./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3483649679 <...> 00 audit(1692034046.959:63): avc: denied { write } for pid=225 comm="sh" path="pipe:[5891]" dev="pipefs" ino=5891 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 12.495875][ T28] audit: type=1400 audit(1692034046.959:64): avc: denied { rlimitinh } for pid=225 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 12.498796][ T28] audit: type=1400 audit(1692034046.959:65): avc: denied { siginh } for pid=225 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 Warning: Permanently added '10.128.0.212' (ED25519) to the list of known hosts. execve("./syz-executor3483649679", ["./syz-executor3483649679"], 0x7ffe828bfd50 /* 10 vars */) = 0 brk(NULL) = 0x55555602b000 brk(0x55555602bd40) = 0x55555602bd40 arch_prctl(ARCH_SET_FS, 0x55555602b3c0) = 0 set_tid_address(0x55555602b690) = 294 set_robust_list(0x55555602b6a0, 24) = 0 rseq(0x55555602bce0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3483649679", 4096) = 28 getrandom("\xe8\x8b\xf4\x1e\x78\x24\xfb\xb2", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555602bd40 brk(0x55555604cd40) = 0x55555604cd40 brk(0x55555604d000) = 0x55555604d000 mprotect(0x7fa52c40d000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.ePL7Xb", 0700) = 0 chmod("./syzkaller.ePL7Xb", 0777) = 0 chdir("./syzkaller.ePL7Xb") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555602b690) = 295 ./strace-static-x86_64: Process 295 attached [pid 295] set_robust_list(0x55555602b6a0, 24) = 0 [pid 295] chdir("./0") = 0 [pid 295] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 295] setpgid(0, 0) = 0 [pid 295] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1000", 4) = 4 [pid 295] close(3) = 0 [pid 295] symlink("/dev/binderfs", "./binderfs") = 0 [pid 295] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] rt_sigaction(SIGRT_1, {sa_handler=0x7fa52c3b2230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fa52c3a33e0}, NULL, 8) = 0 [pid 295] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 295] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa52c328000 [pid 295] mprotect(0x7fa52c329000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 295] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 295] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa52c348990, parent_tid=0x7fa52c348990, exit_signal=0, stack=0x7fa52c328000, stack_size=0x20300, tls=0x7fa52c3486c0} => {parent_tid=[296]}, 88) = 296 [pid 295] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 295] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 296 attached [pid 296] set_robust_list(0x7fa52c3489a0, 24) = 0 [pid 296] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 296] memfd_create("syzkaller", 0) = 3 [pid 296] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa523f28000 [pid 296] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 296] munmap(0x7fa523f28000, 262144) = 0 [pid 296] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 296] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 296] close(3) = 0 [pid 296] mkdir("./file1", 0777) = 0 [ 21.725534][ T28] audit: type=1400 audit(1692034056.199:66): avc: denied { execmem } for pid=294 comm="syz-executor348" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 21.731502][ T28] audit: type=1400 audit(1692034056.199:67): avc: denied { read write } for pid=294 comm="syz-executor348" name="loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.737221][ T28] audit: type=1400 audit(1692034056.199:68): avc: denied { open } for pid=294 comm="syz-executor348" path="/dev/loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.740783][ T28] audit: type=1400 audit(1692034056.199:69): avc: denied { ioctl } for pid=294 comm="syz-executor348" path="/dev/loop0" dev="devtmpfs" ino=114 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.747040][ T296] loop0: detected capacity change from 0 to 512 [pid 296] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 296] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 296] chdir("./file1") = 0 [pid 296] ioctl(4, LOOP_CLR_FD) = 0 [pid 296] close(4) = 0 [pid 296] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 295] <... futex resumed>) = 0 [pid 295] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 296] <... futex resumed>) = 1 [pid 296] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 296] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 295] <... futex resumed>) = 0 [pid 295] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 296] <... futex resumed>) = 1 [pid 296] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945) = 167936 [pid 296] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 295] <... futex resumed>) = 0 [pid 295] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 296] <... futex resumed>) = 1 [pid 296] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 296] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 