./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4235950383
<...>
Warning: Permanently added '10.128.0.53' (ED25519) to the list of known hosts.
execve("./syz-executor4235950383", ["./syz-executor4235950383"], 0x7ffe6140ccc0 /* 10 vars */) = 0
brk(NULL) = 0x555593071000
brk(0x555593071d00) = 0x555593071d00
arch_prctl(ARCH_SET_FS, 0x555593071380) = 0
set_tid_address(0x555593071650) = 5817
set_robust_list(0x555593071660, 24) = 0
rseq(0x555593071ca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor4235950383", 4096) = 28
getrandom("\x1e\xa1\x03\x45\xd3\x31\xb4\x29", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555593071d00
brk(0x555593092d00) = 0x555593092d00
brk(0x555593093000) = 0x555593093000
mprotect(0x7f882f4b2000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getrandom("\x93\xc9\x3f\x63\x4c\x93\xd5\x75", 8, GRND_NONBLOCK) = 8
mkdir("./syzkaller.5FW75p", 0700) = 0
chmod("./syzkaller.5FW75p", 0777) = 0
chdir("./syzkaller.5FW75p") = 0
mkdir("./0", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5819 attached
, child_tidptr=0x555593071650) = 5819
[pid 5819] set_robust_list(0x555593071660, 24) = 0
[pid 5819] chdir("./0") = 0
[pid 5819] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5819] setpgid(0, 0) = 0
[pid 5819] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5819] write(3, "1000", 4) = 4
[pid 5819] close(3) = 0
[pid 5819] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5819] write(1, "executing program\n", 18executing program
) = 18
[pid 5819] memfd_create("syzkaller", 0) = 3
[pid 5819] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8826e00000
[pid 5819] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536
[pid 5819] munmap(0x7f8826e00000, 138412032) = 0
[pid 5819] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5819] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5819] close(3) = 0
[pid 5819] close(4) = 0
[pid 5819] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0
[ 81.188978][ T5819] loop0: detected capacity change from 0 to 128
[pid 5819] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\xae\x7a\x0d\xad\xf2\x49\x84\x17\x43\x36\xc1\x9b\xd4\xf6\xeb\x98\xb0\xc5\x0f\x5a\x9b\xd5\x28\x6d\x2e\x7f\x0e\x4f\x05\x4a\x25\x41\x4a\xa3\x2f\xde\xef\x45\x06\x96\xd1\x5e\x12\x87\x04\xaf\x02\x2d\xe1\x41\x73\xeb\xb7\x60\xe3\x2e\x88\x9e\x14"...) = 0
[pid 5819] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3
[pid 5819] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0
[pid 5819] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy)
[pid 5819] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_SYNC, 000) = -1 EIO (Input/output error)
[pid 5819] exit_group(0) = ?
[pid 5819] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5819, si_uid=0, si_status=0, si_utime=0, si_stime=4 /* 0.04 s */} ---
[ 81.231507][ T5819] VFS: Found a Xenix FS (block size = 1024) on device loop0
[ 81.260456][ T5819] syz-executor423: attempt to access beyond end of device
[ 81.260456][ T5819] loop0: rw=2049, sector=6491536, nr_sectors = 2 limit=128
umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555930726f0 /* 4 entries */, 32768) = 176
umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/binderfs") = 0
[ 81.387529][ T5817] sysv_free_block: flc_count > flc_size
[ 81.393193][ T5817] sysv_free_block: flc_count > flc_size
[ 81.398834][ T5817] sysv_free_block: flc_count > flc_size
[ 81.404507][ T5817] sysv_free_block: flc_count > flc_size
[ 81.410077][ T5817] sysv_free_block: flc_count > flc_size
[ 81.415712][ T5817] sysv_free_block: flc_count > flc_size
[ 81.421278][ T5817] sysv_free_block: flc_count > flc_size
[ 81.426887][ T5817] sysv_free_block: flc_count > flc_size
[ 81.432453][ T5817] sysv_free_block: flc_count > flc_size
umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = 0
umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
[ 81.438060][ T5817] sysv_free_block: flc_count > flc_size
[ 81.444338][ T5817] sysv_free_inode: inode 0,1,2 or nonexistent inode
umount2("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x55559307a730 /* 2 entries */, 32768) = 48
getdents64(4, 0x55559307a730 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("\x2e\x2f\x30\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0
getdents64(3, 0x5555930726f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./0") = 0
mkdir("./1", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = 0
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5820 attached
<unfinished ...>
