./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1837510284 <...> syzkaller syzkaller login: [ 63.951834][ T26] kauditd_printk_skb: 42 callbacks suppressed [ 63.951854][ T26] audit: type=1400 audit(1688002863.697:77): avc: denied { transition } for pid=4844 comm="sshd" path="/bin/sh" dev="sda1" ino=89 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 63.980688][ T26] audit: type=1400 audit(1688002863.697:78): avc: denied { noatsecure } for pid=4844 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 64.000180][ T26] audit: type=1400 audit(1688002863.707:79): avc: denied { write } for pid=4844 comm="sh" path="pipe:[29804]" dev="pipefs" ino=29804 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 64.023002][ T26] audit: type=1400 audit(1688002863.707:80): avc: denied { rlimitinh } for pid=4844 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 64.042485][ T26] audit: type=1400 audit(1688002863.707:81): avc: denied { siginh } for pid=4844 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 65.597714][ T26] audit: type=1400 audit(1688002865.337:82): avc: denied { read } for pid=4428 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1 Warning: Permanently added '10.128.1.141' (ECDSA) to the list of known hosts. execve("./syz-executor1837510284", ["./syz-executor1837510284"], 0x7fff539cabf0 /* 10 vars */) = 0 brk(NULL) = 0x55555703c000 brk(0x55555703cc40) = 0x55555703cc40 arch_prctl(ARCH_SET_FS, 0x55555703c300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1837510284", 4096) = 28 brk(0x55555705dc40) = 0x55555705dc40 brk(0x55555705e000) = 0x55555705e000 mprotect(0x7faa249f2000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 [ 84.480294][ T26] audit: type=1400 audit(1688002884.227:83): avc: denied { write } for pid=4991 comm="strace-static-x" path="pipe:[30751]" dev="pipefs" ino=30751 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 84.510252][ T26] audit: type=1400 audit(1688002884.257:84): avc: denied { execmem } for pid=4994 comm="syz-executor183" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7faa1c519000 write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 munmap(0x7faa1c519000, 2097152) = 0 [ 84.511466][ T4994] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4994 'syz-executor183' openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 mkdir("./file0", 0777) = 0 [ 84.572623][ T26] audit: type=1400 audit(1688002884.317:85): avc: denied { read write } for pid=4994 comm="syz-executor183" name="loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 84.575719][ T4994] loop0: detected capacity change from 0 to 4096 mount("/dev/loop0", "./file0", "ntfs3", 0, "discard,gid=0x0000000000000000,force,sparse,iocharset=cp855,gid=0x000000000000ee01,sparse,") = 0 openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [ 84.598097][ T26] audit: type=1400 audit(1688002884.317:86): avc: denied { open } for pid=4994 comm="syz-executor183" path="/dev/loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 84.628606][ T26] audit: type=1400 audit(1688002884.317:87): avc: denied { ioctl } for pid=4994 comm="syz-executor183" path="/dev/loop0" dev="devtmpfs" ino=648 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 chdir("./file0") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 openat(AT_FDCWD, "./file0", O_RDONLY) = 4 ioctl(4, FS_IOC_FIEMAP, {fm_start=7, fm_length=9223372036854775807, fm_flags=FIEMAP_FLAG_SYNC, fm_extent_count=2} => {fm_flags=FIEMAP_FLAG_SYNC, fm_mapped_extents=1, ...