./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2979356367 <...> Warning: Permanently added '10.128.0.187' (ED25519) to the list of known hosts. execve("./syz-executor2979356367", ["./syz-executor2979356367"], 0x7ffe248017b0 /* 10 vars */) = 0 brk(NULL) = 0x555571b99000 brk(0x555571b99d00) = 0x555571b99d00 arch_prctl(ARCH_SET_FS, 0x555571b99380) = 0 set_tid_address(0x555571b99650) = 5077 set_robust_list(0x555571b99660, 24) = 0 rseq(0x555571b99ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2979356367", 4096) = 28 getrandom("\x5c\x50\x97\x9e\x05\x7d\xba\x55", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555571b99d00 brk(0x555571bbad00) = 0x555571bbad00 brk(0x555571bbb000) = 0x555571bbb000 mprotect(0x7fd257380000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555571b99650) = 5078 ./strace-static-x86_64: Process 5078 attached [pid 5077] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5078] set_robust_list(0x555571b99660, 24) = 0 ./strace-static-x86_64: Process 5079 attached [pid 5078] mkdir("./syzkaller.ctgA3Y", 0700 [pid 5077] <... clone resumed>, child_tidptr=0x555571b99650) = 5079 [pid 5079] set_robust_list(0x555571b99660, 24) = 0 [pid 5077] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5079] mkdir("./syzkaller.zYaWBT", 0700 [pid 5078] <... mkdir resumed>) = 0 ./strace-static-x86_64: Process 5080 attached [pid 5079] <... mkdir resumed>) = 0 [pid 5080] set_robust_list(0x555571b99660, 24 [pid 5078] chmod("./syzkaller.ctgA3Y", 0777 [pid 5077] <... clone resumed>, child_tidptr=0x555571b99650) = 5080 [pid 5079] chmod("./syzkaller.zYaWBT", 0777 [pid 5077] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5080] <... set_robust_list resumed>) = 0 [pid 5079] <... chmod resumed>) = 0 [pid 5078] <... chmod resumed>) = 0 [pid 5079] chdir("./syzkaller.zYaWBT" [pid 5080] mkdir("./syzkaller.KWWHx4", 0700 [pid 5079] <... chdir resumed>) = 0 [pid 5078] chdir("./syzkaller.ctgA3Y" [pid 5079] mkdir("./0", 0777) = 0 [pid 5078] <... chdir resumed>) = 0 [pid 5077] <... clone resumed>, child_tidptr=0x555571b99650) = 5081 [pid 5078] mkdir("./0", 0777 [pid 5080] <... mkdir resumed>) = 0 ./strace-static-x86_64: Process 5081 attached [pid 5077] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5081] set_robust_list(0x555571b99660, 24 [pid 5080] chmod("./syzkaller.KWWHx4", 0777 [pid 5078] <... mkdir resumed>) = 0 [pid 5079] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5081] <... set_robust_list resumed>) = 0 [pid 5081] mkdir("./syzkaller.Ki8vuV", 0700./strace-static-x86_64: Process 5082 attached ) = 0 [pid 5080] <... chmod resumed>) = 0 [pid 5077] <... clone resumed>, child_tidptr=0x555571b99650) = 5082 [pid 5082] set_robust_list(0x555571b99660, 24) = 0 ./strace-static-x86_64: Process 5083 attached [pid 5082] mkdir("./syzkaller.iLDXEz", 0700 [pid 5080] chdir("./syzkaller.KWWHx4" [pid 5078] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5081] chmod("./syzkaller.Ki8vuV", 0777 [pid 5080] <... chdir resumed>) = 0 [pid 5082] <... mkdir resumed>) = 0 [pid 5081] <... chmod resumed>) = 0 ./strace-static-x86_64: Process 5084 attached [pid 5080] mkdir("./0", 0777 [pid 5083] set_robust_list(0x555571b99660, 24 [pid 5084] set_robust_list(0x555571b99660, 24) = 0 [pid 5081] chdir("./syzkaller.Ki8vuV" [pid 5084] chdir("./0" [pid 5081] <... chdir resumed>) = 0 [pid 5080] <... mkdir resumed>) = 0 [pid 5083] <... set_robust_list resumed>) = 0 [pid 5084] <... chdir