./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor535054816 <...> Warning: Permanently added '10.128.1.240' (ED25519) to the list of known hosts. execve("./syz-executor535054816", ["./syz-executor535054816"], 0x7ffc4de50bd0 /* 10 vars */) = 0 brk(NULL) = 0x55556d51e000 brk(0x55556d51ed00) = 0x55556d51ed00 arch_prctl(ARCH_SET_FS, 0x55556d51e380) = 0 set_tid_address(0x55556d51e650) = 5826 set_robust_list(0x55556d51e660, 24) = 0 rseq(0x55556d51eca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor535054816", 4096) = 27 getrandom("\xdc\xb8\x25\xcf\x16\x31\xeb\xdd", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556d51ed00 brk(0x55556d53fd00) = 0x55556d53fd00 brk(0x55556d540000) = 0x55556d540000 mprotect(0x7ff0fe81c000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 mkdir("./syzkaller.duGaU0", 0700) = 0 chmod("./syzkaller.duGaU0", 0777) = 0 chdir("./syzkaller.duGaU0") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556d51e650) = 5827 ./strace-static-x86_64: Process 5827 attached [pid 5827] set_robust_list(0x55556d51e660, 24) = 0 [pid 5827] chdir("./0") = 0 [pid 5827] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5827] setpgid(0, 0) = 0 [pid 5827] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5827] write(3, "1000", 4) = 4 [pid 5827] close(3) = 0 [pid 5827] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5827] write(1, "executing program\n", 18executing program ) = 18 [pid 5827] memfd_create("syzkaller", 0) = 3 [pid 5827] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff0f6200000 [pid 5827] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x08\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\x01\x00\x00\x00\x51\x49\x92\x54\x8e\xa5\x9a\x39\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5827] munmap(0x7ff0f6200000, 138412032) = 0 [pid 5827] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5827] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5827] close(3) = 0 [pid 5827] close(4) = 0 [pid 5827] mkdir("./bus", 0777) = 0 [pid 5827] mount("/dev/loop0", "./bus", "ntfs3", 0, "") = 0 [pid 5827] openat(AT_FDCWD, "./bus", O_RDONLY|O_DIRECTORY) = 3 [pid 5827] chdir("./bus") = 0 [pid 5827] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 85.794695][ T5827] loop0: detected capacity change from 0 to 4096 [pid 5827] openat(AT_FDCWD, "./bus", O_RDWR|O_CREAT|O_APPEND|O_SYNC, 000) = 4 [pid 5827] mkdir(".", 0777) = -1 EEXIST (File exists) [pid 5827] mount(NULL, ".", 0x200000000f40, MS_NOEXEC|MS_SYNCHRONOUS|MS_REMOUNT|MS_NOATIME|MS_MOVE|MS_SILENT|MS_PRIVATE|MS_RELATIME|MS_I_VERSION|MS_STRICTATIME, "") = 0 [pid 5827] openat(AT_FDCWD, ".", O_RDONLY|O_DIRECTORY) = 5 [pid 5827] chdir(".") = 0 [pid 5827] open(".", O_RDONLY) = 6 [pid 5827] fcntl(6, F_NOTIFY, DN_ACCESS|DN_MODIFY|DN_CREATE|DN_DELETE|DN_RENAME|DN_MULTISHOT) = 0 [pid 5827] open("./file0", O_RDONLY|O_CREAT|O_NONBLOCK|O_NOFOLLOW|O_NOATIME, 000) = -1 EINVAL (Invalid argument) [pid 5827] exit_group(0) = ? [pid 5827] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5827, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} --- umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 85.909093][ T5827] ntfs3(loop0): ino=5, "/" mi_enum_attr [ 85.914758][ T5827] ntfs3(loop0): Mark volume as dirty due to NTFS errors openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55556d51f6f0 /* 4 entries */, 32768) = 104 umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("./0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/bus", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/bus", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55556d527730 /* 2 entries */, 32768) = 48 getdents64(4, 0x55556d527730 /* 0 entries */, 32768) = 0 close(4) = 0 [ 86.068709][ T3547] ------------[ cut here ]------------ [ 86.074274][ T3547] kernel BUG at fs/notify/dnotify/dnotify.c:134! [ 86.080750][ T3547] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI [ 86.087028][ T3547] CPU: 1 UID: 0 PID: 3547 Comm: kworker/u8:11 Not tainted 6.16.0-rc3-syzkaller-00057-g92ca6c498a5e #0 PREEMPT(full) [ 86.099267][ T3547] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 86.109327][ T3547] Workqueue: events_unbound fsnotify_mark_destroy_workfn rmdir("./0/bus") = 0 [ 86.116388][ T3547] RIP: 0010:dnotify_free_mark+0x58/0x60 [ 86.121959][ T3547] Code: 89 f7 e8 fb 2e db ff 49 83 3e 00 75 17 e8 e0 d6 79 ff 48 8b 3d 31 c4 72 0b 48 89 de 