./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2805566320 <...> [ 28.951115][ T3186] 8021q: adding VLAN 0 to HW filter on device bond0 [ 28.968509][ T3186] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller syzkaller login: [ 39.286278][ T27] kauditd_printk_skb: 37 callbacks suppressed [ 39.286295][ T27] audit: type=1400 audit(1656928601.514:73): avc: denied { transition } for pid=3406 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 39.320942][ T27] audit: type=1400 audit(1656928601.524:74): avc: denied { write } for pid=3406 comm="sh" path="pipe:[27369]" dev="pipefs" ino=27369 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 Warning: Permanently added '10.128.0.80' (ECDSA) to the list of known hosts. execve("./syz-executor2805566320", ["./syz-executor2805566320"], 0x7ffc0d89ff30 /* 10 vars */) = 0 brk(NULL) = 0x555557502000 brk(0x555557502c40) = 0x555557502c40 arch_prctl(ARCH_SET_FS, 0x555557502300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x5555575025d0) = 3607 set_robust_list(0x5555575025e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f6b7a026d80, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f6b7a027450}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f6b7a026e20, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f6b7a027450}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2805566320", 4096) = 28 brk(0x555557523c40) = 0x555557523c40 brk(0x555557524000) = 0x555557524000 mprotect(0x7f6b7a0e7000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 futex(0x7f6b7a0ed3ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f6b79ff7000 mprotect(0x7f6b79ff8000, 131072, PROT_READ|PROT_WRITE) = 0 clone(child_stack=0x7f6b7a0173f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3608], tls=0x7f6b7a017700, child_tidptr=0x7f6b7a0179d0) = 3608 futex(0x7f6b7a0ed3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 futex(0x7f6b7a0ed3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3608 attached [pid 3608] set_robust_list(0x7f6b7a0179e0, 24) = 0 [pid 3608] socket(AF_RXRPC, SOCK_DGRAM, AF_INET) = 3 [pid 3608] futex(0x7f6b7a0ed3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 3607] <... futex resumed>) = 0 [pid 3607] futex(0x7f6b7a0ed3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3607] futex(0x7f6b7a0ed3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3608] <... futex resumed>) = 1 [ 47.844848][ T27] audit: type=1400 audit(1656928610.074:75): avc: denied { execmem } for pid=3607 comm="syz-executor280" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 47.866213][ T27] audit: type=1400 audit(1656928610.084:76): avc: denied { create } for pid=3607 comm="syz-executor280" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1 [pid 3608] sendmsg(3, {msg_name={sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin={sin_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("172.20.20.70")}}}, msg_namelen=128, msg_iov=[{iov_base="\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x02\x00\x1c\x00\x02\x00\x4e\x22\xac\x14\x14\x46\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=17920}], msg_iovlen=1, msg_control=[{cmsg_len=24, cmsg_level=SOL_RXRPC, cmsg_type=0x1}, {cmsg_len=144, cmsg_level=SOL_SOCKET, cmsg_type=0x504 /* SCM_??? */}, {cmsg_len=4112, cmsg_level=SOL_IP, cmsg_type=0 /* IP_??? */}], msg_controllen=4280, msg_flags=MSG_DONTROUTE}, 0 [pid 3607] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3607] futex(0x7f6b7a0ed3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3607] futex(0x7f6b7a0ed3fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3607] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f6b79fd6000 [pid 3607] mprotect(0x7f6b79fd7000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3607] clone(child_stack=0x7f6b79ff63f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3609], tls=0x7f6b79ff6700, child_tidptr=0x7f6b79ff69d0) = 3609 [pid 