resumed>) = 0 [pid 5081] mkdir("./0", 0777 [pid 5083] chdir("./0" [pid 5084] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5082] chmod("./syzkaller.iLDXEz", 0777 [pid 5081] <... mkdir resumed>) = 0 [pid 5080] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5079] <... clone resumed>, child_tidptr=0x555571b99650) = 5083 [pid 5078] <... clone resumed>, child_tidptr=0x555571b99650) = 5084 [pid 5084] <... prctl resumed>) = 0 [pid 5083] <... chdir resumed>) = 0 [pid 5081] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5082] <... chmod resumed>) = 0 ./strace-static-x86_64: Process 5085 attached [pid 5084] setpgid(0, 0 [pid 5083] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5082] chdir("./syzkaller.iLDXEz" [pid 5083] <... prctl resumed>) = 0 [pid 5084] <... setpgid resumed>) = 0 [pid 5084] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5083] setpgid(0, 0 [pid 5082] <... chdir resumed>) = 0 [pid 5080] <... clone resumed>, child_tidptr=0x555571b99650) = 5085 [pid 5083] <... setpgid resumed>) = 0 [pid 5084] <... openat resumed>) = 3 [pid 5083] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5082] mkdir("./0", 0777 [pid 5085] set_robust_list(0x555571b99660, 24./strace-static-x86_64: Process 5086 attached ) = 0 [pid 5083] <... openat resumed>) = 3 [pid 5082] <... mkdir resumed>) = 0 [pid 5084] write(3, "1000", 4 [pid 5086] set_robust_list(0x555571b99660, 24 [pid 5085] chdir("./0" [pid 5083] write(3, "1000", 4 [pid 5082] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5081] <... clone resumed>, child_tidptr=0x555571b99650) = 5086 [pid 5085] <... chdir resumed>) = 0 [pid 5084] <... write resumed>) = 4 [pid 5083] <... write resumed>) = 4 [pid 5083] close(3) = 0 [pid 5086] <... set_robust_list resumed>) = 0 [pid 5085] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5084] close(3 [pid 5083] symlink("/dev/binderfs", "./binderfs" [pid 5085] <... prctl resumed>) = 0 [pid 5084] <... close resumed>) = 0 [pid 5085] setpgid(0, 0 [pid 5084] symlink("/dev/binderfs", "./binderfs" [pid 5085] <... setpgid resumed>) = 0 [pid 5085] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 ./strace-static-x86_64: Process 5087 attached [pid 5086] chdir("./0" [pid 5084] <... symlink resumed>) = 0 [pid 5083] <... symlink resumed>) = 0 [pid 5087] set_robust_list(0x555571b99660, 24 [pid 5086] <... chdir resumed>) = 0 [pid 5085] write(3, "1000", 4 [pid 5084] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294966784, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 5083] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294966784, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 5082] <... clone resumed>, child_tidptr=0x555571b99650) = 5087 [pid 5087] <... set_robust_list resumed>) = 0 [pid 5086] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5085] <... write resumed>) = 4 [pid 5084] <... bpf resumed>) = 3 [pid 5086] <... prctl resumed>) = 0 [pid 5085] close(3 [pid 5087] chdir("./0" [pid 5085] <... close resumed>) = 0 [pid 5083] <... bpf resumed>) = 3 [pid 5086] setpgid(0, 0 [pid 5084] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5083] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5087] <... chdir resumed>) = 0 [pid 5086] <... setpgid resumed>) = 0 [pid 5085] symlink("/dev/binderfs", "./binderfs" [pid 5084] <... bpf resumed>) = -1 EFAULT (Bad address) [pid 5083] <... bpf resumed>) = -1 EFAULT (Bad address) [pid 