./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1029164976 <...> Warning: Permanently added '10.128.1.120' (ED25519) to the list of known hosts. execve("./syz-executor1029164976", ["./syz-executor1029164976"], 0x7ffe13de4350 /* 10 vars */) = 0 brk(NULL) = 0x555556919000 brk(0x555556919d00) = 0x555556919d00 arch_prctl(ARCH_SET_FS, 0x555556919380) = 0 set_tid_address(0x555556919650) = 293 set_robust_list(0x555556919660, 24) = 0 rseq(0x555556919ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1029164976", 4096) = 28 getrandom("\xdb\x8a\x1c\xdf\x2c\x20\x8c\x39", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555556919d00 brk(0x55555693ad00) = 0x55555693ad00 brk(0x55555693b000) = 0x55555693b000 mprotect(0x7f06dc47d000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("/syzcgroup", 0777) = 0 mkdir("/syzcgroup/unified", 0777) = 0 mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL) = 0 chmod("/syzcgroup/unified", 0777) = 0 openat(AT_FDCWD, "/syzcgroup/unified/cgroup.subtree_control", O_WRONLY) = 3 write(3, "+cpu", 4) = 4 write(3, "+io", 3) = 3 write(3, "+pids", 5) = 5 close(3) = 0 mkdir("/syzcgroup/net", 0777) = 0 mount("none", "/syzcgroup/net", "cgroup", 0, "net") = -1 EINVAL (Invalid argument) mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio") = 0 umount2("/syzcgroup/net", 0) = 0 mount("none", "/syzcgroup/net", "cgroup", 0, "devices") = -1 EINVAL (Invalid argument) mount("none", "/syzcgroup/net", "cgroup", 0, "blkio") = 0 umount2("/syzcgroup/net", 0) = 0 mount("none", "/syzcgroup/net", "cgroup", 0, "freezer") = 0 umount2("/syzcgroup/net", 0) = 0 mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio,blkio,freezer") = ? ERESTARTNOINTR (To be restarted) [ 20.564300][ T30] audit: type=1400 audit(1712857637.038:66): avc: denied { execmem } for pid=293 comm="syz-executor102" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 20.567312][ T30] audit: type=1400 audit(1712857637.048:67): avc: denied { mounton } for pid=293 comm="syz-executor102" path="/syzcgroup/unified" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 20.568976][ T293] cgroup: Unknown subsys name 'net' [ 20.571505][ T30] audit: type=1400 audit(1712857637.048:68): avc: denied { mount } for pid=293 comm="syz-executor102" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 20.575078][ T30] audit: type=1400 audit(1712857637.048:69): avc: denied { unmount } for pid=293 comm="syz-executor102" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 20.575569][ T293] cgroup: Unknown subsys name 'devices' mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio,blkio,freezer") = ? ERESTARTNOINTR (To be restarted) mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio,blkio,freezer") = ? ERESTARTNOINTR (To be restarted) mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio,blkio,freezer") = ? ERESTARTNOINTR (To be restarted) mount("none", "/syzcgroup/net", "cgroup", 0, "net_prio,blkio,freezer") = 0 chmod("/syzcgroup/net", 0777) = 0 mkdir("/syzcgroup/cpu", 0777) = 0 mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset") = 0 umount2("/syzcgroup/cpu", 0) = 0 mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuacct") = 0 umount2("/syzcgroup/cpu", 0) = 0 mount("none", "/syzcgroup/cpu", "cgroup", 0, "hugetlb") = -1 EINVAL (Invalid argument) mount("none", "/syzcgroup/cpu", "cgroup", 0, "rlimit") = -1 EINVAL (Invalid argument) mount("none", "/syzcgroup/cpu", "cgroup", 0, "memory") = 0 umount2("/syzcgroup/cpu", 0) = 0 mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,memory") = ? ERESTARTNOINTR (To be restarted) [ 20.698368][ T293] cgroup: Unknown subsys name 'hugetlb' [ 20.703940][ T293] cgroup: Unknown subsys name 'rlimit' mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,memory") = ? ERESTARTNOINTR (To be restarted) mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,memory") = ? ERESTARTNOINTR (To be restarted) mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,memory") = ? ERESTARTNOINTR (To be restarted) mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,memory") = 0 chmod("/syzcgroup/cpu", 0777) = 0 openat(AT_FDCWD, "/syzcgroup/cpu/cgroup.clone_children", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/syzcgroup/cpu/cpuset.memory_pressure_enabled", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 getrandom("\x74\xcd\xf7\x34\xb6\x2d\xb1\x50", 8, GRND_NONBLOCK) = 8 mkdir("./syzkaller.grEVd3", 0700) = 0 chmod("./syzkaller.grEVd3", 0777) = 0 chdir("./syzkaller.grEVd3") = 0 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556919650) = 294 ./strace-static-x86_64: Process 294 attached [pid 294] set_robust_list(0x555556919660, 24) = 0 [pid 294] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 294] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 294] setsid() = 1 [pid 294] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 294] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 294] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 294] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 294] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 294] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 294] unshare(CLONE_NEWNS) = 0 [pid 294] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 294] unshare(CLONE_NEWIPC) = -1 EINVAL (Invalid argument) [pid 294] unshare(CLONE_NEWCGROUP) = 0 [pid 294] unshare(CLONE_NEWUTS) = 0 [pid 294] unshare(CLONE_SYSVSEM) = 0 [pid 294] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 294] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 294] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 294] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 294] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 294] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 294] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 294] getpid() = 1 [pid 294] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 295] set_robust_list(0x555556919660, 24) = 0 [pid 295] chdir("./0" [pid 294] <... clone resumed>, child_tidptr=0x555556919650) = 2 [pid 295] <... chdir resumed>) = 0 [pid 295] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 295] setpgid(0, 0) = 0 [pid 295] symlink("/syzcgroup/unified/syz0", "./cgroup") = 0 [pid 295] symlink("/syzcgroup/cpu/syz0", "./cgroup.cpu") = 0 [pid 295] symlink("/syzcgroup/net/syz0", "./cgroup.net") = 0 [pid 295] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1000", 4) = 4 [pid 295] close(3) = 0 [pid 295] symlink("/dev/binderfs", "./binderfs") = 0 [pid 295] mkdir("./file0", 000) = 0 [pid 295] mount(NULL, "./file0", "tmpfs", 0, NULL) = 0 [ 20.921662][ T30] audit: type=1400 audit(1712857637.338:74): avc: denied { mount } for pid=294 comm="syz-executor102" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1 [ 20.956352][ T30] audit: type=1400 audit(1712857637.438:75): avc: denied { mounton } for pid=295 comm="syz-executor102" path="/root/syzkaller.grEVd3/0/file0" dev="sda1" ino=1936 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [pid 295] mount("./file0", "./cgroup", "incremental-fs", 0, NULL) = 0 [pid 295] close(3) = -1 EBADF (Bad file descriptor) [pid 295] close(4) = -1 EBADF (Bad file descriptor) [pid 295] close(5) = -1 EBADF (Bad file descriptor) [pid 295] close(6) = -1 EBADF (Bad file descriptor) [pid 295] close(7) = -1 EBADF (Bad file descriptor) [pid 295] close(8) = -1 EBADF (Bad file descriptor) [pid 295] close(9) = -1 EBADF (Bad file descriptor) [pid 295] close(10) = -1 EBADF (Bad file descriptor) [pid 295] close(11) = -1 EBADF (Bad