[pid 5820] set_robust_list(0x555593071660, 24 <unfinished ...>
[pid 5817] <... clone resumed>, child_tidptr=0x555593071650) = 5820
[pid 5820] <... set_robust_list resumed>) = 0
[pid 5820] chdir("./1") = 0
[pid 5820] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5820] setpgid(0, 0) = 0
[pid 5820] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5820] write(3, "1000", 4) = 4
[pid 5820] close(3) = 0
[pid 5820] symlink("/dev/binderfs", "./binderfs") = 0
executing program
[pid 5820] write(1, "executing program\n", 18) = 18
[pid 5820] memfd_create("syzkaller", 0) = 3
[pid 5820] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8826e00000
[pid 5820] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536
[pid 5820] munmap(0x7f8826e00000, 138412032) = 0
[pid 5820] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5820] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5820] close(3) = 0
[pid 5820] close(4) = 0
[pid 5820] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0
[pid 5820] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\xae\x7a\x0d\xad\xf2\x49\x84\x17\x43\x36\xc1\x9b\xd4\xf6\xeb\x98\xb0\xc5\x0f\x5a\x9b\xd5\x28\x6d\x2e\x7f\x0e\x4f\x05\x4a\x25\x41\x4a\xa3\x2f\xde\xef\x45\x06\x96\xd1\x5e\x12\x87\x04\xaf\x02\x2d\xe1\x41\x73\xeb\xb7\x60\xe3\x2e\x88\x9e\x14"...) = 0
[pid 5820] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3
[pid 5820] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0
[ 81.775531][ T5820] loop0: detected capacity change from 0 to 128
[ 81.810932][ T5820] VFS: Found a Xenix FS (block size = 1024) on device loop0
[pid 5820] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy)
[pid 5820] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_SYNC, 000) = -1 EIO (Input/output error)
[pid 5820] exit_group(0) = ?
[pid 5820] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5820, si_uid=0, si_status=0, si_utime=0, si_stime=2 /* 0.02 s */} ---
umount2("./1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555930726f0 /* 4 entries */, 32768) = 176
[ 81.873119][ T5820] syz-executor423: attempt to access beyond end of device
[ 81.873119][ T5820] loop0: rw=2049, sector=6491536, nr_sectors = 2 limit=128
umount2("./1/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./1/binderfs") = 0
[ 81.978772][ T5817] sysv_free_block: flc_count > flc_size
[ 81.984402][ T5817] sysv_free_block: flc_count > flc_size
[ 81.990098][ T5817] sysv_free_block: flc_count > flc_size
[ 81.995781][ T5817] sysv_free_block: flc_count > flc_size
[ 82.001360][ T5817] sysv_free_block: flc_count > flc_size
[ 82.007006][ T5817] sysv_free_block: flc_count > flc_size
[ 82.012597][ T5817] sysv_free_block: flc_count > flc_size
[ 82.018214][ T5817] sysv_free_block: flc_count > flc_size
umount2("\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = 0
umount2("\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
umount2("\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
[ 82.023790][ T5817] sysv_free_block: flc_count > flc_size
[ 82.029435][ T5817] sysv_free_block: flc_count > flc_size
[ 82.035358][ T5817] sysv_free_inode: inode 0,1,2 or nonexistent inode
openat(AT_FDCWD, "\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x55559307a730 /* 2 entries */, 32768) = 48
getdents64(4, 0x55559307a730 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("\x2e\x2f\x31\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0
getdents64(3, 0x5555930726f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./1") = 0
mkdir("./2", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = 0
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5821 attached
, child_tidptr=0x555593071650) = 5821
[pid 5821] set_robust_list(0x555593071660, 24) = 0
[pid 5821] chdir("./2") = 0
[pid 5821] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5821] setpgid(0, 0) = 0
[pid 5821] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5821] write(3, "1000", 4) = 4
[pid 5821] close(3) = 0
[pid 5821] symlink("/dev/binderfs", "./binderfs") = 0
executing program
[pid 5821] write(1, "executing program\n", 18) = 18
[pid 5821] memfd_create("syzkaller", 0) = 3
[pid 5821] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8826e00000
[pid 5821] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536
[pid 5821] munmap(0x7f8826e00000, 138412032) = 0
[pid 5821] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5821] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5821] close(3) = 0
[pid 5821] close(4) = 0
[pid 5821] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0
