, LOOP_CLR_FD) = 0 [pid 5050] close(4) = 0 [pid 5050] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5050] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5050] exit_group(0) = ? [pid 5050] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5050, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=25 /* 0.25 s */} --- umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/binderfs") = 0 [ 70.024957][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 40ms [ 70.035597][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 70.042554][ T5050] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555632d730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55555632d730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./8/file0") = 0 getdents64(3, 0x5555563256f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./8") = 0 mkdir("./9", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5052 attached [pid 5052] set_robust_list(0x555556324660, 24) = 0 [pid 5052] chdir("./9") = 0 [pid 5052] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5052] setpgid(0, 0) = 0 [pid 5052] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5052] write(3, "1000", 4) = 4 [pid 5052] close(3) = 0 [pid 5052] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5052] memfd_create("syzkaller", 0) = 3 [pid 5030] <... clone resumed>, child_tidptr=0x555556324650) = 5052 [pid 5052] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 [pid 5052] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5052] munmap(0x7fe447755000, 16777216) = 0 [pid 5052] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5052] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5052] close(3) = 0 [pid 5052] mkdir("./file0", 0777) = 0 [ 70.457961][ T5052] loop0: detected capacity change from 0 to 32768 [ 70.476620][ T5052] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 70.486437][ T5052] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 70.498381][ T5052] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 70.508661][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 70.516134][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5052] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5052] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5052] ioctl(4, LOOP_CLR_FD) = 0 [pid 5052] close(4) = 0 [pid 5052] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5052] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5052] exit_group(0) = ? [pid 5052] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5052, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=25 /* 0.25 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./9", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./9/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/binderfs") = 0 [ 70.558021][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 41ms [ 70.567759][ T23] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 70.573846][ T5052] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555632d730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55555632d730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./9/file0") = 0 getdents64(3, 0x5555563256f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./9") = 0 mkdir("./10", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556324650) = 5055 ./strace-static-x86_64: Process 5055 attached [pid 5055] set_robust_list(0x555556324660, 24) = 0 [pid 5055] chdir("./10") = 0 [pid 5055] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5055] setpgid(0, 0) = 0 [pid 5055] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5055] write(3, "1000", 4) = 4 [pid 5055] close(3) = 0 [pid 5055] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5055] memfd_create("syzkaller", 