5b 41 5e e9 7e 67 d0 ff e8 c9 d6 79 ff 90 <0f> 0b cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 86.141569][ T3547] RSP: 0018:ffffc9000c8479a8 EFLAGS: 00010293 [ 86.147628][ T3547] RAX: ffffffff82467557 RBX: ffff888077aa2000 RCX: ffff888031a11e00 [ 86.155598][ T3547] RDX: 0000000000000000 RSI: ffffffff8d96ea60 RDI: ffff888077aa2000 [ 86.163566][ T3547] RBP: ffffc9000c847a70 R08: ffffffff8f9fe1f7 R09: 1ffffffff1f3fc3e [ 86.171536][ T3547] R10: dffffc0000000000 R11: ffffffff82467500 R12: 1ffff1100ef54402 [ 86.179506][ T3547] R13: dffffc0000000000 R14: ffff888077aa2080 R15: ffffffff8b99fae8 [ 86.187472][ T3547] FS: 0000000000000000(0000) GS:ffff888125d83000(0000) knlGS:0000000000000000 [ 86.196398][ T3547] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 86.202979][ T3547] CR2: 00007f9794d8dd30 CR3: 0000000074e16000 CR4: 00000000003526f0 [ 86.210975][ T3547] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 86.218960][ T3547] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 86.226962][ T3547] Call Trace: [ 86.230291][ T3547] [ 86.233242][ T3547] fsnotify_mark_destroy_workfn+0x255/0x2f0 [ 86.239169][ T3547] ? __pfx_fsnotify_mark_destroy_workfn+0x10/0x10 [ 86.245623][ T3547] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.250855][ T3547] ? process_scheduled_works+0x9ef/0x17b0 [ 86.256605][ T3547] ? process_scheduled_works+0x9ef/0x17b0 [ 86.262338][ T3547] process_scheduled_works+0xade/0x17b0 [ 86.267906][ T3547] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.273896][ T3547] worker_thread+0x8a0/0xda0 [ 86.278496][ T3547] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 86.284843][ T3547] ? __kthread_parkme+0x7b/0x200 [ 86.289789][ T3547] kthread+0x70e/0x8a0 [ 86.293857][ T3547] ? __pfx_worker_thread+0x10/0x10 [ 86.298981][ T3547] ? __pfx_kthread+0x10/0x10 [ 86.303577][ T3547] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.308781][ T3547] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.314009][ T3547] ? __pfx_kthread+0x10/0x10 getdents64(3, 0x55556d51f6f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 [ 86.318604][ T3547] ret_from_fork+0x3fc/0x770 [ 86.323201][ T3547] ? __pfx_ret_from_fork+0x10/0x10 [ 86.328326][ T3547] ? __switch_to_asm+0x39/0x70 [ 86.333092][ T3547] ? __switch_to_asm+0x33/0x70 [ 86.337856][ T3547] ? __pfx_kthread+0x10/0x10 [ 86.342454][ T3547] ret_from_fork_asm+0x1a/0x30 [ 86.347229][ T3547] [ 86.350252][ T3547] Modules linked in: [ 86.355427][ T3547] ---[ end trace 0000000000000000 ]--- [ 86.361602][ T3547] RIP: 0010:dnotify_free_mark+0x58/0x60 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5829 attached , child_tidptr=0x55556d51e650) = 5829 [pid 5829] set_robust_list(0x55556d51e660, 24) = 0 [pid 5829] chdir("./1") = 0 [pid 5829] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5829] setpgid(0, 0) = 0 [ 86.367202][ T3547] Code: 89 f7 e8 fb 2e db ff 49 83 3e 00 75 17 e8 e0 d6 79 ff 48 8b 3d 31 c4 72 0b 48 89 de 5b 41 5e e9 7e 67 d0 ff e8 c9 d6 79 ff 90 <0f> 0b cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 86.387381][ T3547] RSP: 0018:ffffc9000c8479a8 EFLAGS: 00010293 [ 86.393576][ T3547] RAX: ffffffff82467557 RBX: ffff888077aa2000 RCX: ffff888031a11e00 [ 86.401594][ T3547] RDX: 0000000000000000 RSI: ffffffff8d96ea60 RDI: ffff888077aa2000 [ 86.409606][ T3547] RBP: ffffc9000c847a70 R08: ffffffff8f9fe1f7 R09: 1ffffffff1f3fc3e [pid 5829] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5829] write(3, "1000", 4) = 4 [pid 5829] close(3) = 0 [pid 5829] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5829] write(1, "executing program\n", 18executing program ) = 18 [pid 5829] memfd_create("syzkaller", 0) = 3 [ 86.417600][ T3547] R10: dffffc0000000000 R11: ffffffff82467500 R12: 1ffff1100ef54402 [ 86.425640][ T3547] R13: dffffc0000000000 R14: ffff888077aa2080 R15: ffffffff8b99fae8 [ 86.433652][ T3547] FS: 0000000000000000(0000) GS:ffff888125c83000(0000) knlGS:0000000000000000 [ 86.442632][ T3547] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 86.449256][ T3547] CR2: 00007ff0fe787203 CR3: 00000000335f8000 CR4: 00000000003526f0 [ 86.457235][ T3547] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 86.465254][ T3547] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 86.473272][ T3547] Kernel panic - not syncing: Fatal exception [ 86.479688][ T3547] Kernel Offset: disabled [ 86.484020][ T3547] Rebooting in 86400 seconds..