[pid 5821] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\xae\x7a\x0d\xad\xf2\x49\x84\x17\x43\x36\xc1\x9b\xd4\xf6\xeb\x98\xb0\xc5\x0f\x5a\x9b\xd5\x28\x6d\x2e\x7f\x0e\x4f\x05\x4a\x25\x41\x4a\xa3\x2f\xde\xef\x45\x06\x96\xd1\x5e\x12\x87\x04\xaf\x02\x2d\xe1\x41\x73\xeb\xb7\x60\xe3\x2e\x88\x9e\x14"...) = 0
[pid 5821] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3
[pid 5821] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0
[pid 5821] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy)
[ 82.325431][ T5821] loop0: detected capacity change from 0 to 128
[ 82.360315][ T5821] VFS: Found a Xenix FS (block size = 1024) on device loop0
[pid 5821] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_SYNC, 000) = -1 EIO (Input/output error)
[pid 5821] exit_group(0) = ?
[pid 5821] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5821, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} ---
umount2("./2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
[ 82.402774][ T5821] unable to read i-node block
[ 82.407952][ T5821] syz-executor423: attempt to access beyond end of device
[ 82.407952][ T5821] loop0: rw=2049, sector=6491536, nr_sectors = 2 limit=128
[ 82.422510][ T5821] sysv_free_inode: unable to read inode block on device loop0
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555930726f0 /* 4 entries */, 32768) = 176
umount2("./2/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./2/binderfs") = 0
[ 82.549802][ T5817] sysv_free_block: flc_count > flc_size
[ 82.555530][ T5817] sysv_free_block: flc_count > flc_size
[ 82.561085][ T5817] sysv_free_block: flc_count > flc_size
[ 82.566690][ T5817] sysv_free_block: flc_count > flc_size
[ 82.572270][ T5817] sysv_free_block: flc_count > flc_size
[ 82.578078][ T5817] sysv_free_block: flc_count > flc_size
[ 82.583668][ T5817] sysv_free_block: flc_count > flc_size
[ 82.589612][ T5817] sysv_free_block: flc_count > flc_size
umount2("\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = 0
umount2("\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
umount2("\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
[ 82.595312][ T5817] sysv_free_block: flc_count > flc_size
[ 82.600911][ T5817] sysv_free_block: flc_count > flc_size
[ 82.607530][ T5817] sysv_free_inode: inode 0,1,2 or nonexistent inode
openat(AT_FDCWD, "\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x55559307a730 /* 2 entries */, 32768) = 48
getdents64(4, 0x55559307a730 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("\x2e\x2f\x32\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0
getdents64(3, 0x5555930726f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./2") = 0
mkdir("./3", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = 0
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5822 attached
, child_tidptr=0x555593071650) = 5822
[pid 5822] set_robust_list(0x555593071660, 24) = 0
[pid 5822] chdir("./3") = 0
[pid 5822] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5822] setpgid(0, 0) = 0
[pid 5822] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5822] write(3, "1000", 4) = 4
[pid 5822] close(3) = 0
[pid 5822] symlink("/dev/binderfs", "./binderfs") = 0
executing program
[pid 5822] write(1, "executing program\n", 18) = 18
[pid 5822] memfd_create("syzkaller", 0) = 3
[pid 5822] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8826e00000
[pid 5822] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536
[pid 5822] munmap(0x7f8826e00000, 138412032) = 0
[pid 5822] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5822] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5822] close(3) = 0
[pid 5822] close(4) = 0
[pid 5822] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0
[ 82.931559][ T5822] loop0: detected capacity change from 0 to 128
[pid 5822] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\xae\x7a\x0d\xad\xf2\x49\x84\x17\x43\x36\xc1\x9b\xd4\xf6\xeb\x98\xb0\xc5\x0f\x5a\x9b\xd5\x28\x6d\x2e\x7f\x0e\x4f\x05\x4a\x25\x41\x4a\xa3\x2f\xde\xef\x45\x06\x96\xd1\x5e\x12\x87\x04\xaf\x02\x2d\xe1\x41\x73\xeb\xb7\x60\xe3\x2e\x88\x9e\x14"...) = 0
[pid 5822] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3
[pid 5822] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0
[pid 5822] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy)
[ 82.974551][ T5822] VFS: Found a Xenix FS (block size = 1024) on device loop0
[pid 5822] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_SYNC, 000) = -1 EIO (Input/output error)
[pid 5822] exit_group(0) = ?