5087] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5083] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 5087] <... prctl resumed>) = 0 [pid 5086] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5085] <... symlink resumed>) = 0 [pid 5084] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 5083] <... bpf resumed>) = 4 [pid 5087] setpgid(0, 0 [pid 5086] <... openat resumed>) = 3 [pid 5085] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294966784, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 5083] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_drop_inode", prog_fd=4}}, 16 [pid 5087] <... setpgid resumed>) = 0 [pid 5086] write(3, "1000", 4 [pid 5085] <... bpf resumed>) = 3 [pid 5084] <... bpf resumed>) = 4 [pid 5087] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5086] <... write resumed>) = 4 [pid 5087] <... openat resumed>) = 3 [pid 5086] close(3 [pid 5085] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5084] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_drop_inode", prog_fd=4}}, 16 [pid 5083] <... bpf resumed>) = 5 [pid 5087] write(3, "1000", 4 [pid 5086] <... close resumed>) = 0 [pid 5085] <... bpf resumed>) = -1 EFAULT (Bad address) [pid 5084] <... bpf resumed>) = 5 [pid 5083] exit_group(0 [pid 5087] <... write resumed>) = 4 [pid 5086] symlink("/dev/binderfs", "./binderfs" [pid 5085] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 5084] exit_group(0 [pid 5083] <... exit_group resumed>) = ? [pid 5087] close(3 [pid 5084] <... exit_group resumed>) = ? [pid 5087] <... close resumed>) = 0 [pid 5086] <... symlink resumed>) = 0 [pid 5085] <... bpf resumed>) = 4 [pid 5084] +++ exited with 0 +++ [pid 5087] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5086] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294966784, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 5085] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_drop_inode", prog_fd=4}}, 16 [pid 5083] +++ exited with 0 +++ [pid 5087] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294966784, max_entries=4, map_flags=0, inner_map_fd=1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 5086] <... bpf resumed>) = 3 [pid 5078] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5084, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 5087] <... bpf resumed>) = 3 [pid 5078] restart_syscall(<... resuming interrupted clone ...> [pid 5087] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5086] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5079] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5083, si_uid=0, si_status=0, si_utime=0, si_stime=2 /* 0.02 s */} --- [pid 5078] <... restart_syscall resumed>) = 0 [pid 5085] <... bpf resumed>) = 5 [pid 5086] <... bpf resumed>) = -1 EFAULT (Bad address) [pid 5086] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 5085] exit_group(0 [pid 5079] umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 5079] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY [pid 5086] <... bpf resumed>) = 4 [pid 5079] <... openat resumed>) = 3 [pid 5087] <... bpf resumed>) = -1 EFAULT (Bad address) [pid 5085] <... exit_group resumed>) = ? [pid 5079] newfstatat(3, "", [pid 5078] umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW [pid 5079] <... newfstatat resumed>{st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 5087] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 5078] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 