file descriptor) [pid 295] close(12) = -1 EBADF (Bad file descriptor) [pid 295] close(13) = -1 EBADF (Bad file descriptor) [pid 295] close(14) = -1 EBADF (Bad file descriptor) [pid 295] close(15) = -1 EBADF (Bad file descriptor) [pid 295] close(16) = -1 EBADF (Bad file descriptor) [pid 295] close(17) = -1 EBADF (Bad file descriptor) [pid 295] close(18) = -1 EBADF (Bad file descriptor) [pid 295] close(19) = -1 EBADF (Bad file descriptor) [pid 295] close(20) = -1 EBADF (Bad file descriptor) [pid 295] close(21) = -1 EBADF (Bad file descriptor) [pid 295] close(22) = -1 EBADF (Bad file descriptor) [pid 295] close(23) = -1 EBADF (Bad file descriptor) [pid 295] close(24) = -1 EBADF (Bad file descriptor) [pid 295] close(25) = -1 EBADF (Bad file descriptor) [pid 295] close(26) = -1 EBADF (Bad file descriptor) [pid 295] close(27) = -1 EBADF (Bad file descriptor) [pid 295] close(28) = -1 EBADF (Bad file descriptor) [pid 295] close(29) = -1 EBADF (Bad file descriptor) [pid 295] exit_group(0) = ? [pid 295] +++ exited with 0 +++ [pid 294] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- [pid 294] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 294] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 294] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 294] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 294] getdents64(3, 0x55555691a6f0 /* 7 entries */, 32768) = 208 [pid 294] umount2("./0/cgroup.cpu", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 294] newfstatat(AT_FDCWD, "./0/cgroup.cpu", {st_mode=S_IFLNK|0777, st_size=19, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 294] unlink("./0/cgroup.cpu") = 0 [pid 294] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 294] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 294] unlink("./0/binderfs") = 0 [pid 294] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 294] newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=80, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 294] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 294] openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [pid 294] newfstatat(4, "", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=80, ...}, AT_EMPTY_PATH) = 0 [pid 294] getdents64(4, 0x555556922730 /* 4 entries */, 32768) = 112 [pid 294] umount2("./0/file0/.incomplete", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 294] newfstatat(AT_FDCWD, "./0/file0/.incomplete", {st_mode=S_IFDIR|0700, st_size=40, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 294] umount2("./0/file0/.incomplete", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 294] openat(AT_FDCWD, "./0/file0/.incomplete", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 [pid 294] newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=40, ...}, AT_EMPTY_PATH) = 0 [pid 294] getdents64(5, 0x55555692a770 /* 2 entries */, 32768) = 48 [pid 294] getdents64(5, 0x55555692a770 /* 0 entries */, 32768) = 0 [pid 294] close(5) = 0 [pid 294] rmdir("./0/file0/.incomplete") = 0 [pid 294] umount2("./0/file0/.index", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 294] newfstatat(AT_FDCWD, "./0/file0/.index", {st_mode=S_IFDIR|0700, st_size=40, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 294] umount2("./0/file0/.index", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 294] openat(AT_FDCWD, "./0/file0/.index", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 [pid 294] newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=40, ...