./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor76350989

<...>
DUID 00:04:92:3d:a4:bf:d8:99:95:1d:d2:9f:0e:34:7d:20:a7:e6
forked to background, child pid 3181
[   28.529494][ T3182] 8021q: adding VLAN 0 to HW filter on device bond0
[   28.541626][ T3182] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.135' (ECDSA) to the list of known hosts.
execve("./syz-executor76350989", ["./syz-executor76350989"], 0x7ffec827d420 /* 10 vars */) = 0
brk(NULL)                               = 0x555556a5c000
brk(0x555556a5cc40)                     = 0x555556a5cc40
arch_prctl(ARCH_SET_FS, 0x555556a5c300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor76350989", 4096) = 26
brk(0x555556a7dc40)                     = 0x555556a7dc40
brk(0x555556a7e000)                     = 0x555556a7e000
mprotect(0x7f6863e35000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556a5c5d0) = 3610
./strace-static-x86_64: Process 3610 attached
[pid  3610] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid  3610] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  3610] setsid()                    = 1
[pid  3610] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid  3610] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid  3610] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid  3610] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid  3610] prlimit64(0, RLIMIT_CORE, {rlim_cur=0, rlim_max=0}, NULL) = 0
[pid  3610] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid  3610] unshare(CLONE_NEWNS)        = 0
[pid  3610] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid  3610] unshare(CLONE_NEWIPC)       = 0
[pid  3610] unshare(CLONE_NEWCGROUP)    = 0
[pid  3610] unshare(CLONE_NEWUTS)       = 0
[pid  3610] unshare(CLONE_SYSVSEM)      = 0
[pid  3610] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid  3610] write(3, "16777216", 8)     = 8
[pid  3610] close(3)                    = 0
[pid  3610] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid  3610] write(3, "536870912", 9)    = 9
[pid  3610] close(3)                    = 0
[pid  3610] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid  3610] write(3, "1024", 4)         = 4
[pid  3610] close(3)                    = 0
[pid  3610] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid  3610] write(3, "8192", 4)         = 4
[pid  3610] close(3)                    = 0
[pid  3610] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid  3610] write(3, "1024", 4)         = 4
[pid  3610] close(3)                    = 0
[pid  3610] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid  3610] write(3, "1024", 4)         = 4
[pid  3610] close(3)                    = 0
[pid  3610] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid  3610] write(3, "1024 1048576 500 1024", 21) = 21
[pid  3610] close(3)                    = 0
[pid  3610] getpid()                    = 1
[pid  3610] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  3610] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  3610] unshare(CLONE_NEWNET)       = 0
[pid  3610] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid  3610] write(3, "0 65535", 7)      = 7
[pid  3610] close(3)                    = 0
[pid  3610] mkdir("/dev/binderfs", 0777) = 0
[pid  3610] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid  3610] symlink("/dev/binderfs", "./binderfs") = 0
[pid  3610] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3611 attached
, child_tidptr=0x555556a5c5d0) = 2
[pid  3611] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  3611] setpgid(0, 0)               = 0