5079] getdents64(3, 0x555571b9a6f0 /* 3 entries */, 32768) = 80 [pid 5087] <... bpf resumed>) = 4 [pid 5079] umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW [pid 5078] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY [pid 5087] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_drop_inode", prog_fd=4}}, 16 [pid 5086] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="ext4_drop_inode", prog_fd=4}}, 16 [pid 5085] +++ exited with 0 +++ [pid 5080] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5085, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 5079] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 5079] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 5078] <... openat resumed>) = 3 [pid 5080] umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 5079] unlink("./0/binderfs" [pid 5080] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY [pid 5079] <... unlink resumed>) = 0 [pid 5078] newfstatat(3, "", [pid 5080] <... openat resumed>) = 3 [pid 5080] newfstatat(3, "", [pid 5087] <... bpf resumed>) = 5 [pid 5086] <... bpf resumed>) = 5 [pid 5080] <... newfstatat resumed>{st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 5079] getdents64(3, [pid 5078] <... newfstatat resumed>{st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 5087] exit_group(0 [pid 5086] exit_group(0 [pid 5079] <... getdents64 resumed>0x555571b9a6f0 /* 0 entries */, 32768) = 0 [pid 5078] getdents64(3, [pid 5087] <... exit_group resumed>) = ? [pid 5079] close(3 [pid 5078] <... getdents64 resumed>0x555571b9a6f0 /* 3 entries */, 32768) = 80 [pid 5086] <... exit_group resumed>) = ? [pid 5080] getdents64(3, [pid 5079] <... close resumed>) = 0 [pid 5078] umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW [pid 5080] <... getdents64 resumed>0x555571b9a6f0 /* 3 entries */, 32768) = 80 [pid 5078] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [pid 5079] rmdir("./0" [pid 5080] umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW [pid 5078] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 5080] <... umount2 resumed>) = -1 EINVAL (Invalid argument) [ 74.064860][ T5079] ================================================================== [ 74.072994][ T5079] BUG: KASAN: stack-out-of-bounds in hash+0x1bf/0x410 [ 74.078544][ T5078] BUG: unable to handle page fault for address: ffffc900039e8000 [ 74.079846][ T5079] Read of size 4 at addr ffffc900039f7c00 by task syz-executor297/5079 [ 74.090003][ T5078] #PF: supervisor read access in kernel mode [ 74.098222][ T5079] [ 74.098230][ T5079] CPU: 0 PID: 5079 Comm: syz-executor297 Not tainted 6.8.0-syzkaller-05236-g443574b03387 #0 [ 74.104375][ T5078] #PF: error_code(0x0000) - not-present page [ 74.106704][ T5079] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 74.116746][ T5078] PGD 14c00067 [ 74.122711][ T5079] Call Trace: [ 74.122725][ T5079] [ 74.132757][ T5078] P4D 14c00067 [ 74.136202][ T5079] dump_stack_lvl+0x1e7/0x2e0 [ 74.139475][ T5078] PUD 15ad6067 [ 74.142408][ T5079] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.145845][ T5078] PMD 1ea3f067 [ 74.150514][ T5079] ? __pfx__printk+0x10/0x10 [ 74.153966][ T5078] PTE 0 [ 74.159149][ T5079] ? _printk+0xd5/0x120 [ 74.162601][ T5078] [ 74.162610][ T5078] Oops: 0000 [#1] PREEMPT SMP KASAN PTI [ 74.167196][ T5079] print_report+0x169/0x550 [ 74.169942][ T5078] CPU: 1 PID: 5078 Comm: syz-executor297 Not tainted 6.8.0-syzkaller-05236-g443574b03387 #0 [ 74.174088][ T5079] ? __virt_addr_valid+0xbd/0x520 [ 74.176398][ T5078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 74.181926][ T5079] ? hash+0x1bf/0x410 [ 74.186419][ T5078] RIP: 0010:hash+0xd3/0x410 [ 74.196460][ T5079] kasan_report+0x143/0x180 [ 74.201554][ T5078] Code: ff df 0f b6 04 10 84 c0 0f 85 a7 00 00 00 45 03 6f f4 49 8d 7c 24 04 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 b3 00 00 00 <41> 03 5f f8 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 [ 74.211614][ T5079] ? hash+0x1bf/0x410 [ 74.215576][ T5078] RSP: 0018:ffffc900039e7b38 EFLAGS: 00010286 [ 74.220066][ T5079] hash+0x1bf/0x410 [ 74.224550][ T5078] [ 74.224557][ T5078] RAX: 0000000000000000 RBX: 00000000c5ebd4ee RCX: ffffffff81b5c67b [ 74.244159][ T5079] bloom_map_peek_elem+0xb2/0x1b0 [ 74.248206][ T5078] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc900039e8000 [ 74.254265][ T5079] bpf_prog_00798911c748094f+0x42/0x46 [ 74.258052][ T5078] RBP: 000000004639b97d R08: ffffffff81b5c560 R09: 1ffffffff2598ea0 [ 74.260633][ T5079] bpf_trace_run2+0x204/0x420 [ 74.268590][ T5078] R10: dffffc0000000000 R11: ffffffffa0002194 R12: ffffc900039e7ffc [ 74.273604][ T5079] ? bpf_trace_run2+0x114/0x420 [ 74.281557][ T5078] R13: 00000000b68b7e25 R14: 000000003ffffe78 R15: ffffc900039e8008 [ 74.287002][ T5079] ? __pfx_bpf_trace_run2+0x10/0x10 [ 74.294969][ T5078] FS: 0000555571b99380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 [ 74.299632][ T5079] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 74.307594][ T5078] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 74.312443][ T5079] ? __pfx___bpf_trace_ext4_drop_inode+0x10/0x10 [ 74.320486][ T5078] CR2: ffffc900039e8000 CR3: 0000000075dba000 CR4: 00000000003506f0 [ 74.325678][ T5079] __traceiter_ext4_drop_inode+0x76/0xd0 [ 74.334593][ T5078] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 74.339949][ T5079] ext4_drop_inode+0x20a/0x270 [ 74.346515][ T5078] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 74.352833][ T5079] ? __pfx_ext4_drop_inode+0x10/0x10 [ 74.360801][ T5078] Call Trace: [ 74.360811][ T5078] [ 74.366502][ T5079] iput+0x45e/0x900 [ 74.374479][ T5078] ? __die_body+0x88/0xe0 [ 74.379237][ T5079] vfs_rmdir+0x38f/0x4c0 [ 74.387539][ T5078] ? page_fault_oops+0x817/0xb30 [ 74.392819][ T5079] do_rmdir+0x3b5/0x580 [ 74.396087][ T5078] ? __pfx_validate_chain+0x10/0x10 [ 74.399021][ T5079] ? __pfx_do_rmdir+0x10/0x10 [ 74.402819][ T5078] ? __pfx_page_fault_oops+0x10/0x10 [ 74.407233][ T5079] ? strncpy_from_user+0x1a4/0x2f0 [ 74.411641][ T5078] ? __pfx_validate_chain+0x10/0x10 [ 74.416577][ T5079] __x64_sys_rmdir+0x49/0x60 [ 74.420710][ T5078] ? __pfx_is_prefetch+0x10/0x10 [ 74.425913][ T5079] do_syscall_64+0xfb/0x240 [ 74.430579][ T5078] ? kernelmode_fixup_or_oops+0x20e/0x2b0 [ 74.435849][ T5079] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 74.440953][ T5078] ? __bad_area_nosemaphore+0x127/0x780 [ 74.446156][ T5079] RIP: 0033:0x7fd25730cfb7 [ 74.450734][ T5078] ? mark_lock+0x9a/0x350 [ 74.455653][ T5079] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 74.460143][ T5078] ? __pfx___bad_area_nosemaphore+0x10/0x10 [ 74.465842][ T5079] RSP: 002b:00007fff78ca7198 EFLAGS: 00000207 [ 74.471743][ T5078] ? spurious_kernel_fault+0x11b/0x520 [ 74.477296][ T5079] ORIG_RAX: 0000000000000054 [ 74.481707][ T5078] ? exc_page_fault+0x5bd/0x890 [ 74.486023][ T5079] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd25730cfb7 [ 74.505636][ T5078] ? asm_exc_page_fault+0x26/0x30 [ 74.511516][ T5079] RDX: fffffffffffff000 RSI: 0000000000000000 RDI: 00007fff78ca82c0 [ 74.517564][ T5078] ? 