[pid 5822] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5822, si_uid=0, si_status=0, si_utime=0, si_stime=4 /* 0.04 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
[ 83.017643][ T5822] syz-executor423: attempt to access beyond end of device
[ 83.017643][ T5822] loop0: rw=2049, sector=6491536, nr_sectors = 2 limit=128
[ 83.042079][ T5822] syz-executor423 (5822) used greatest stack depth: 18672 bytes left
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555930726f0 /* 4 entries */, 32768) = 176
umount2("./3/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./3/binderfs") = 0
[ 83.178267][ T5817] sysv_free_block: flc_count > flc_size
[ 83.183898][ T5817] sysv_free_block: flc_count > flc_size
[ 83.189630][ T5817] sysv_free_block: flc_count > flc_size
[ 83.195331][ T5817] sysv_free_block: flc_count > flc_size
[ 83.200920][ T5817] sysv_free_block: flc_count > flc_size
[ 83.206633][ T5817] sysv_free_block: flc_count > flc_size
[ 83.212243][ T5817] sysv_free_block: flc_count > flc_size
[ 83.217875][ T5817] sysv_free_block: flc_count > flc_size
umount2("\x2e\x2f\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = 0
umount2("\x2e\x2f\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "\x2e\x2f\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
umount2("\x2e\x2f\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "\x2e\x2f\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
[ 83.223496][ T5817] sysv_free_block: flc_count > flc_size
[ 83.229170][ T5817] sysv_free_block: flc_count > flc_size
[ 83.235223][ T5817] sysv_free_inode: inode 0,1,2 or nonexistent inode
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x55559307a730 /* 2 entries */, 32768) = 48
getdents64(4, 0x55559307a730 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("\x2e\x2f\x33\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0
getdents64(3, 0x5555930726f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./3") = 0
mkdir("./4", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = 0
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555593071650) = 5823
./strace-static-x86_64: Process 5823 attached
[pid 5823] set_robust_list(0x555593071660, 24) = 0
[pid 5823] chdir("./4") = 0
[pid 5823] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5823] setpgid(0, 0) = 0
[pid 5823] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5823] write(3, "1000", 4) = 4
[pid 5823] close(3) = 0
[pid 5823] symlink("/dev/binderfs", "./binderfs") = 0
executing program
[pid 5823] write(1, "executing program\n", 18) = 18
[pid 5823] memfd_create("syzkaller", 0) = 3
[pid 5823] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8826e00000
[pid 5823] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536
[pid 5823] munmap(0x7f8826e00000, 138412032) = 0
[pid 5823] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5823] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5823] close(3) = 0
[pid 5823] close(4) = 0
[pid 5823] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0
[pid 5823] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\xae\x7a\x0d\xad\xf2\x49\x84\x17\x43\x36\xc1\x9b\xd4\xf6\xeb\x98\xb0\xc5\x0f\x5a\x9b\xd5\x28\x6d\x2e\x7f\x0e\x4f\x05\x4a\x25\x41\x4a\xa3\x2f\xde\xef\x45\x06\x96\xd1\x5e\x12\x87\x04\xaf\x02\x2d\xe1\x41\x73\xeb\xb7\x60\xe3\x2e\x88\x9e\x14"...) = 0
[pid 5823] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3
[pid 5823] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0
[pid 5823] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy)
[ 83.505479][ T5823] loop0: detected capacity change from 0 to 128
[ 83.542496][ T5823] VFS: Found a Xenix FS (block size = 1024) on device loop0
[pid 5823] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_SYNC, 000) = -1 EIO (Input/output error)
[pid 5823] exit_group(0) = ?