295] <... futex resumed>) = 0 [pid 295] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 296] <... futex resumed>) = 1 [pid 296] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 296] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 295] <... futex resumed>) = 0 [pid 295] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] futex(0x7fa52c4136dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa523f47000 [pid 295] mprotect(0x7fa523f48000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 295] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 295] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa523f67990, parent_tid=0x7fa523f67990, exit_signal=0, stack=0x7fa523f47000, stack_size=0x20300, tls=0x7fa523f676c0} => {parent_tid=[301]}, 88) = 301 [pid 295] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 295] futex(0x7fa52c4136d8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] futex(0x7fa52c4136dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 296] <... futex resumed>) = 1 [pid 296] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 262144 [pid 296] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 21.754469][ T28] audit: type=1400 audit(1692034056.229:70): avc: denied { mounton } for pid=295 comm="syz-executor348" path="/root/syzkaller.ePL7Xb/0/file1" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 21.785001][ T296] EXT4-fs (loop0): 1 orphan inode deleted [ 21.790614][ T296] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 21.799530][ T28] audit: type=1400 audit(1692034056.269:71): avc: denied { mount } for pid=295 comm="syz-executor348" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [pid 296] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 301 attached [pid 301] set_robust_list(0x7fa523f679a0, 24) = 0 [pid 301] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 21.799539][ T296] ext4 filesystem being mounted at /root/syzkaller.ePL7Xb/0/file1 supports timestamps until 2038 (0x7fffffff) [ 21.833024][ T28] audit: type=1400 audit(1692034056.269:72): avc: denied { write } for pid=295 comm="syz-executor348" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 21.854792][ T28] audit: type=1400 audit(1692034056.279:73): avc: denied { add_name } for pid=295 comm="syz-executor348" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [pid 301] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 295] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 21.856009][ T301] EXT4-fs error (device loop0): ext4_ext_remove_space:2866: inode #16: comm syz-executor348: path[1].p_hdr == NULL [ 21.887305][ T28] audit: type=1400 audit(1692034056.279:74): avc: denied { create } for pid=295 comm="syz-executor348" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 21.887528][ T301] EXT4-fs (loop0): Remounting filesystem read-only [pid 301] <... ioctl resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 301] futex(0x7fa52c4136dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 301] futex(0x7fa52c4136d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 295] exit_group(0 [pid 296] <... futex resumed>) = ? [pid 295] <... exit_group resumed>) = ? [pid 296] +++ exited with 0 +++ [pid 301] <... futex resumed>) = ? [pid 301] +++ exited with 0 +++ [pid 295] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=295, si_uid=0, si_status=0, si_utime=0, si_stime=13} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555602c730 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 [ 21.907860][ T28] audit: type=1400 audit(1692034056.279:75): avc: denied { read write open } for pid=295 comm="syz-executor348" path="/root/syzkaller.ePL7Xb/0/file1/bus" dev="loop0" ino=16 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 21.913850][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm syz-executor348: Invalid inode table block 0 in block_group 0 [ 21.951860][ T301] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Corrupt filesystem [ 21.961087][ T301] EXT4-fs error (device loop0): ext4_punch_hole:4137: inode #16: comm syz-executor348: mark_inode_dirty error umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556034770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556034770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file1") = 0 getdents64(3, 0x55555602c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555602b690) = 302 ./strace-static-x86_64: Process 302 attached [pid 302] set_robust_list(0x55555602b6a0, 24) = 0 [pid 302] chdir("./1") = 0 [pid 302] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 302] setpgid(0, 0) = 0 [pid 302] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 302] write(3, "1000", 4) = 4 [pid 302] close(3) = 0 [pid 302] symlink("/dev/binderfs", "./binderfs") = 0 [pid 302] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 302] rt_sigaction(SIGRT_1, {sa_handler=0x7fa52c3b2230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fa52c3a33e0}, NULL, 