[pid  3611] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  3611] write(3, "1000", 4)         = 4
[pid  3611] close(3)                    = 0
[pid  3611] openat(AT_FDCWD, "./binderfs/binder1", O_RDONLY) = 3
[pid  3611] mmap(0x20ffc000, 16384, PROT_READ, MAP_SHARED|MAP_FIXED, 3, 0) = 0x20ffc000
syzkaller login: [   51.871676][ T3611] ------------[ cut here ]------------
[   51.871683][ T3611] WARNING: CPU: 0 PID: 3611 at include/linux/mmap_lock.h:161 binder_alloc_vma_close+0x123/0x170
[   51.888398][ T3611] Modules linked in:
[   51.892593][ T3611] CPU: 0 PID: 3611 Comm: syz-executor763 Not tainted 5.19.0-rc3-next-20220623-syzkaller #0
[   51.902965][ T3611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.913357][ T3611] RIP: 0010:binder_alloc_vma_close+0x123/0x170
[   51.919523][ T3611] Code: 5b fa 48 8d bd 58 01 00 00 31 f6 e8 d7 44 5d 02 31 ff 41 89 c4 89 c6 e8 7b f8 5b fa 45 85 e4 0f 85 5b ff ff ff e8 1d fc 5b fa <0f> 0b e9 4f ff ff ff e8 11 fc 5b fa 48 89 ef e8 99 cd 91 fa 0f 0b
[   51.939877][ T3611] RSP: 0018:ffffc90002dffbe0 EFLAGS: 00010293
[   51.946362][ T3611] RAX: 0000000000000000 RBX: ffff888078e119e0 RCX: 0000000000000000
[   51.954563][ T3611] RDX: ffff8880219d0000 RSI: ffffffff871ec183 RDI: 0000000000000005
[   51.962876][ T3611] RBP: ffff88807744c880 R08: 0000000000000005 R09: 0000000000000000
[   51.970885][ T3611] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[   51.979138][ T3611] R13: dffffc0000000000 R14: ffff88807744c880 R15: 0000000000000000
[   51.987443][ T3611] FS:  0000555556a5c300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
[   51.996611][ T3611] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   52.003559][ T3611] CR2: 00007f6863e39130 CR3: 00000000217f4000 CR4: 00000000003506f0
[   52.011829][ T3611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   52.019834][ T3611] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   52.028119][ T3611] Call Trace:
[   52.031614][ T3611]  <TASK>
[   52.034555][ T3611]  ? binder_mmap+0x320/0x320
[   52.039178][ T3611]  remove_vma+0x81/0x130
[   52.044216][ T3611]  do_mas_align_munmap+0x9e6/0xef0
[   52.049362][ T3611]  ? __split_vma+0x530/0x530
[   52.054299][ T3611]  ? mas_walk+0x48a/0x670
[   52.058636][ T3611]  ? mas_find+0x20d/0xce0
[   52.063258][ T3611]  ? down_write_killable+0xe1/0x170
[   52.068467][ T3611]  do_mas_munmap+0x202/0x2c0
[   52.073356][ T3611]  __vm_munmap+0x159/0x290
[   52.077797][ T3611]  ? do_mas_munmap+0x2c0/0x2c0
[   52.082876][ T3611]  ? lockdep_hardirqs_on+0x79/0x100
[   52.088084][ T3611]  ? _raw_spin_unlock_irq+0x2a/0x40
[   52.093622][ T3611]  __x64_sys_munmap+0x55/0x80
[   52.098390][ T3611]  do_syscall_64+0x35/0xb0
[   52.103030][ T3611]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[   52.108958][ T3611] RIP: 0033:0x7f6863dc8099
[   52.113603][ T3611] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   52.133444][ T3611] RSP: 002b:00007ffdc69a2808 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
[   52.142055][ T3611] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6863dc8099
[   52.150054][ T3611] RDX: 00007f6863dc8099 RSI: 0000000000004000 RDI: 0000000020ffa000
[   52.158387][ T3611] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   52.166608][ T3611] R10: 0000000000000003 R11: 0000000000000246 R12: 00007ffdc69a2850
[   52.174796][ T3611] R13: 00007ffdc69a2840 R14: 00007ffdc69a2830 R15: 0000000000000000
[   52.183035][ T3611]  </TASK>
[   52.186076][ T3611] Kernel panic - not syncing: panic_on_warn set ...