[pid 5823] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5823, si_uid=0, si_status=0, si_utime=0, si_stime=3 /* 0.03 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./4", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
[ 83.567975][ T5823] syz-executor423: attempt to access beyond end of device
[ 83.567975][ T5823] loop0: rw=2049, sector=6491536, nr_sectors = 2 limit=128
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555930726f0 /* 4 entries */, 32768) = 176
umount2("./4/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./4/binderfs") = 0
[ 83.704426][ T5817] sysv_free_block: flc_count > flc_size
[ 83.710351][ T5817] sysv_free_block: flc_count > flc_size
[ 83.716009][ T5817] sysv_free_block: flc_count > flc_size
[ 83.721603][ T5817] sysv_free_block: flc_count > flc_size
[ 83.727336][ T5817] sysv_free_block: flc_count > flc_size
[ 83.732932][ T5817] sysv_free_block: flc_count > flc_size
[ 83.738567][ T5817] sysv_free_block: flc_count > flc_size
[ 83.744244][ T5817] sysv_free_block: flc_count > flc_size
umount2("\x2e\x2f\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = 0
umount2("\x2e\x2f\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "\x2e\x2f\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
umount2("\x2e\x2f\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
[ 83.749993][ T5817] sysv_free_block: flc_count > flc_size
[ 83.755598][ T5817] sysv_free_block: flc_count > flc_size
[ 83.761458][ T5817] sysv_free_inode: inode 0,1,2 or nonexistent inode
openat(AT_FDCWD, "\x2e\x2f\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x55559307a730 /* 2 entries */, 32768) = 48
getdents64(4, 0x55559307a730 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("\x2e\x2f\x34\x2f\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38") = 0
getdents64(3, 0x5555930726f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./4") = 0
mkdir("./5", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = 0
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5824 attached
, child_tidptr=0x555593071650) = 5824
[pid 5824] set_robust_list(0x555593071660, 24) = 0
[pid 5824] chdir("./5") = 0
[pid 5824] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5824] setpgid(0, 0) = 0
[pid 5824] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5824] write(3, "1000", 4) = 4
[pid 5824] close(3) = 0
[pid 5824] symlink("/dev/binderfs", "./binderfs") = 0
executing program
[pid 5824] write(1, "executing program\n", 18) = 18
[pid 5824] memfd_create("syzkaller", 0) = 3
[pid 5824] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8826e00000
[pid 5824] write(3, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536
[pid 5824] munmap(0x7f8826e00000, 138412032) = 0
[pid 5824] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5824] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5824] close(3) = 0
[pid 5824] close(4) = 0
[pid 5824] mkdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", 0777) = 0
[ 84.083378][ T5824] loop0: detected capacity change from 0 to 128