}, AT_EMPTY_PATH) = 0 [pid 294] getdents64(5, 0x55555692a770 /* 2 entries */, 32768) = 48 [pid 294] getdents64(5, 0x55555692a770 /* 0 entries */, 32768) = 0 [pid 294] close(5) = 0 [pid 294] rmdir("./0/file0/.index") = 0 [pid 294] getdents64(4, 0x555556922730 /* 0 entries */, 32768) = 0 [pid 294] close(4) = 0 [pid 294] rmdir("./0/file0") = -1 EBUSY (Device or resource busy) [pid 294] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 294] exit_group(1) = ? [ 20.957847][ T295] incfs: ino conflict with backing FS 1 [ 20.997878][ T294] ------------[ cut here ]------------ [ 21.003159][ T294] WARNING: CPU: 0 PID: 294 at fs/inode.c:307 drop_nlink+0xc1/0x110 [ 21.010979][ T294] Modules linked in: [ 21.014737][ T294] CPU: 1 PID: 294 Comm: syz-executor102 Not tainted 5.15.148-syzkaller-00718-g993bed180178 #0 [ 21.024866][ T294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 21.034796][ T294] RIP: 0010:drop_nlink+0xc1/0x110 [ 21.039599][ T294] Code: 1e 48 8d bb b8 04 00 00 be 08 00 00 00 e8 f7 fb f0 ff f0 48 ff 83 b8 04 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 3f e9 ae ff <0f> 0b eb 88 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 62 ff ff ff 4c [ 21.059065][ T294] RSP: 0018:ffffc90000987b28 EFLAGS: 00010293 [ 21.064931][ T294] RAX: ffffffff81c13841 RBX: 0000000000000000 RCX: ffff88811e948000 [ 21.072779][ T294] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 21.080584][ T294] RBP: ffffc90000987b50 R08: ffffffff81c137c4 R09: 0000000000000003 [ 21.088352][ T294] R10: fffff52000130f54 R11: dffffc0000000001 R12: dffffc0000000000 [ 21.096166][ T294] R13: 1ffff11023aa7af8 R14: ffff88811d53d778 R15: ffff88811d53d7c0 [ 21.103959][ T294] FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 21.112751][ T294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.119156][ T294] CR2: 00007f06dc4841b0 CR3: 000000010c55f000 CR4: 00000000003506b0 [ 21.126996][ T294] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 21.134773][ T294] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 21.143146][ T294] Call Trace: [ 21.146254][ T294] [ 21.149024][ T294] ? show_regs+0x58/0x60 [ 21.153101][ T294] ? __warn+0x160/0x2f0 [ 21.157112][ T294] ? drop_nlink+0xc1/0x110 [ 21.161348][ T294] ? report_bug+0x3d9/0x5b0 [ 21.165709][ T294] ? drop_nlink+0xc1/0x110 [ 21.169938][ T294] ? handle_bug+0x41/0x70 [ 21.174098][ T294] ? exc_invalid_op+0x1b/0x50 [ 21.178633][ T294] ? asm_exc_invalid_op+0x1b/0x20 [ 21.183478][ T294] ? drop_nlink+0x44/0x110 [ 21.187758][ T294] ? drop_nlink+0xc1/0x110 [ 21.191984][ T294] ? drop_nlink+0xc1/0x110 [ 21.196254][ T294] ? drop_nlink+0xc1/0x110 [ 21.200487][ T294] shmem_rmdir+0x59/0x90 [ 21.204564][ T294] vfs_rmdir+0x324/0x470 [ 21.208665][ T294] incfs_kill_sb+0x113/0x230 [ 21.213072][ T294] deactivate_locked_super+0xad/0x110 [ 21.218317][ T294] deactivate_super+0xbe/0xf0 [ 21.222796][ T294] cleanup_mnt+0x45c/0x510 [ 21.227082][ T294] __cleanup_mnt+0x19/0x20 [ 21.231318][ T294] task_work_run+0x129/0x190 [ 21.235762][ T294] do_exit+0xc48/0x2ca0 [ 21.239736][ T294] ? put_task_struct+0x80/0x80 [ 21.244331][ T294] ? ptrace_notify+0x24c/0x350 [ 21.248947][ T294] ? do_notify_parent+0xa30/0xa30 [ 21.253778][ T294] do_group_exit+0x141/0x310 [ 21.258224][ T294] __x64_sys_exit_group+0x3f/0x40 [ 21.263062][ T294] do_syscall_64+0x3d/0xb0 [ 21.267341][ T294] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 21.273043][ T294] RIP: 0033:0x7f06dc407909 [ 21.277315][ T294] Code: Unable to access opcode bytes at RIP 0x7f06dc4078df. [ 21.284499][ T294] RSP: 002b:00007ffdc4105478 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 21.292768][ T294] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f06dc407909 [ 21.300573][ T294] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 21.308389][ T294] RBP: 00007f06dc483350 R08: ffffffffffffffb8 R09: 0000000000000000 [ 21.316191][ T294] R10: 0000000000001000 R11: 0000000000000246 R12: 00007f06dc483350 [ 21.323994][ T294] R13: 0000000000000000 R14: 00007f06dc483da0 R15: 