3607] futex(0x7f6b7a0ed3f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3607] futex(0x7f6b7a0ed3fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3609 attached [pid 3609] set_robust_list(0x7f6b79ff69e0, 24) = 0 [ 47.886157][ T27] audit: type=1400 audit(1656928610.094:77): avc: denied { write } for pid=3607 comm="syz-executor280" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1 [pid 3609] sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_control=[{cmsg_len=24, cmsg_level=SOL_RXRPC, cmsg_type=0x1}, {cmsg_len=144, cmsg_level=SOL_SOCKET, cmsg_type=0x504 /* SCM_??? */}, {cmsg_len=4112, cmsg_level=SOL_IP, cmsg_type=0 /* IP_??? */}], msg_controllen=4280, msg_flags=MSG_DONTROUTE}, MSG_PEEK|MSG_DONTROUTE|MSG_EOR|MSG_WAITALL [pid 3607] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3607] exit_group(0) = ? [pid 3609] <... sendmsg resumed>) = ? [pid 3609] +++ exited with 0 +++ [ 48.093489][ T3608] [ 48.095842][ T3608] ===================================== [ 48.101363][ T3608] WARNING: bad unlock balance detected! [ 48.106889][ T3608] 5.19.0-rc5-syzkaller #0 Not tainted [ 48.112242][ T3608] ------------------------------------- [ 48.117766][ T3608] syz-executor280/3608 is trying to release lock (&call->user_mutex) at: [ 48.126172][ T3608] [] rxrpc_do_sendmsg+0xc0e/0x1350 [ 48.132852][ T3608] but there are no more locks to release! [ 48.138551][ T3608] [ 48.138551][ T3608] other info that might help us debug this: [ 48.146690][ T3608] no locks held by syz-executor280/3608. [ 48.152299][ T3608] [ 48.152299][ T3608] stack backtrace: [ 48.158173][ T3608] CPU: 0 PID: 3608 Comm: syz-executor280 Not tainted 5.19.0-rc5-syzkaller #0 [ 48.166918][ T3608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 [ 48.176959][ T3608] Call Trace: [ 48.180225][ T3608] [ 48.183141][ T3608] dump_stack_lvl+0xcd/0x134 [ 48.187732][ T3608] lock_release.cold+0x49/0x4e [ 48.192485][ T3608] ? rxrpc_do_sendmsg+0xc0e/0x1350 [ 48.197593][ T3608] ? lock_downgrade+0x6e0/0x6e0 [ 48.202437][ T3608] ? trace_rxrpc_transmit+0x290/0x290 [ 48.207797][ T3608] __mutex_unlock_slowpath+0x99/0x5e0 [ 48.213153][ T3608] ? wait_for_completion_io_timeout+0x20/0x20 [ 48.219208][ T3608] ? wake_up_q+0xf0/0xf0 [ 48.223435][ T3608] ? rxrpc_do_sendmsg+0xef3/0x1350 [ 48.228532][ T3608] ? rxrpc_put_peer+0xd2/0x440 [ 48.233278][ T3608] rxrpc_do_sendmsg+0xc0e/0x1350 [ 48.238199][ T3608] ? rxrpc_kernel_send_data+0x450/0x450 [ 48.243726][ T3608] ? rcu_read_lock_sched_held+0x3a/0x70 [ 48.249264][ T3608] ? rxrpc_lookup_local+0x45d/0x1110 [ 48.254533][ T3608] rxrpc_sendmsg+0x429/0x640 [ 48.259104][ T3608] ? rxrpc_sock_destructor+0x170/0x170 [ 48.264545][ T3608] sock_sendmsg+0xcf/0x120 [ 48.268942][ T3608] ____sys_sendmsg+0x6eb/0x810 [ 48.273688][ T3608] ? kernel_sendmsg+0x50/0x50 [ 48.278345][ T3608] ? do_recvmmsg+0x6d0/0x6d0 [ 48.282922][ T3608] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 48.288900][ T3608] ? lockdep_hardirqs_on+0x79/0x100 [ 48.294082][ T3608] ___sys_sendmsg+0xf3/0x170 [ 48.298655][ T3608] ? sendmsg_copy_msghdr+0x160/0x160 [ 48.303922][ T3608] ? __fget_files+0x248/0x440 [ 48.308593][ T3608] ? lock_downgrade+0x6e0/0x6e0 [ 48.313433][ T3608] ? ptrace_stop.part.0+0x5ec/0xa80 [ 48.318620][ T3608] ? __fget_light+0xe5/0x270 [ 48.323190][ T3608] __x64_sys_sendmsg+0x132/0x220 [ 48.328109][ T3608] ? __sys_sendmsg+0x1b0/0x1b0 [ 48.332867][ T3608] ? _raw_spin_unlock_irq+0x2a/0x40 [ 48.338051][ T3608] ? ptrace_notify+0xfa/0x140 [ 48.342716][ T3608] do_syscall_64+0x35/0xb0 [ 48.347112][ T3608] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 48.352988][ T3608] RIP: 0033:0x7f6b7a064de9 [ 48.357387][ T3608] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 48.376988][ T3608] RSP: 002b:00007f6b7a017318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 48.385385][ T3608] RAX: ffffffffffffffda RBX: 00007f6b7a0ed3e8 RCX: 00007f6b7a064de9 [pid 3608] <... sendmsg resumed>) = ? [pid 3608] +++ exited with 0 +++ +++ exited with 0 +++ [ 48.393340][