[pid 5824] mount("/dev/loop0", "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", "sysv", 0, "\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\xae\x7a\x0d\xad\xf2\x49\x84\x17\x43\x36\xc1\x9b\xd4\xf6\xeb\x98\xb0\xc5\x0f\x5a\x9b\xd5\x28\x6d\x2e\x7f\x0e\x4f\x05\x4a\x25\x41\x4a\xa3\x2f\xde\xef\x45\x06\x96\xd1\x5e\x12\x87\x04\xaf\x02\x2d\xe1\x41\x73\xeb\xb7\x60\xe3\x2e\x88\x9e\x14"...) = 0
[pid 5824] openat(AT_FDCWD, "\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f", O_RDONLY|O_DIRECTORY) = 3
[pid 5824] chdir("\x13\x13\x77\xc5\xfc\x35\xd4\x14\x54\xd5\xd4\x1d\x29\xad\x1a\x60\x29\x59\x81\x46\xe6\xbe\x16\x6e\x41\xad\x0d\xbd\x40\x54\x03\x3c\x9f\x33\xbb\xda\x82\x24\xa2\xf3\xd7\x72\xe7\x63\x6e\x48\xb3\x3c\xbf\x70\x83\x72\xe8\xf1\xb9\x93\x3e\xc5\x12\x77\x43\xbe\x22\x06\x20\x9e\xf0\x2d\xf9\xcb\xf2\xf6\xe8\x80\xd3\x38\x2f") = 0
[pid 5824] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy)
[ 84.126121][ T5824] VFS: Found a Xenix FS (block size = 1024) on device loop0
[ 84.138100][ T5824] ==================================================================
[ 84.146192][ T5824] BUG: KASAN: use-after-free in sysv_new_inode+0xfc7/0x1160
[ 84.153514][ T5824] Read of size 2 at addr ffff8880765f31ce by task syz-executor423/5824
[ 84.161777][ T5824]
[ 84.164126][ T5824] CPU: 1 UID: 0 PID: 5824 Comm: syz-executor423 Not tainted 6.13.0-rc4-syzkaller #0
[ 84.173495][ T5824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 84.183587][ T5824] Call Trace:
[ 84.187089][ T5824] <TASK>
[ 84.190033][ T5824] dump_stack_lvl+0x241/0x360
[ 84.194726][ T5824] ? __pfx_dump_stack_lvl+0x10/0x10
[ 84.199940][ T5824] ? __pfx__printk+0x10/0x10
[ 84.204543][ T5824] ? _printk+0xd5/0x120
[ 84.208702][ T5824] ? __virt_addr_valid+0x183/0x530
[ 84.213818][ T5824] ? __virt_addr_valid+0x183/0x530
[ 84.218944][ T5824] print_report+0x169/0x550
[ 84.223461][ T5824] ? __virt_addr_valid+0x183/0x530
[ 84.228589][ T5824] ? __virt_addr_valid+0x183/0x530
[ 84.233712][ T5824] ? __virt_addr_valid+0x45f/0x530
[ 84.238833][ T5824] ? __phys_addr+0xba/0x170
[ 84.243353][ T5824] ? sysv_new_inode+0xfc7/0x1160
[ 84.248300][ T5824] kasan_report+0x143/0x180
[ 84.252814][ T5824] ? sysv_new_inode+0xfc7/0x1160
[ 84.257771][ T5824] sysv_new_inode+0xfc7/0x1160
[ 84.262547][ T5824] ? __pfx_sysv_new_inode+0x10/0x10
[ 84.267770][ T5824] ? _raw_spin_unlock+0x28/0x50
[ 84.272644][ T5824] ? __d_add+0x500/0x800
[ 84.276895][ T5824] sysv_mknod+0x4e/0xe0
[ 84.281053][ T5824] ? __pfx_sysv_create+0x10/0x10
[ 84.286089][ T5824] path_openat+0x1c03/0x3590
[ 84.290693][ T5824] ? __pfx_path_openat+0x10/0x10
[ 84.295640][ T5824] do_filp_open+0x27f/0x4e0
[ 84.300147][ T5824] ? __pfx_do_filp_open+0x10/0x10
[ 84.305176][ T5824] ? do_raw_spin_lock+0x14f/0x370
[ 84.310240][ T5824] do_sys_openat2+0x13e/0x1d0
[ 84.314923][ T5824] ? __pfx_do_sys_openat2+0x10/0x10
[ 84.320147][ T5824] ? lockdep_hardirqs_on+0x99/0x150
[ 84.325392][ T5824] ? _raw_spin_unlock_irq+0x2e/0x50
[ 84.330641][ T5824] ? ptrace_notify+0x279/0x380
[ 84.335422][ T5824] __x64_sys_openat+0x247/0x2a0
[ 84.340299][ T5824] ? __pfx___x64_sys_openat+0x10/0x10
[ 84.345703][ T5824] ? do_syscall_64+0x100/0x230
[ 84.350525][ T5824] do_syscall_64+0xf3/0x230
[ 84.355051][ T5824] ? clear_bhb_loop+0x35/0x90