0xffffffffa0002194 [ 74.523176][ T5079] RBP: 0000000000000065 R08: 0000555571b9a73b R09: 0000000000000000 [ 74.527835][ T5078] ? hash+0x80/0x410 [ 74.532672][ T5079] R10: 0000000000000100 R11: 0000000000000207 R12: 00007fff78ca82c0 [ 74.540804][ T5078] ? hash+0x19b/0x410 [ 74.546767][ T5079] R13: 0000555571b9a6c0 R14: 00007fff78ca82c0 R15: 0000000000000001 [ 74.554740][ T5078] ? hash+0xd3/0x410 [ 74.558883][ T5079] [ 74.566838][ T5078] ? hash+0x19b/0x410 [ 74.570712][ T5079] [ 74.570718][ T5079] The buggy address belongs to stack of task syz-executor297/5079 [ 74.578694][ T5078] bloom_map_peek_elem+0xb2/0x1b0 [ 74.582655][ T5079] and is located at offset 0 in frame: [ 74.591142][ T5078] bpf_prog_00798911c748094f+0x42/0x46 [ 74.595010][ T5079] bpf_trace_run2+0x0/0x420 [ 74.598024][ T5078] bpf_trace_run2+0x204/0x420 [ 74.601986][ T5079] [ 74.601991][ T5079] This frame has 1 object: [ 74.604303][ T5078] ? bpf_trace_run2+0x114/0x420 [ 74.612089][ T5079] [32, 48) 'args' [ 74.617102][ T5078] ? __pfx_bpf_trace_run2+0x10/0x10 [ 74.622744][ T5079] [ 74.622756][ T5079] The buggy address belongs to the virtual mapping at [ 74.622756][ T5079] [ffffc900039f0000, ffffc900039f9000) created by: [ 74.622756][ T5079] copy_process+0x5d1/0x3df0 [ 74.628279][ T5078] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 74.632763][ T5079] [ 74.632770][ T5079] The buggy address belongs to the physical page: [ 74.637453][ T5078] ? __pfx___bpf_trace_ext4_drop_inode+0x10/0x10 [ 74.639774][ T5079] page:ffffea00007f36c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1fcdb [ 74.644167][ T5078] __traceiter_ext4_drop_inode+0x76/0xd0 [ 74.649002][ T5079] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 74.652713][ T5078] ext4_drop_inode+0x20a/0x270 [ 74.658061][ T5079] page_type: 0xffffffff() [ 74.660382][ T5078] ? __pfx_ext4_drop_inode+0x10/0x10 [ 74.678083][ T5079] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 74.683437][ T5078] iput+0x45e/0x900 [ 74.685763][ T5079] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 74.692161][ T5078] do_unlinkat+0x512/0x830 [ 74.698460][ T5079] page dumped because: kasan: bad access detected [ 74.698473][ T5079] page_owner tracks the page as allocated [ 74.708699][ T5078] ? __pfx_do_unlinkat+0x10/0x10 [ 74.714308][ T5079] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5077, tgid 5077 (syz-executor297), ts 73887639293, free_ts 73091924927 [ 74.721403][ T5078] ? strncpy_from_user+0x1a4/0x2f0 [ 74.726160][ T5079] post_alloc_hook+0x1ea/0x210 [ 74.730505][ T5078] __x64_sys_unlink+0x49/0x60 [ 74.735815][ T5079] get_page_from_freelist+0x33ea/0x3580 [ 74.744495][ T5078] do_syscall_64+0xfb/0x240 [ 74.748385][ T5079] __alloc_pages+0x256/0x680 [ 74.756971][ T5078] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 74.761376][ T5079] alloc_pages_mpol+0x3de/0x650 [ 74.767776][ T5078] RIP: 0033:0x7fd25730cf87 [ 74.773478][ T5079] __vmalloc_node_range+0x9a4/0x14a0 [ 74.778424][ T5078] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 74.797927][ T5079] dup_task_struct+0x3e9/0x7d0 [ 74.803019][ T5078] RSP: 002b:00007fff78ca7198 EFLAGS: 00000206 [ 74.807780][ T5079] copy_process+0x5d1/0x3df0 [ 74.812707][ T5078] ORIG_RAX: 0000000000000057 [ 74.818250][ T5079] kernel_clone+0x21e/0x8d0 [ 74.822739][ T5078] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd25730cf87 [ 74.827314][ T5079] __x64_sys_clone+0x258/0x2a0 [ 74.833192][ T5078] RDX: 00007fff78ca71c0 RSI: 00007fff78ca7250 RDI: 00007fff78ca7250 [ 74.838022][ T5079] do_syscall_64+0xfb/0x240 [ 74.842421][ T5078] RBP: 00007fff78ca7250 R08: 0000000000000000 R09: 0000000000000000 [ 74.847688][ T5079] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 74.867280][ T5078] R10: 0000000000000100 R11: 0000000000000206 R12: 00007fff78ca82c0 [ 74.872032][ T5079] page last free pid 5072 tgid 5072 stack trace: [ 74.878076][ T5078] R13: 0000555571b9a6c0 R14: 00007fff78ca82c0 R15: 0000000000000001 [ 74.882651][ T5079] free_unref_page_prepare+0x968/0xa90 [ 74.887320][ T5078] [ 74.891791][ T5079] free_unref_page+0x37/0x3f0 [ 74.899753][ T5078] Modules linked in: [ 74.904496][ T5079] __mmdrop+0xb9/0x3d0 [ 74.912459][ T5078] CR2: ffffc900039e8000 [ 74.916956][ T5079] exec_mmap+0x69d/0x730 [ 74.925006][ T5078] ---[ end trace 0000000000000000 ]--- [ 74.930889][ T5079] begin_new_exec+0x119b/0x1ce0 [ 74.938845][ T5078] RIP: 0010:hash+0xd3/0x410 [ 74.945155][ T5079] load_elf_binary+0x961/0x2590 [ 74.953200][ T5078] Code: ff df 0f b6 04 10 84 c0 0f 85 a7 00 00 00 45 03 6f f4 49 8d 7c 24 04 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 b3 00 00 00 <41> 03 5f f8 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 [ 74.958638][ T5079] bprm_execve+0xaf8/0x1790 [ 74.961736][ T5078] RSP: 0018:ffffc900039e7b38 EFLAGS: 00010286 [ 74.966396][ T5079] do_execveat_common+0x553/0x700 [ 74.970282][ T5078] [ 74.970289][ T5078] RAX: 0000000000000000 RBX: 00000000c5ebd4ee RCX: ffffffff81b5c67b [ 74.974344][ T5079] __x64_sys_execve+0x92/0xb0 [ 74.978568][ T5078] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc900039e8000 [ 74.982791][ T5079] do_syscall_64+0xfb/0x240 [ 74.988234][ T5078] RBP: 000000004639b97d R08: ffffffff81b5c560 R09: 1ffffffff2598ea0 [ 74.993069][ T5079] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 74.997552][ T5078] R10: dffffc0000000000 R11: ffffffffa0002194 R12: ffffc900039e7ffc [ 75.002386][ T5079] [ 75.002392][ T5079] Memory state around the buggy address: [ 75.022172][ T5078] R13: 00000000b68b7e25 R14: 000000003ffffe78 R15: ffffc900039e8008 [ 75.026869][ T5079] ffffc900039f7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.032913][ T5078] FS: 0000555571b99380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 [ 75.037923][ T5079] ffffc900039f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.040233][ T5078] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.048386][ T5079] >ffffc900039f7c00: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00 [ 75.053039][ T5078] CR2: ffffc900039e8000 CR3: 0000000075dba000 CR4: 00000000003506f0 [ 75.060995][ T5079] ^ [ 75.061008][ T5079] ffffc900039f7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.065483][ T5078] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 75.073439][ T5079] ffffc900039f7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.079308][ T5078] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 75.087265][ T5079] ================================================================== [ 75.087539][ T5079] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.236491][ T5079] Shutting down cpus with NMI [ 76.356579][ T5079] Kernel Offset: disabled [ 76.360914][ T5079] Rebooting in 86400 seconds..