}) = 1 [ 84.654786][ T26] audit: type=1400 audit(1688002884.357:88): avc: denied { mounton } for pid=4994 comm="syz-executor183" path="/root/file0" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 84.678800][ T26] audit: type=1400 audit(1688002884.417:89): avc: denied { mount } for pid=4994 comm="syz-executor183" name="/" dev="loop0" ino=5 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1 creat("./bus", 000) = 5 ftruncate(5, 32768) = 0 open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|FASYNC, 000) = 6 [ 84.712441][ T26] audit: type=1400 audit(1688002884.457:90): avc: denied { write } for pid=4994 comm="syz-executor183" name="/" dev="loop0" ino=5 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 84.746505][ T4994] [ 84.748532][ T26] audit: type=1400 audit(1688002884.457:91): avc: denied { add_name } for pid=4994 comm="syz-executor183" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 84.748860][ T4994] ====================================================== [ 84.748870][ T4994] WARNING: possible circular locking dependency detected [ 84.770223][ T26] audit: type=1400 audit(1688002884.457:92): avc: denied { create } for pid=4994 comm="syz-executor183" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 84.776594][ T4994] 6.4.0-syzkaller-01406-ge8f75c0270d9 #0 Not tainted [ 84.810721][ T4994] ------------------------------------------------------ [ 84.817751][ T4994] syz-executor183/4994 is trying to acquire lock: [ 84.824160][ T4994] ffff888071f868a0 (&ni->ni_lock#2/4){+.+.}-{3:3}, at: attr_data_get_block+0x32c/0x19f0 [ 84.833944][ T4994] [ 84.833944][ T4994] but task is already holding lock: [ 84.841305][ T4994] ffff8880125483e8 (&mm->mmap_lock){++++}-{3:3}, at: vm_mmap_pgoff+0x158/0x3b0 [ 84.850291][ T4994] [ 84.850291][ T4994] which lock already depends on the new lock. [ 84.850291][ T4994] [ 84.860689][ T4994] [ 84.860689][ T4994] the existing dependency chain (in reverse order) is: [ 84.869698][ T4994] [ 84.869698][ T4994] -> #1 (&mm->mmap_lock){++++}-{3:3}: [ 84.877262][ T4994] __might_fault+0x115/0x190 [ 84.882386][ T4994] _copy_to_user+0x2b/0xc0 [ 84.887328][ T4994] fiemap_fill_next_extent+0x217/0x370 [ 84.893313][ T4994] ni_fiemap+0x2f9/0xc00 [ 84.898098][ T4994] ntfs_fiemap+0xcc/0x120 [ 84.902992][ T4994] do_vfs_ioctl+0x478/0x16c0 [ 84.908107][ T4994] __x64_sys_ioctl+0x10c/0x210 [ 84.913400][ T4994] do_syscall_64+0x39/0xb0 [ 84.918365][ T4994] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 84.924794][ T4994] [ 84.924794][ T4994] -> #0 (&ni->ni_lock#2/4){+.+.}-{3:3}: [ 84.932572][ T4994] __lock_acquire+0x2fcd/0x5f30 [ 84.937977][ T4994] lock_acquire+0x1b1/0x520 [ 84.943028][ T4994] __mutex_lock+0x12f/0x1350 [ 84.948182][ T4994] attr_data_get_block+0x32c/0x19f0 [ 84.953960][ T4994] ntfs_file_mmap+0x47e/0x6a0 [ 84.959185][ T4994] mmap_region+0x6a0/0x28e0 [ 84.964239][ T4994] do_mmap+0x837/0xf60 [ 84.968841][ T4994] vm_mmap_pgoff+0x1a2/0x3b0 [ 84.974051][ T4994] ksys_mmap_pgoff+0x42b/0x5b0 [ 84.979347][ T4994] do_syscall_64+0x39/0xb0 [ 84.984311][ T4994] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 84.990748][ T4994] [ 84.990748][ T4994] other info that might help us debug this: [ 84.990748][ T4994] [ 85.000975][ T4994] Possible unsafe locking scenario: [ 85.000975][ T4994] [ 85.008427][ T4994] CPU0 CPU1 [ 85.013791][ T4994] ---- ---- [ 85.019151][ T4994] lock(&mm->mmap_lock); [ 85.023530][ T4994] lock(&ni->ni_lock#2/4); [ 85.030570][ T4994] lock(&mm->mmap_lock); [ 85.037428][ T4994] lock(&ni->ni_lock#2/4); [ 85.041970][ T4994] [ 85.041970][ T4994] *** DEADLOCK *** [ 85.041970][ T4994] [ 85.050114][ T4994] 1 lock held by syz-executor183/4994: [ 85.055568][ T4994] #0: ffff8880125483e8 (&mm->mmap_lock){++++}-{3:3}, at: vm_mmap_pgoff+0x158/0x3b0 [ 85.065012][ T4994] [ 85.065012][ T4994] stack backtrace: [ 85.070899][ T4994] CPU: 1 PID: 4994 Comm: syz-executor183 Not tainted 6.4.0-syzkaller-01406-ge8f75c0270d9 #0 [ 85.080969][ T4994] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 [ 85.091026][ T4994] Call Trace: [ 85.094304][ T4994] [ 85.097254][ T4994] dump_stack_lvl+0xd9/0x150 [ 85.101871][ T4994] check_noncircular+0x25f/0x2e0 [ 85.106826][ T4994] ? register_lock_class+0xbe/0x1120 [ 85.112128][ T4994] ? print_circular_bug+0x730/0x730 [ 85.117344][ T4994] ? stack_trace_save+0x90/0xc0 [ 85.122213][ T4994] __lock_acquire+0x2fcd/0x5f30 [ 85.127201][ T4994] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 85.133204][ T4994] ? __lock_acquire+0x28bf/0x5f30 [ 85.138243][ T4994] lock_acquire+0x1b1/0x520 [ 85.142761][ T4994] ? attr_data_get_block+0x32c/0x19f0 [ 85.148145][ T4994] ? lock_sync+0x190/0x190 [ 85.152576][ T4994] __mutex_lock+0x12f/0x1350 [ 85.157207][ T4994] ? attr_data_get_block+0x32c/0x19f0 [ 85.162606][ T4994] ? attr_data_get_block+0x32c/0x19f0 [ 85.167988][ T4994] ? mutex_lock_io_nested+0x11a0/0x11a0 [ 85.173555][ T4994] ? __up_read+0x1fe/0x750 [ 85.177988][ T4994] ? up_write+0x520/0x520 [ 85.182324][ T4994] ? stack_trace_save+0x90/0xc0 [ 85.187366][ T4994] attr_data_get_block+0x32c/0x19f0 [ 85.192575][ T4994] ? __kasan_slab_alloc+0x1/0x90 [ 85.197535][ T4994] ? kmem_cache_alloc+0x1bd/0x3f0 [ 85.202563][ T4994] ? vm_area_alloc+0x142/0x230 [ 85.207339][ T4994] ? mmap_region+0x40d/0x28e0 [ 85.212023][ T4994] ? vm_mmap_pgoff+0x1a2/0x3b0 [ 85.216813][ T4994] ? ksys_mmap_pgoff+0x42b/0x5b0 [ 85.221761][ T4994] ? do_syscall_64+0x39/0xb0 [ 85.226367][ T4994] ? attr_set_size+0x2ac0/0x2ac0 [ 85.231312][ T4994] ? mark_lock.part.0+0xee/0x1970 [ 85.236359][ T4994] ? find_held_lock+0x2d/0x110 [ 85.241133][ T4994] ntfs_file_mmap+0x47e/0x6a0 [ 85.245828][ T4994] ? ntfs_compat_ioctl+0xf0/0xf0 [ 85.250785][ T4994] ? __raw_spin_lock_init+0x3a/0x110 [ 85.256089][ T4994] mmap_region+0x6a0/0x28e0 [ 85.260605][ T4994] ? do_munmap+0xf0/0xf0 [ 85.264858][ T4994] ? security_mmap_addr+0x77/0xa0 [ 85.269892][ T4994] ? get_unmapped_area+0x1ee/0x3d0 [ 85.275015][ T4994] do_mmap+0x837/0xf60 [ 85.279096][ T4994] vm_mmap_pgoff+0x1a2/0x3b0 [ 85.283702][ T4994] ? randomize_page+0xb0/0xb0 [ 85.288393][ T4994] ksys_mmap_pgoff+0x42b/0x5b0 [ 85.293168][ T4994] do_syscall_64+0x39/0xb0 [ 85.297610][ T4994] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 85.303516][ T4994] RIP: 0033:0x7faa24965d19 [ 85.307936][ T4994] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 85.327557][ T4994] RSP: 002b:00007ffda0a1ef18 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 85.335974][ T4994] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007faa24965d19 [ 85.343950][ T4994] RDX: 0000000000800006 RSI: 000000000000a000 RDI: 0000000020001000 [ 85.351955][ T4994] RBP: 00007faa24925320 R08: 0000000000000006 R09: 0000000000000000 [ 85.359930][ T4994] R10: 0000000000000011 R11: 0000000000000246 R12: 00007faa249253b0 [ 85.367908][ T4994] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 mmap(0x20001000, 40960, PROT_WRITE|PROT_EXEC|0x800000, MAP_SHARED|MAP_FIXED, 6, 0) = 0x20001000 exit_group(0) = ? +++ exited with 0 +++ [ 85.375