[ 84.359740][ T5824] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.365671][ T5824] RIP: 0033:0x7f882f434129
[ 84.370137][ T5824] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 84.389755][ T5824] RSP: 002b:00007ffd20972338 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 84.398192][ T5824] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882f434129
[ 84.406167][ T5824] RDX: 0000000000101042 RSI: 0000000020000080 RDI: 00000000ffffff9c
[ 84.414160][ T5824] RBP: 00000000ffffffff R08: 0000000000009e7e R09: 0000000000000000
[ 84.422128][ T5824] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd20972380
[ 84.430130][ T5824] R13: 00007ffd209723c0 R14: 0000000000010000 R15: 0000000000000003
[ 84.438110][ T5824] </TASK>
[ 84.441126][ T5824]
[ 84.443464][ T5824] The buggy address belongs to the physical page:
[ 84.449885][ T5824] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f3dabfb6 pfn:0x765f3
[ 84.459348][ T5824] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 84.466478][ T5824] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 84.475101][ T5824] raw: 00000007f3dabfb6 0000000000000000 00000000ffffffff 0000000000000000
[ 84.483682][ T5824] page dumped because: kasan: bad access detected
[ 84.490099][ T5824] page_owner tracks the page as freed
[ 84.495464][ T5824] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5806, tgid 5806 (sshd), ts 73374937052, free_ts 73432744770
[ 84.513455][ T5824] post_alloc_hook+0x1f3/0x230
[ 84.518228][ T5824] get_page_from_freelist+0x3651/0x37a0
[ 84.523780][ T5824] __alloc_pages_noprof+0x292/0x710
[ 84.529001][ T5824] alloc_pages_mpol_noprof+0x3e8/0x680
[ 84.534473][ T5824] vma_alloc_folio_noprof+0x12e/0x230
[ 84.539868][ T5824] folio_prealloc+0x2e/0x170
[ 84.544461][ T5824] handle_pte_fault+0x2c98/0x5ed0
[ 84.549506][ T5824] handle_mm_fault+0x1053/0x1ad0
[ 84.554443][ T5824] exc_page_fault+0x459/0x8b0
[ 84.559136][ T5824] asm_exc_page_fault+0x26/0x30
[ 84.564003][ T5824] page last free pid 5806 tgid 5806 stack trace:
[ 84.570321][ T5824] free_unref_folios+0xe23/0x1890
[ 84.575384][ T5824] folios_put_refs+0x76c/0x860
[ 84.580146][ T5824] free_pages_and_swap_cache+0x2ea/0x690
[ 84.585778][ T5824] tlb_flush_mmu+0x3a3/0x680
[ 84.590388][ T5824] tlb_finish_mmu+0xd4/0x200
[ 84.594985][ T5824] vms_clear_ptes+0x437/0x530
[ 84.599664][ T5824] vms_complete_munmap_vmas+0x210/0x8f0
[ 84.605389][ T5824] do_vmi_align_munmap+0x5ef/0x6f0
[ 84.610509][ T5824] do_vmi_munmap+0x24e/0x2d0
[ 84.615103][ T5824] __vm_munmap+0x24c/0x480
[ 84.619517][ T5824] __x64_sys_munmap+0x60/0x70
[ 84.624189][ T5824] do_syscall_64+0xf3/0x230
[ 84.628706][ T5824] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.634625][ T5824]
[ 84.636945][ T5824] Memory state around the buggy address:
[ 84.642567][ T5824] ffff8880765f3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.650626][ T5824] ffff8880765f3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.658691][ T5824] >ffff8880765f3180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.666748][ T5824] ^