8) = 0 [pid 302] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 302] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa52c328000 [pid 302] mprotect(0x7fa52c329000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 302] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 302] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa52c348990, parent_tid=0x7fa52c348990, exit_signal=0, stack=0x7fa52c328000, stack_size=0x20300, tls=0x7fa52c3486c0}./strace-static-x86_64: Process 303 attached => {parent_tid=[303]}, 88) = 303 [pid 303] set_robust_list(0x7fa52c3489a0, 24 [pid 302] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 302] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 302] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 303] <... set_robust_list resumed>) = 0 [pid 303] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 303] memfd_create("syzkaller", 0) = 3 [pid 303] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa523f28000 [pid 303] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 303] munmap(0x7fa523f28000, 262144) = 0 [pid 303] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 21.977520][ T294] EXT4-fs (loop0): unmounting filesystem. [pid 303] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 303] close(3) = 0 [pid 303] mkdir("./file1", 0777) = 0 [pid 303] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 303] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 303] chdir("./file1") = 0 [pid 303] ioctl(4, LOOP_CLR_FD) = 0 [pid 303] close(4) = 0 [pid 303] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 302] <... futex resumed>) = 0 [pid 303] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000 [pid 302] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 302] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 303] <... open resumed>) = 4 [pid 303] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 302] <... futex resumed>) = 0 [pid 303] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 302] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 302] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 303] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 303] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945) = 167936 [pid 303] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 302] <... futex resumed>) = 0 [pid 303] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 302] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 302] <... futex resumed>) = 0 [pid 303] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL [pid 302] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 303] <... mount resumed>) = 0 [pid 303] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 302] <... futex resumed>) = 0 [pid 303] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 302] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] <... open resumed>) = 5 [pid 302] <... futex resumed>) = 0 [pid 302] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 303] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 302] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 303] <... futex resumed>) = 0 [pid 302] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 303] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651 [pid 302] <... futex resumed>) = 0 [pid 302] futex(0x7fa52c4136dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 302] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa523f47000 [pid 302] mprotect(0x7fa523f48000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 302] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 302] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa523f67990, parent_tid=0x7fa523f67990, exit_signal=0, stack=0x7fa523f47000, stack_size=0x20300, tls=0x7fa523f676c0} => {parent_tid=[306]}, 88) = 306 [pid 302] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 302] futex(0x7fa52c4136d8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 302] futex(0x7fa52c4136dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 306 attached [pid 306] set_robust_list(0x7fa523f679a0, 24) = 0 [pid 306] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 22.022215][ T303] loop0: detected capacity change from 0 to 512 [ 22.035152][ T303] EXT4-fs (loop0): 1 orphan inode deleted [ 22.040705][ T303] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.049431][ T303] ext4 filesystem being mounted at /root/syzkaller.ePL7Xb/1/file1 supports timestamps until 2038 (0x7fffffff) [pid 306] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 303] <... write resumed>) = 262144 [pid 303] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 22.083545][ T306] EXT4-fs error (device loop0): ext4_ext_remove_space:2866: inode #16: comm syz-executor348: path[1].p_hdr == NULL [ 22.095674][ T306] EXT4-fs (loop0): Remounting filesystem read-only [ 22.102091][ T306] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm syz-executor348: Invalid inode table block 0 in block_group 0 [ 22.115258][ T306] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Corrupt filesystem [pid 303] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 302] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 306] <... ioctl resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 306] futex(0x7fa52c4136dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 306] futex(0x7fa52c4136d8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 302] exit_group(0) = ? [pid 303] <... futex resumed>) = ? [pid 306] <... futex resumed>) = ? [pid 303] +++ exited with 0 +++ [pid 306] +++ exited with 0 +++ [pid 302] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=302, si_uid=0, si_status=0, si_utime=0, si_stime=7} --- umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555602c730 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556034770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556034770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file1") = 0 getdents64(3, 0x55555602c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555602b690) = 307 ./strace-static-x86_64: Process 307 attached [pid 307] set_robust_list(0x55555602b6a0, 24) = 0 [pid 307] chdir("./2") = 0 [pid 307] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 307] setpgid(0, 0) = 0 [pid 307] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "1000", 4) = 4 [pid 307] close(3) = 0 [pid 307] symlink("/dev/binderfs", "./binderfs") = 0 [pid 307] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 307] rt_sigaction(SIGRT_1, {sa_handler=0x7fa52c3b2230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fa52c3a33e0}, NULL, 8) = 0 [pid 307] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 307] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa52c328000 [pid 307] mprotect(0x7fa52c329000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 307] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 307] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa52c348990, parent_tid=0x7fa52c348990, exit_signal=0, stack=0x7fa52c328000, stack_size=0x20300, tls=0x7fa52c3486c0} => {parent_tid=[308]}, 88) = 308 [pid 307] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 307] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 307] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 308 attached [pid 308] set_robust_list(0x7fa52c3489a0, 24) = 0 [pid 308] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 308] memfd_create("syzkaller", 0) = 3 [pid 308] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa523f28000 [pid 308] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 308] munmap(0x7fa523f28000, 262144) = 0 [pid 308] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 308] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 308] close(3) = 0 [pid 308] mkdir("./file1", 0777) = 0 [ 22.124795][ T306] EXT4-fs error (device loop0): ext4_punch_hole:4137: inode #16: comm syz-executor348: mark_inode_dirty error [ 22.146833][ T294] EXT4-fs (loop0): unmounting filesystem. [ 22.166806][ T308] loop0: detected capacity change from 0 to 512 [pid 308] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 308] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 308] chdir("./file1") = 0 [pid 308] ioctl(4, LOOP_CLR_FD) = 0 [pid 308] close(4) = 0 [pid 308] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 307] <... futex resumed>) = 0 [pid 307] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 307] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 308] <... futex resumed>) = 1 [pid 308] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 308] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 307] <... futex resumed>) = 0 [pid 308] <... futex resumed>) = 1 [pid 308] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 307] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 307] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 308] <... futex resumed>) = 0 [pid 308] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945) = 167936 [pid 308] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 307] <... futex resumed>) = 0 [pid 308] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 307] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 308] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 307] <... futex resumed>) = 0 [pid 308] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL [pid 307] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 308] <... mount resumed>) = 0 [pid 308] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 307] <... futex resumed>) = 0 [pid 308] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 307] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 308] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 308] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 308] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 308] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULL) = 0 [pid 307] <... futex resumed>) = 1 [pid 307] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 308] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 307] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 308] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 307] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000 [pid 308] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651 [pid 307] <... futex resumed>) = 0 [pid 307] futex(0x7fa52c4136dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 307] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa523f47000 [pid 307] mprotect(0x7fa523f48000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 307] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 307] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa523f67990, parent_tid=0x7fa523f67990, exit_signal=0, stack=0x7fa523f47000, stack_size=0x20300, tls=0x7fa523f676c0}./strace-static-x86_64: Process 311 attached => {parent_tid=[311]}, 88) = 311 [pid 307] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 311] set_robust_list(0x7fa523f679a0, 24 [pid 307] futex(0x7fa52c4136d8, FUTEX_WAKE_PRIVATE, 1000000 [pid 311] <... set_robust_list resumed>) = 0 [pid 307] <... futex resumed>) = 0 [pid 311] rt_sigprocmask(SIG_SETMASK, [], [pid 307] futex(0x7fa52c4136dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 311] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 308] <... write resumed>) = 262144 [pid 308] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 22.184888][ T308] EXT4-fs (loop0): 1 orphan inode deleted [ 22.190444][ T308] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.199181][ T308] ext4 filesystem being mounted at /root/syzkaller.ePL7Xb/2/file1 supports timestamps until 2038 (0x7fffffff) [pid 308] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 307] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 307] futex(0x7fa52c4136dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [ 22.226444][ T311] EXT4-fs error (device loop0): ext4_read_block_bitmap_nowait:438: comm syz-executor348: Invalid block bitmap block 0 in block_group 0 [ 22.240285][ T311] EXT4-fs (loop0): Remounting filesystem read-only [ 22.246635][ T311] EXT4-fs error (device loop0) in ext4_mb_clear_bb:6077: Corrupt filesystem [ 22.255264][ T311] ================================================================== [ 22.263126][ T311] BUG: KASAN: out-of-bounds in ext4_ext_remove_space+0x1e16/0x4f50 [ 22.270852][ T311] Read of size 18446744073709551544 at addr ffff88812095e054 by task syz-executor348/311 [ 22.280484][ T311] [ 22.282655][ T311] CPU: 1 PID: 311 Comm: syz-executor348 Not tainted 6.1.25-syzkaller-00011-gd7dacaa439c7 #0 [ 22.292552][ T311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 22.302443][ T311] Call Trace: [ 22.305583][ T311] [ 22.308344][ T311] dump_stack_lvl+0x151/0x1b7 [ 22.312861][ T311] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 22.318151][ T311] ? _printk+0xd1/0x111 [ 22.322148][ T311] ? __virt_addr_valid+0x242/0x2f0 [ 22.327095][ T311] print_report+0x158/0x4e0 [ 22.331432][ T311] ? __virt_addr_valid+0x242/0x2f0 [ 22.336379][ T311] ? kasan_addr_to_slab+0xd/0x80 [ 22.341153][ T311] ? ext4_ext_remove_space+0x1e16/0x4f50 [ 22.346623][ T311] kasan_report+0x13c/0x170 [ 22.350962][ T311] ? ext4_ext_remove_space+0x1e16/0x4f50 [ 22.356430][ T311] kasan_check_range+0x294/0x2a0 [ 22.361202][ T311] ? ext4_ext_remove_space+0x1e16/0x4f50 [ 22.366671][ T311] memmove+0x2d/0x70 [ 22.370405][ T311] ext4_ext_remove_space+0x1e16/0x4f50 [ 22.375704][ T311] ? ext4_ext_index_trans_blocks+0x120/0x120 [pid 307] exit_group(0 [pid 308] <... futex resumed>) = ? [pid 307] <... exit_group resumed>) = ? [pid 308] +++ exited with 0 +++ [ 22.381512][ T311] ? ext4_es_remove_extent+0x1ac/0x390 [ 22.386807][ T311] ext4_punch_hole+0x794/0xc00 [ 22.391412][ T311] ext4_fallocate+0x318/0x1e90 [ 22.396009][ T311] ? avc_policy_seqno+0x1b/0x70 [ 22.400690][ T311] ? selinux_file_permission+0x2bb/0x560 [ 22.406160][ T311] ? ext4_ext_truncate+0x320/0x320 [ 22.411107][ T311] ? fsnotify_perm+0x6a/0x5d0 [ 22.415621][ T311] vfs_fallocate+0x492/0x570 [ 22.420047][ T311] do_vfs_ioctl+0x2150/0x29a0 [ 22.424573][ T311] ? __x64_compat_sys_ioctl+0x90/0x90 [ 22.429766][ T311] ? compat_start_thread+0x20/0x20 [ 22.434719][ T311] ? ioctl_has_perm+0x1f8/0x560 [ 22.439401][ T311] ? ioctl_has_perm+0x3f0/0x560 [ 22.444088][ T311] ? has_cap_mac_admin+0x3c0/0x3c0 [ 22.449124][ T311] ? __kasan_check_write+0x14/0x20 [ 22.454074][ T311] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 22.459016][ T311] ? cgroup_update_frozen+0x15f/0x980 [ 22.464226][ T311] ? selinux_file_ioctl+0x3cc/0x540 [ 22.469256][ T311] ? ptrace_stop+0x709/0x930 [ 22.473684][ T311] ? selinux_file_alloc_security+0x120/0x120 [ 22.479500][ T311] ? __fget_files+0x2cb/0x330 [ 22.484015][ T311] ? security_file_ioctl+0x84/0xb0 [ 22.488960][ T311] __se_sys_ioctl+0x99/0x190 [ 22.493389][ T311] __x64_sys_ioctl+0x7b/0x90 [ 22.497816][ T311] do_syscall_64+0x3d/0xb0 [ 22.502065][ T311] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 22.507795][ T311] RIP: 0033:0x7fa52c38be19 [ 22.512046][ T311] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 22.531487][ T311] RSP: 002b:00007fa523f67218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 22.539734][ T311] RAX: ffffffffffffffda RBX: 00007fa52c4136d8 RCX: 00007fa52c38be19 [ 22.547545][ T311] RDX: 0000000020000080 RSI: 000000004030582b RDI: 0000000000000004 [ 22.555357][ T311] RBP: 00007fa52c4136d0 R08: 00007ffe5a02a957 R09: 0000000000000000 [ 22.563168][ T311] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa52c3e0578 [ 22.570979][ T311] R13: 000000000000000b R14: 00007ffe5a02a870 R15: 6f6f6c2f7665642f [ 22.578792][ T311] [ 22.581653][ T311] [ 22.583823][ T311] The buggy address belongs to the physical page: [ 22.590076][ T311] page:ffffea0004825780 refcount:2 mapcount:0 mapping:ffff88810b8e1c50 index:0x3a pfn:0x12095e [ 22.600228][ T311] memcg:ffff88810031e000 [ 22.604310][ T311] aops:def_blk_aops ino:700000 [ 22.608907][ T311] flags: 0x4e00000000002056(referenced|uptodate|lru|workingset|private|zone=1) [ 22.617678][ T311] raw: 4e00000000002056 ffffea00047a36c8 ffffea0004266648 ffff88810b8e1c50 [ 22.626099][ T311] raw: 000000000000003a ffff88811fd0b3f0 00000002ffffffff ffff88810031e000 [ 22.634512][ T311] page dumped because: kasan: bad access detected [ 22.640761][ T311] page_owner tracks the page as allocated [ 22.646317][ T311] page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 308, tgid 307 (syz-executor348), ts 22218821051, free_ts 15091448006 [ 22.666537][ T311] post_alloc_hook+0x213/0x220 [ 22.671135][ T311] prep_new_page+0x1b/0x110 [ 22.675494][ T311] get_page_from_freelist+0x2762/0x27f0 [ 22.680860][ T311] __alloc_pages+0x3a1/0x780 [ 22.685286][ T311] __folio_alloc+0x15/0x40 [ 22.689535][ T311] __filemap_get_folio+0x6c0/0x970 [ 22.694488][ T311] pagecache_get_page+0x2f/0x110 [ 22.699256][ T311] __getblk_gfp+0x205/0x7d0 [ 22.703596][ T311] ext4_ext_insert_extent+0xfd2/0x4e00 [ 22.708892][ T311] ext4_ext_map_blocks+0x1c31/0x71e0 [ 22.714016][ T311] ext4_map_blocks+0xa42/0x1ce0 [ 22.718697][ T311] _ext4_get_block+0x23b/0x660 [ 22.723301][ T311] ext4_get_block+0x39/0x50 [ 22.727643][ T311] ext4_block_write_begin+0x55e/0x1200 [ 22.732941][ T311] ext4_write_begin+0x5e0/0xfb0 [ 22.737619][ T311] ext4_da_write_begin+0x2ff/0x920 [ 22.742567][ T311] page last free stack trace: [ 22.747084][ T311] free_unref_page_prepare+0x83d/0x850 [ 22.752373][ T311] free_unref_page_list+0xf6/0x6c0 [ 22.757320][ T311] release_pages+0xf7f/0xfe0 [ 22.761746][ T311] free_pages_and_swap_cache+0x8a/0xa0 [ 22.767045][ T311] tlb_finish_mmu+0x1e0/0x3f0 [ 22.771572][ T311] unmap_region+0x2c1/0x310 [ 22.775896][ T311] do_mas_align_munmap+0xd05/0x1400 [ 22.780935][ T311] do_mas_munmap+0x23e/0x2b0 [ 22.785357][ T311] __vm_munmap+0x263/0x3a0 [ 22.789615][ T311] __x64_sys_munmap+0x6b/0x80 [ 22.794120][ T311] do_syscall_64+0x3d/0xb0 [ 22.798372][ T311] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 22.804103][ T311] [ 22.806273][ T311] Memory state around the buggy address: [ 22.811745][ T311] ffff88812095df00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.819641][ T311] ffff88812095df80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.827538][ T311] >ffff88812095e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 22.835447][ T311] ^ [ 22.841945][ T311] ffff88812095e080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 22.849862][ T311] ffff88812095e100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 22.857740][ T311] ================================================================== [ 22.865785][ T311] Disabling lock debugging due to kernel taint [ 22.871829][ T311] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm syz-executor348: Invalid inode table block 0 in block_group 0 [pid 311] <... ioctl resumed>) = ? [pid 311] +++ exited with 0 +++ [pid 307] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=307, si_uid=0, si_status=0, si_utime=0, si_stime=8} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555602c730 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556034770 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556034770 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file1") = 0 getdents64(3, 0x55555602c730 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555602b690) = 313 ./strace-static-x86_64: Process 313 attached [pid 313] set_robust_list(0x55555602b6a0, 24) = 0 [pid 313] chdir("./3") = 0 [pid 313] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 313] setpgid(0, 0) = 0 [pid 313] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 313] write(3, "1000", 4) = 4 [pid 313] close(3) = 0 [pid 