0) = 3 [pid 5055] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe447755000 [pid 5055] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5055] munmap(0x7fe447755000, 16777216) = 0 [pid 5055] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5055] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5055] close(3) = 0 [pid 5055] mkdir("./file0", 0777) = 0 [ 70.975693][ T5055] loop0: detected capacity change from 0 to 32768 [ 70.987190][ T5055] gfs2: fsid=„½%b­i’~N-SS“: Trying to join cluster "lock_nolock", "„½%b­i’~N-SS“" [ 70.996773][ T5055] gfs2: fsid=„½%b­i’~N-SS“: Now mounting FS (format 1801)... [ 71.008496][ T5055] gfs2: fsid=„½%b­i’~N-SS“.0: journal 0 mapped with 18 extents in 0ms [ 71.018695][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0, already locked for use [ 71.026188][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Looking at journal... [pid 5055] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0 [pid 5055] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5055] ioctl(4, LOOP_CLR_FD) = 0 [pid 5055] close(4) = 0 [pid 5055] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, {dqb_bhardlimit=0, dqb_bsoftlimit=0, dqb_curspace=4096, dqb_ihardlimit=0, dqb_isoftlimit=0, dqb_curinodes=0, ...}) = 0 [pid 5055] open("./file0", O_RDONLY|O_NONBLOCK) = 4 [pid 5055] exit_group(0) = ? [pid 5055] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5055, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=24 /* 0.24 s */} --- umount2("./10", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563256f0 /* 4 entries */, 32768) = 112 umount2("./10/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/binderfs") = 0 [ 71.074691][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Journal head lookup took 48ms [ 71.084544][ T779] gfs2: fsid=„½%b­i’~N-SS“.0: jid=0: Done [ 71.091452][ T5055] gfs2: fsid=„½%b­i’~N-SS“.0: first mount done, others may mount [ 71.167408][ C0] ================================================================== [ 71.175666][ C0] BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x83/0xf0 [ 71.183276][ C0] Write of size 4 at addr ffff888025754a78 by task ksoftirqd/0/16 [ 71.191194][ C0] [ 71.193554][ C0] CPU: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.6.0-rc3-syzkaller #0 [ 71.201980][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 71.212407][ C0] Call Trace: [ 71.215709][ C0] [ 71.218653][ C0] dump_stack_lvl+0x1e7/0x2d0 [ 71.223352][ C0] ? nf_tcp_handle_invalid+0x650/0x650 [ 71.229003][ C0] ? panic+0x770/0x770 [ 71.233095][ C0] ? _printk+0xd5/0x120 [ 71.237276][ C0] print_report+0x163/0x540 [ 71.241805][ C0] ? print_irqtrace_events+0x220/0x220 [ 71.247279][ C0] ? __virt_addr_valid+0x22f/0x2e0 [ 71.252409][ C0] ? __phys_addr+0xba/0x170 [ 71.257029][ C0] ? gfs2_qd_dealloc+0x83/0xf0 [ 71.261824][ C0] kasan_report+0x175/0x1b0 [ 71.266356][ C0] ? gfs2_qd_dealloc+0x83/0xf0 [ 71.271167][ C0] kasan_check_range+0x27e/0x290 [ 71.276124][ C0] gfs2_qd_dealloc+0x83/0xf0 [ 71.280742][ C0] ? gfs2_qd_dispose+0x5b0/0x5b0 [ 71.285755][ C0] ? rcu_core+0xa61/0x1790 [ 71.290212][ C0] rcu_core+0xacf/0x1790 [ 71.294484][ C0] ? rcu_cpu_kthread_park+0x90/0x90 [ 71.299776][ C0] ? rcu_qs+0xf1/0x190 [ 71.303934][ C0] ? rcu_softirq_qs+0x2f0/0x2f0 [ 71.308803][ C0] ? sched_clock+0x4a/0x60 [ 71.313914][ C0] ? sched_clock_cpu+0x76/0x490 [ 71.318771][ C0] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0 [ 71.324743][ C0] ? print_irqtrace_events+0x220/0x220 [ 71.330299][ C0] __do_softirq+0x2ab/0x908 [ 71.335591][ C0] ? run_ksoftirqd+0xc5/0x120 [ 71.340272][ C0] ? __lock_text_end+0xc/0xc [ 71.344865][ C0] run_ksoftirqd+0xc5/0x120 [ 71.349371][ C0] ? ksoftirqd_should_run+0x20/0x20 [ 71.354579][ C0] ? ksoftirqd_should_run+0x20/0x20 [ 71.359864][ C0] smpboot_thread_fn+0x530/0x9f0 [ 71.365109][ C0] ? smpboot_thread_fn+0x4e/0x9f0 [ 71.370244][ C0] kthread+0x2d3/0x370 [ 71.374407][ C0] ? smpboot_unregister_percpu_thread+0x130/0x130 [ 71.380827][ C0] ? kthread_blkcg+0xd0/0xd0 [ 71.385419][ C0] ret_from_fork+0x48/0x80 [ 71.389832][ C0] ? kthread_blkcg+0xd0/0xd0 [ 71.394421][ C0] ret_from_fork_asm+0x11/0x20 [ 71.399187][ C0] [ 71.402202][ C0] [ 71.404513][ C0] Allocated by task 5055: [ 71.408876][ C0] kasan_set_track+0x4f/0x70 [ 71.414006][ C0] __kasan_kmalloc+0x98/0xb0 [ 71.418589][ C0] gfs2_fill_super+0x136/0x26c0 [ 71.423435][ C0] get_tree_bdev+0x416/0x5b0 [ 71.428051][ C0] gfs2_get_tree+0x54/0x210 [ 71.433282][ C0] vfs_get_tree+0x8c/0x280 [ 71.437709][ C0] do_new_mount+0x28f/0xae0 [ 71.442223][ C0] __se_sys_mount+0x2d9/0x3c0 [ 71.446911][ C0] do_syscall_64+0x41/0xc0 [ 71.451337][ C0] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 71.457246][ C0] [ 71.459560][ C0] Freed by task 5030: [ 71.463527][ C0] kasan_set_track+0x4f/0x70 [ 71.468114][ C0] kasan_save_free_info+0x28/0x40 [ 71.473227][ C0] ____kasan_slab_free+0xd6/0x120 [ 71.478266][ C0] __kmem_cache_free+0x25f/0x3b0 [ 71.483916][ C0] generic_shutdown_super+0x13a/0x2c0 [ 71.489412][ C0] kill_block_super+0x41/0x70 [ 71.494114][ C0] deactivate_locked_super+0xa4/0x110 [ 71.499629][ C0] cleanup_mnt+0x426/0x4c0 [ 71.504075][ C0] task_work_run+0x24a/0x300 [ 71.508776][ C0] ptrace_notify+0x2cd/0x380 [ 71.513364][ C0] syscall_exit_to_user_mode+0x15c/0x280 [ 71.519131][ C0] do_syscall_64+0x4d/0xc0 [ 71.524578][ C0] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 71.530463][ C0] [ 71.532776][ C0] The buggy address belongs to the object at ffff888025754000 [ 71.532776][ C0] which belongs to the cache kmalloc-8k of size 8192 [ 71.546820][ C0] The buggy address is located 2680 bytes inside of [ 71.546820][ C0] freed 8192-byte region [ffff888025754000, ffff888025756000) [ 71.561133][ C0] [ 71.563448][ C0] The buggy address belongs to the physical page: [ 71.569847][ C0] page:ffffea000095d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25750 [ 71.580007][ C0] head:ffffea000095d400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 71.589236][ C0] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 71.597237][ C0] page_type: 0xffffffff() [ 71.601592][ C0] raw: 00fff00000000840 ffff888012842280 ffffea0000952e00 0000000000000002 [ 71.610286][ C0] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 [ 71.619598][ C0] page dumped because: kasan: bad access detected [ 71.626097][ C0] page_owner tracks the page as allocated [ 71.631825][ C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4714, tgid 4714 (dhcpcd-run-hook), ts 36549622906, free_ts 36548101490 [ 71.652752][ C0] post_alloc_hook+0x1e6/0x210 [ 71.657520][ C0] get_page_from_freelist+0x31db/0x3360 [ 71.663077][ C0] __alloc_pages+0x255/0x670 [ 71.667664][ C0] alloc_slab_page+0x6a/0x160 [ 71.672334][ C0] new_slab+0x84/0x2f0 [ 71.676397][ C0] ___slab_alloc+0xc85/0x1310 [ 71.681345][ C0] __kmem_cache_alloc_node+0x1af/0x270 [ 71.686936][ C0] kmalloc_trace+0x2a/0xe0 [ 71.691684][ C0] tomoyo_init_log+0x11cd/0x2040 [ 71.696776][ C0] tomoyo_supervisor+0x386/0x11f0 [ 71.702002][ C0] tomoyo_env_perm+0x178/0x210 [ 71.706788][ C0] tomoyo_find_next_domain+0x1383/0x1cf0 [ 71.712431][ C0] tomoyo_bprm_check_security+0x114/0x170 [ 71.718168][ C0] security_bprm_check+0x63/0xa0 [ 71.723111][ C0] bprm_execve+0x8c7/0x17c0 [ 71.727783][ C0] do_execveat_common+0x580/0x720 [ 71.732796][ C0] page last free stack trace: [ 71.737559][ C0] free_unref_page_prepare+0x8c3/0x9f0 [ 71.743018][ C0] free_unref_page+0x37/0x3f0 [ 71.748130][ C0] __unfreeze_partials+0x1dc/0x220 [ 71.753243][ C0] put_cpu_partial+0x17b/0x250 [ 71.758084][ C0] __slab_free+0x2b6/0x390 [ 71.762489][ C0] qlist_free_all+0x75/0xe0 [ 71.767111][ C0] kasan_quarantine_reduce+0x14b/0x160 [ 71.772564][ C0] __kasan_slab_alloc+0x23/0x70 [ 71.777507][ C0] slab_post_alloc_hook+0x67/0x3d0 [ 71.782871][ C0] __kmem_cache_alloc_node+0x141/0x270 [ 71.788318][ C0] __kmalloc+0xa8/0x230 [ 71.792990][ C0] tomoyo_supervisor+0xe06/0x11f0 [ 71.798280][ C0] tomoyo_env_perm+0x178/0x210 [ 71.803124][ C0] tomoyo_find_next_domain+0x1383/0x1cf0 [ 71.808775][ C0] tomoyo_bprm_check_security+0x114/0x170 [ 71.814496][ C0] security_bprm_check+0x63/0xa0 [ 71.819532][ C0] [ 71.821844][ C0] Memory state around the buggy address: [ 71.827460][ C0] ffff888025754900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.835670][ C0] ffff888025754980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.844328][ C0] >ffff888025754a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.852388][ C0] ^ [ 71.861920][ C0] ffff888025754a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.869975][ C0] ffff888025754b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.879088][ C0] ================================================================== [ 71.887282][ C0] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 71.894763][ C0] CPU: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.6.0-rc3-syzkaller #0 [ 71.903039][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 [ 71.913117][ C0] Call Trace: [ 71.916417][ C0] [ 71.919362][ C0] dump_stack_lvl+0x1e7/0x2d0 [ 71.924172][ C0] ? nf_tcp_handle_invalid+0x650/0x650 [ 71.929674][ C0] ? panic+0x770/0x770 [ 71.933859][ C0] ? vscnprintf+0x5d/0x80 [ 71.938394][ C0] panic+0x30f/0x770 [ 71.942351][ C0] ? check_panic_on_warn+0x21/0xa0 [ 71.947586][ C0] ? __memcpy_flushcache+0x2b0/0x2b0 [ 71.952908][ C0] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 71.959025][ C0] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 71.965023][ C0] ? _raw_spin_unlock+0x40/0x40 [ 71.969879][ C0] ? print_report+0x4fb/0x540 [ 71.974589][ C0] check_panic_on_warn+0x82/0xa0 [ 71.979643][ C0] ? gfs2_qd_dealloc+0x83/0xf0 [ 71.984424][ C0] end_report+0x6e/0x130 [ 71.988683][ C0] kasan_report+0x186/0x1b0 [ 71.993188][ C0] ? gfs2_qd_dealloc+0x83/0xf0 [ 71.998049][ C0] kasan_check_range+0x27e/0x290 [ 72.002992][ C0] gfs2_qd_dealloc+0x83/0xf0 [ 72.007583][ C0] ? gfs2_qd_dispose+0x5b0/0x5b0 [ 72.012563][ C0] ? rcu_core+0xa61/0x1790 [ 72.016996][ C0] rcu_core+0xacf/0x1790 [ 72.021341][ C0] ? rcu_cpu_kthread_park+0x90/0x90 [ 72.026552][ C0] ? rcu_qs+0xf1/0x190 [ 72.030797][ C0] ? rcu_softirq_qs+0x2f0/0x2f0 [ 72.035660][ C0] ? sched_clock+0x4a/0x60 [ 72.040073][ C0] ? sched_clock_cpu+0x76/0x490 [ 72.044930][ C0] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0 [ 72.051018][ C0] ? print_irqtrace_events+0x220/0x220 [ 72.056475][ C0] __do_softirq+0x2ab/0x908 [ 72.060982][ C0] ? run_ksoftirqd+0xc5/0x120 [ 72.065663][ C0] ? __lock_text_end+0xc/0xc [ 72.070256][ C0] run_ksoftirqd+0xc5/0x120 [ 72.074778][ C0] ? ksoftirqd_should_run+0x20/0x20 [ 72.080002][ C0] ? ksoftirqd_should_run+0x20/0x20 [ 72.085212][ C0] smpboot_thread_fn+0x530/0x9f0 [ 72.090153][ C0] ? smpboot_thread_fn+0x4e/0x9f0 [ 72.095180][ C0] kthread+0x2d3/0x370 [ 72.099243][ C0] ? smpboot_unregister_percpu_thread+0x130/0x130 [ 72.106091][ C0] ? kthread_blkcg+0xd0/0xd0 [ 72.110681][ C0] ret_from_fork+0x48/0x80 [ 72.115093][ C0] ? kthread_blkcg+0xd0/0xd0 [ 72.119700][ C0] ret_from_fork_asm+0x11/0x20 [ 72.124560][ C0] [ 72.127873][ C0] Kernel Offset: disabled [ 72.132187][ C0] Rebooting in 86400 seconds..