[ 84.673152][ T5824] ffff8880765f3200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.681226][ T5824] ffff8880765f3280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.689281][ T5824] ==================================================================
[ 84.698531][ T5824] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 84.705796][ T5824] CPU: 1 UID: 0 PID: 5824 Comm: syz-executor423 Not tainted 6.13.0-rc4-syzkaller #0
[ 84.715219][ T5824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 84.725282][ T5824] Call Trace:
[ 84.728561][ T5824] <TASK>
[ 84.731494][ T5824] dump_stack_lvl+0x241/0x360
[ 84.736279][ T5824] ? __pfx_dump_stack_lvl+0x10/0x10
[ 84.741487][ T5824] ? __pfx__printk+0x10/0x10
[ 84.746082][ T5824] ? preempt_schedule+0xe1/0xf0
[ 84.750944][ T5824] ? vscnprintf+0x5d/0x90
[ 84.755299][ T5824] panic+0x349/0x880
[ 84.759198][ T5824] ? check_panic_on_warn+0x21/0xb0
[ 84.764341][ T5824] ? __pfx_panic+0x10/0x10
[ 84.768768][ T5824] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 84.774798][ T5824] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 84.781167][ T5824] ? print_report+0x502/0x550
[ 84.785878][ T5824] check_panic_on_warn+0x86/0xb0
[ 84.790863][ T5824] ? sysv_new_inode+0xfc7/0x1160
[ 84.795817][ T5824] end_report+0x77/0x160
[ 84.800076][ T5824] kasan_report+0x154/0x180
[ 84.804617][ T5824] ? sysv_new_inode+0xfc7/0x1160
[ 84.809565][ T5824] sysv_new_inode+0xfc7/0x1160
[ 84.814343][ T5824] ? __pfx_sysv_new_inode+0x10/0x10
[ 84.819560][ T5824] ? _raw_spin_unlock+0x28/0x50
[ 84.824437][ T5824] ? __d_add+0x500/0x800
[ 84.828705][ T5824] sysv_mknod+0x4e/0xe0
[ 84.832875][ T5824] ? __pfx_sysv_create+0x10/0x10
[ 84.837819][ T5824] path_openat+0x1c03/0x3590
[ 84.842435][ T5824] ? __pfx_path_openat+0x10/0x10
[ 84.847440][ T5824] do_filp_open+0x27f/0x4e0
[ 84.851965][ T5824] ? __pfx_do_filp_open+0x10/0x10
[ 84.857005][ T5824] ? do_raw_spin_lock+0x14f/0x370
[ 84.862061][ T5824] do_sys_openat2+0x13e/0x1d0
[ 84.866754][ T5824] ? __pfx_do_sys_openat2+0x10/0x10
[ 84.871959][ T5824] ? lockdep_hardirqs_on+0x99/0x150
[ 84.877175][ T5824] ? _raw_spin_unlock_irq+0x2e/0x50
[ 84.882387][ T5824] ? ptrace_notify+0x279/0x380
[ 84.887168][ T5824] __x64_sys_openat+0x247/0x2a0
[ 84.892029][ T5824] ? __pfx___x64_sys_openat+0x10/0x10
[ 84.897411][ T5824] ? do_syscall_64+0x100/0x230
[ 84.902195][ T5824] do_syscall_64+0xf3/0x230
[ 84.906716][ T5824] ? clear_bhb_loop+0x35/0x90
[ 84.911404][ T5824] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.917328][ T5824] RIP: 0033:0x7f882f434129
[ 84.921776][ T5824] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 84.941396][ T5824] RSP: 002b:00007ffd20972338 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 84.949849][ T5824] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882f434129
[ 84.957856][ T5824] RDX: 0000000000101042 RSI: 0000000020000080 RDI: 00000000ffffff9c
[ 84.965834][ T5824] RBP: 00000000ffffffff R08: 0000000000009e7e R09: 0000000000000000
[ 84.973820][ T5824] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd20972380
[ 84.981802][ T5824] R13: 00007ffd209723c0 R14: 0000000000010000 R15: 0000000000000003
[ 84.989792][ T5824] </TASK>
[ 84.993099][ T5824] Kernel Offset: disabled
[ 84.997430][ T5824] Rebooting in 86400 seconds..