00007f06dc3d88f0 [ 21.331849][ T294] [ 21.334666][ T294] ---[ end trace 3654bf6f39f27fbf ]--- [ 21.340088][ T294] ================================================================== [ 21.347860][ T294] BUG: KASAN: null-ptr-deref in ihold+0x20/0x60 [ 21.353933][ T294] Write of size 4 at addr 0000000000000170 by task syz-executor102/294 [ 21.362003][ T294] [ 21.364177][ T294] CPU: 0 PID: 294 Comm: syz-executor102 Tainted: G W 5.15.148-syzkaller-00718-g993bed180178 #0 [ 21.375631][ T294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 21.385526][ T294] Call Trace: [ 21.388655][ T294] [ 21.391430][ T294] dump_stack_lvl+0x151/0x1b7 [ 21.395941][ T294] ? io_uring_drop_tctx_refs+0x190/0x190 [ 21.401411][ T294] kasan_report+0x16f/0x1c0 [ 21.405747][ T294] ? __kasan_check_write+0x14/0x20 [ 21.410692][ T294] ? ihold+0x20/0x60 [ 21.414425][ T294] ? ihold+0x20/0x60 [ 21.418161][ T294] kasan_check_range+0x293/0x2a0 [ 21.422939][ T294] __kasan_check_write+0x14/0x20 [ 21.427705][ T294] ihold+0x20/0x60 [ 21.431262][ T294] vfs_rmdir+0x201/0x470 [ 21.436628][ T294] incfs_kill_sb+0x113/0x230 [ 21.441050][ T294] deactivate_locked_super+0xad/0x110 [ 21.446628][ T294] deactivate_super+0xbe/0xf0 [ 21.451148][ T294] cleanup_mnt+0x45c/0x510 [ 21.455392][ T294] __cleanup_mnt+0x19/0x20 [ 21.459642][ T294] task_work_run+0x129/0x190 [ 21.464074][ T294] do_exit+0xc48/0x2ca0 [ 21.468065][ T294] ? put_task_struct+0x80/0x80 [ 21.472662][ T294] ? ptrace_notify+0x24c/0x350 [ 21.477260][ T294] ? do_notify_parent+0xa30/0xa30 [ 21.482121][ T294] do_group_exit+0x141/0x310 [ 21.486549][ T294] __x64_sys_exit_group+0x3f/0x40 [ 21.491407][ T294] do_syscall_64+0x3d/0xb0 [ 21.495661][ T294] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 21.501389][ T294] RIP: 0033:0x7f06dc407909 [ 21.505642][ T294] Code: Unable to access opcode bytes at RIP 0x7f06dc4078df. [ 21.512846][ T294] RSP: 002b:00007ffdc4105478 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 21.521949][ T294] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f06dc407909 [ 21.529753][ T294] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 21.537562][ T294] RBP: 00007f06dc483350 R08: ffffffffffffffb8 R09: 0000000000000000 [ 21.545376][ T294] R10: 0000000000001000 R11: 0000000000000246 R12: 00007f06dc483350 [ 21.553185][ T294] R13: 0000000000000000 R14: 00007f06dc483da0 R15: 00007f06dc3d88f0 [ 21.561005][ T294] [ 21.563863][ T294] ================================================================== [ 21.571759][ T294] Disabling lock debugging due to kernel taint [ 21.577858][ T294] BUG: kernel NULL pointer dereference, address: 0000000000000170 [ 21.585386][ T294] #PF: supervisor write access in kernel mode [ 21.591286][ T294] #PF: error_code(0x0002) - not-present page [ 21.597102][ T294] PGD 0 P4D 0 [ 21.600313][ T294] Oops: 0002 [#1] PREEMPT SMP KASAN [ 21.605348][ T294] CPU: 0 PID: 294 Comm: syz-executor102 Tainted: G B W 5.15.148-syzkaller-00718-g993bed180178 #0 [ 21.616802][ T294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 21.626697][ T294] RIP: 0010:ihold+0x25/0x60 [ 21.631037][ T294] Code: 00 00 00 00 00 55 48 89 e5 41 56 53 49 89 fe e8 51 e1 ae ff 49 8d be 70 01 00 00 be 04 00 00 00 e8 e0 f3 f0 ff bb 01 00 00 00 41 0f c1 9e 70 01 00 00 ff c3 bf 02 00 00 00 89 de e8 d4 e4 ae [ 21.650478][ T294] RSP: 0018:ffffc90000987b68 EFLAGS: 00010246 [ 21.656381][ T294] RAX: ffff88811e948000 RBX: 0000000000000001 RCX: ffff88811e948000 [ 21.664192][ T294] RDX: 0000000000000000 RSI: 0000000000000286 RDI: 00000000ffffffff [ 21.672001][ T294] RBP: ffffc90000987b78 R08: ffffffff81416e7b R09: 0000000000000003 [ 21.679812][ T294] R10: fffffbfff0e5224c R11: dffffc0000000001 R12: dffffc0000000000 [ 21.687625][ T294] R13: ffff88811bd88660 R14: 0000000000000000 