313] symlink("/dev/binderfs", "./binderfs") = 0 [pid 313] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] rt_sigaction(SIGRT_1, {sa_handler=0x7fa52c3b2230, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fa52c3a33e0}, NULL, 8) = 0 [pid 313] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 313] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa52c328000 [pid 313] mprotect(0x7fa52c329000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 313] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 313] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa52c348990, parent_tid=0x7fa52c348990, exit_signal=0, stack=0x7fa52c328000, stack_size=0x20300, tls=0x7fa52c3486c0} => {parent_tid=[314]}, 88) = 314 [pid 313] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 313] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 314 attached [pid 314] set_robust_list(0x7fa52c3489a0, 24) = 0 [pid 314] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 314] memfd_create("syzkaller", 0) = 3 [pid 314] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa523f28000 [pid 314] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 314] munmap(0x7fa523f28000, 262144) = 0 [pid 314] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 22.884741][ T311] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Corrupt filesystem [ 22.894081][ T311] EXT4-fs error (device loop0): ext4_punch_hole:4137: inode #16: comm syz-executor348: mark_inode_dirty error [ 22.910026][ T294] EXT4-fs (loop0): unmounting filesystem. [pid 314] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 314] close(3) = 0 [pid 314] mkdir("./file1", 0777) = 0 [pid 314] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, "errors=remount-ro,norecovery,dioread_lock,errors=remount-ro,noauto_da_alloc,resgid=0x000000000000000"...) = 0 [pid 314] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 314] chdir("./file1") = 0 [pid 314] ioctl(4, LOOP_CLR_FD) = 0 [pid 314] close(4) = 0 [pid 314] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 313] <... futex resumed>) = 0 [pid 313] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 314] <... futex resumed>) = 1 [pid 314] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 314] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 313] <... futex resumed>) = 0 [pid 313] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 314] <... futex resumed>) = 1 [pid 314] write(4, "\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966945) = 167936 [pid 314] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 313] <... futex resumed>) = 0 [pid 313] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 314] <... futex resumed>) = 1 [pid 314] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 314] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 313] <... futex resumed>) = 0 [pid 313] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7fa52c4136cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 314] <... futex resumed>) = 1 [pid 314] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 314] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 313] <... futex resumed>) = 0 [pid 313] futex(0x7fa52c4136c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] futex(0x7fa52c4136dc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 313] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa523f47000 [pid 314] <... futex resumed>) = 1 [pid 314] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651 [pid 313] mprotect(0x7fa523f48000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 313] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 313] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa523f67990, parent_tid=0x7fa523f67990, exit_signal=0, stack=0x7fa523f47000, stack_size=0x20300, tls=0x7fa523f676c0}./strace-static-x86_64: Process 317 attached => {parent_tid=[317]}, 88) = 317 [pid 317] set_robust_list(0x7fa523f679a0, 24 [pid 313] rt_sigprocmask(SIG_SETMASK, [], [pid 317] <... set_robust_list resumed>) = 0 [pid 313] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 317] rt_sigprocmask(SIG_SETMASK, [], [pid 313] futex(0x7fa52c4136d8, FUTEX_WAKE_PRIVATE, 1000000 [pid 317] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 317] ioctl(4, _IOC(_IOC_WRITE, 0x58, 0x2b, 0x30), 0x20000080 [pid 313] <... futex resumed>) = 0 [ 22.946985][ T314] loop0: detected capacity change from 0 to 512 [ 22.964577][ T314] EXT4-fs (loop0): 1 orphan inode deleted [ 22.970137][ T314] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.979063][ T314] ext4 filesystem being mounted at /root/syzkaller.ePL7Xb/3/file1 supports timestamps until 2038 (0x7fffffff) [pid 313] futex(0x7fa52c4136dc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 314] <... write resumed>) = 262144 [pid 314] futex(0x7fa52c4136cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa52c4136c8, FUTEX_WAIT_PRIVATE, 0, NULLConnection to 10.128.0.212 closed by remote host. [