[   52.193637][ T3611] CPU: 0 PID: 3611 Comm: syz-executor763 Not tainted 5.19.0-rc3-next-20220623-syzkaller #0
[   52.203618][ T3611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.213684][ T3611] Call Trace:
[   52.216958][ T3611]  <TASK>
[   52.219883][ T3611]  dump_stack_lvl+0xcd/0x134
[   52.224472][ T3611]  panic+0x2d7/0x64a
[   52.228370][ T3611]  ? panic_print_sys_info.part.0+0x10b/0x10b
[   52.234361][ T3611]  ? __warn.cold+0x1d9/0x2cd
[   52.238963][ T3611]  ? binder_alloc_vma_close+0x123/0x170
[   52.244542][ T3611]  __warn.cold+0x1ea/0x2cd
[   52.248995][ T3611]  ? binder_alloc_vma_close+0x123/0x170
[   52.254546][ T3611]  report_bug+0x1bc/0x210
[   52.258912][ T3611]  handle_bug+0x3c/0x60
[   52.263066][ T3611]  exc_invalid_op+0x14/0x40
[   52.267569][ T3611]  asm_exc_invalid_op+0x1b/0x20
[   52.272444][ T3611] RIP: 0010:binder_alloc_vma_close+0x123/0x170
[   52.278636][ T3611] Code: 5b fa 48 8d bd 58 01 00 00 31 f6 e8 d7 44 5d 02 31 ff 41 89 c4 89 c6 e8 7b f8 5b fa 45 85 e4 0f 85 5b ff ff ff e8 1d fc 5b fa <0f> 0b e9 4f ff ff ff e8 11 fc 5b fa 48 89 ef e8 99 cd 91 fa 0f 0b
[   52.298352][ T3611] RSP: 0018:ffffc90002dffbe0 EFLAGS: 00010293
[   52.304439][ T3611] RAX: 0000000000000000 RBX: ffff888078e119e0 RCX: 0000000000000000
[   52.312415][ T3611] RDX: ffff8880219d0000 RSI: ffffffff871ec183 RDI: 0000000000000005
[   52.320400][ T3611] RBP: ffff88807744c880 R08: 0000000000000005 R09: 0000000000000000
[   52.328460][ T3611] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[   52.336433][ T3611] R13: dffffc0000000000 R14: ffff88807744c880 R15: 0000000000000000
[   52.344418][ T3611]  ? binder_alloc_vma_close+0x123/0x170
[   52.349986][ T3611]  ? binder_mmap+0x320/0x320
[   52.354595][ T3611]  remove_vma+0x81/0x130
[   52.358847][ T3611]  do_mas_align_munmap+0x9e6/0xef0
[   52.363979][ T3611]  ? __split_vma+0x530/0x530
[   52.368589][ T3611]  ? mas_walk+0x48a/0x670
[   52.372934][ T3611]  ? mas_find+0x20d/0xce0
[   52.377286][ T3611]  ? down_write_killable+0xe1/0x170
[   52.382510][ T3611]  do_mas_munmap+0x202/0x2c0
[   52.387114][ T3611]  __vm_munmap+0x159/0x290
[   52.391550][ T3611]  ? do_mas_munmap+0x2c0/0x2c0
[   52.396346][ T3611]  ? lockdep_hardirqs_on+0x79/0x100
[   52.401570][ T3611]  ? _raw_spin_unlock_irq+0x2a/0x40
[   52.406795][ T3611]  __x64_sys_munmap+0x55/0x80
[   52.411485][ T3611]  do_syscall_64+0x35/0xb0
[   52.415916][ T3611]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[   52.421820][ T3611] RIP: 0033:0x7f6863dc8099
[   52.426239][ T3611] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   52.445863][ T3611] RSP: 002b:00007ffdc69a2808 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
[   52.454283][ T3611] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6863dc8099
[   52.462261][ T3611] RDX: 00007f6863dc8099 RSI: 0000000000004000 RDI: 0000000020ffa000
[   52.470236][ T3611] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   52.478218][ T3611] R10: 0000000000000003 R11: 0000000000000246 R12: 00007ffdc69a2850
[   52.486196][ T3611] R13: 00007ffdc69a2840 R14: 00007ffdc69a2830 R15: 0000000000000000
[   52.494185][ T3611]  </TASK>
[   52.497510][ T3611] Kernel Offset: disabled
[   52.501918][ T3611] Rebooting in 86400 seconds..