R15: 1ffff110237b10d2 [ 21.695438][ T294] FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 21.704202][ T294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.710625][ T294] CR2: 0000000000000170 CR3: 0000000116054000 CR4: 00000000003506b0 [ 21.718437][ T294] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 21.726249][ T294] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 21.734059][ T294] Call Trace: [ 21.737183][ T294] [ 21.739961][ T294] ? __die_body+0x62/0xb0 [ 21.744128][ T294] ? __die+0x7e/0x90 [ 21.747858][ T294] ? page_fault_oops+0x7f9/0xa90 [ 21.752629][ T294] ? _raw_spin_unlock+0x4d/0x70 [ 21.757319][ T294] ? kernelmode_fixup_or_oops+0x270/0x270 [ 21.762871][ T294] ? __schedule+0xcd4/0x1590 [ 21.767304][ T294] ? exc_page_fault+0x521/0x830 [ 21.771990][ T294] ? asm_exc_page_fault+0x27/0x30 [ 21.776852][ T294] ? check_panic_on_warn+0x5b/0xb0 [ 21.781794][ T294] ? ihold+0x25/0x60 [ 21.785526][ T294] ? ihold+0x20/0x60 [ 21.789259][ T294] vfs_rmdir+0x201/0x470 [ 21.793339][ T294] incfs_kill_sb+0x113/0x230 [ 21.797763][ T294] deactivate_locked_super+0xad/0x110 [ 21.802973][ T294] deactivate_super+0xbe/0xf0 [ 21.807486][ T294] cleanup_mnt+0x45c/0x510 [ 21.811737][ T294] __cleanup_mnt+0x19/0x20 [ 21.815990][ T294] task_work_run+0x129/0x190 [ 21.820416][ T294] do_exit+0xc48/0x2ca0 [ 21.824413][ T294] ? put_task_struct+0x80/0x80 [ 21.829010][ T294] ? ptrace_notify+0x24c/0x350 [ 21.833608][ T294] ? do_notify_parent+0xa30/0xa30 [ 21.838472][ T294] do_group_exit+0x141/0x310 [ 21.842897][ T294] __x64_sys_exit_group+0x3f/0x40 [ 21.847758][ T294] do_syscall_64+0x3d/0xb0 [ 21.852009][ T294] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 21.857735][ T294] RIP: 0033:0x7f06dc407909 [ 21.861990][ T294] Code: Unable to access opcode bytes at RIP 0x7f06dc4078df. [ 21.869195][ T294] RSP: 002b:00007ffdc4105478 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 21.877437][ T294] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f06dc407909 [ 21.885248][ T294] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 21.893061][ T294] RBP: 00007f06dc483350 R08: ffffffffffffffb8 R09: 0000000000000000 [ 21.900870][ T294] R10: 0000000000001000 R11: 0000000000000246 R12: 00007f06dc483350 [ 21.908687][ T294] R13: 0000000000000000 R14: 00007f06dc483da0 R15: 00007f06dc3d88f0 [ 21.916500][ T294] [ 21.919357][ T294] Modules linked in: [ 21.923092][ T294] CR2: 0000000000000170 [ 21.927087][ T294] ---[ end trace 3654bf6f39f27fc0 ]--- [ 21.932378][ T294] RIP: 0010:ihold+0x25/0x60 [ 21.936716][ T294] Code: 00 00 00 00 00 55 48 89 e5 41 56 53 49 89 fe e8 51 e1 ae ff 49 8d be 70 01 00 00 be 04 00 00 00 e8 e0 f3 f0 ff bb 01 00 00 00 41 0f c1 9e 70 01 00 00 ff c3 bf 02 00 00 00 89 de e8 d4 e4 ae [ 21.956157][ T294] RSP: 0018:ffffc90000987b68 EFLAGS: 00010246 [ 21.962058][ T294] RAX: ffff88811e948000 RBX: 0000000000000001 RCX: ffff88811e948000 [ 21.969872][ T294] RDX: 0000000000000000 RSI: 0000000000000286 RDI: 00000000ffffffff [ 21.977679][ T294] RBP: ffffc90000987b78 R08: ffffffff81416e7b R09: 0000000000000003 [ 21.985493][ T294] R10: fffffbfff0e5224c R11: dffffc0000000001 R12: dffffc0000000000 [ 21.993303][ T294] R13: ffff88811bd88660 R14: 0000000000000000 R15: 1ffff110237b10d2 [ 22.001116][ T294] FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 22.009884][ T294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.016304][ T294] CR2: 0000000000000170 CR3: 0000000116054000 CR4: 00000000003506b0 [ 22.024119][ T294] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.031927][ T294] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.039740][ T294] Kernel panic - not syncing: Fatal exception [ 22.046204][ T294] Kernel Offset: disabled [ 22.050324][ T294] Rebooting in 86400 seconds..