./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3840959184 <...> [ 30.014916][ T3186] 8021q: adding VLAN 0 to HW filter on device bond0 [ 30.026709][ T3186] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller syzkaller login: [ 41.373424][ T27] kauditd_printk_skb: 37 callbacks suppressed [ 41.373440][ T27] audit: type=1400 audit(1663051899.842:73): avc: denied { transition } for pid=3435 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 41.419968][ T27] audit: type=1400 audit(1663051899.842:74): avc: denied { write } for pid=3435 comm="sh" path="pipe:[28789]" dev="pipefs" ino=28789 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 Warning: Permanently added '10.128.0.197' (ECDSA) to the list of known hosts. execve("./syz-executor3840959184", ["./syz-executor3840959184"], 0x7ffe491f6100 /* 10 vars */) = 0 brk(NULL) = 0x555555601000 brk(0x555555601c40) = 0x555555601c40 arch_prctl(ARCH_SET_FS, 0x555555601300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor3840959184", 4096) = 28 brk(0x555555622c40) = 0x555555622c40 brk(0x555555623000) = 0x555555623000 mprotect(0x7f2c8435f000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 ftruncate(3, 262144) = 0 pwrite64(3, "\x20\x00\x00\x00\x80\x00\x00\x00\x06\x00\x00\x00\x6a\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x40\x00\x00\x00\x40\x00\x00\x20\x00\x00\x00\xd9\xf4\x65\x5f\xd9\xf4\x65\x5f\x01\x00\xff\xff\x53\xef\x01\x00\x01\x00\x00\x00\xd9\xf4\x65\x5f\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x01\x00\x00\x28\x02\x00\x00\x02\x84", 98, 1024) = 98 pwrite64(3, "\x02\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00\x6a\x00\x0f\x00\x03\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00\xbc\x0f", 32, 2048) = 32 pwrite64(3, "\xff\xff\x3f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"..., 2048, 4096) = 2048 pwrite64(3, "\xed\x41\x00\x00\x00\x08\x00\x00\xd9\xf4\x65\x5f\xd9\xf4\x65\x5f\xd9\xf4\x65\x5f\x00\x00\x00\x00\x00\x00\x04\x00\x04\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x08", 41, 8448) = 41 pwrite64(3, "\xed\x41\x00\x00\x3c\x00\x00\x00\xd9\xf4\x65\x5f\xd9\xf4\x65\x5f\xd9\xf4\x65\x5f\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x10\x03\x00\x00\x00\x02\x00\x00\x00\x0d\x00\x00\x00\x10\x00\x05\x01\x66\x69\x6c\x65\x30\x00\x00\x00\x0e\x00\x00\x00\x28\x00\x05\x07\x66\x69\x6c\x65\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 184, 11008) = 184 pwrite64(3, "\x02\x00\x00\x00\x0c\x00\x01\x02\x2e\x00\x00\x00\x02\x00\x00\x00\x0c\x00\x02\x02\x2e\x2e\x00\x00\x0b\x00\x00\x00\x14\x00\x0a\x02\x6c\x6f\x73\x74\x2b\x66\x6f\x75\x6e\x64\x00\x00\x0c\x00\x00\x00\x10\x00\x05\x02\x66\x69\x6c\x65\x30", 57, 16384) = 57 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 51.879746][ T27] audit: type=1400 audit(1663051910.342:75): avc: denied { execmem } for pid=3606 comm="syz-executor384" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 51.899456][ T27] audit: type=1400 audit(1663051910.352:76): avc: denied { read write } for pid=3606 comm="syz-executor384" name="loop0" dev="devtmpfs" ino=644 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 51.902212][ T3606] loop0: detected capacity change from 0 to 512 ioctl(4, LOOP_SET_FD, 3) = 0 mkdir("./file0", 0777) = 0 [ 51.924422][ T27] audit: type=1400 audit(1663051910.352:77): avc: denied { open } for pid=3606 comm="syz-executor384" path="/dev/loop0" dev="devtmpfs" ino=644 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 51.954824][ T27] audit: type=1400 audit(1663051910.362:78): avc: denied { ioctl } for pid=3606 comm="syz-executor384" path="/dev/loop0" dev="devtmpfs" ino=644 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 mount("/dev/loop0", "./file0", "ext4", 0, ",errors=continue") = 0 openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 ioctl(4, LOOP_CLR_FD) = 0 [ 51.981641][ T27] audit: type=1400 audit(1663051910.452:79): avc: denied { mounton } for pid=3606 comm="syz-executor384" path="/root/file0" dev="sda1" ino=1138 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 52.009660][ T3606] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. close(4) = 0 close(3) = 0 setxattr("./file0/file0", "trusted.overlay.upper", "\x00\xfb\x25\x00\x00\x75\xd8\xe6\x27\x56\x59\x5e\xbe\xa5\x7f\x2d\x02\xda\xa2\x11\x7f\x0e\x54\xdd\x0f\x94\x3a\xf2\x74\xd4\x6d\x3e\xac\x4b\xed\x8c\x6f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4097, 0) = 0 [ 52.019410][ T27] audit: type=1400 audit(1663051910.492:80): avc: denied { mount } for pid=3606 comm="syz-executor384" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 52.041652][ T27] audit: type=1400 audit(1663051910.492:81): avc: denied { setattr } for pid=3606 comm="syz-executor384" name="file0" dev="loop0" ino=12 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 52.056142][ T3606] [ 52.066524][ T3606] ====================================================== [ 52.073535][ T3606] WARNING: possible circular locking dependency detected [ 52.080533][ T3606] 6.0.0-rc5-syzkaller-00007-g6504d82f4440 #0 Not tainted [ 52.087542][ T3606] ------------------------------------------------------ [ 52.094555][ T3606] syz-executor384/3606 is trying to acquire lock: [ 52.100957][ T3606] ffff88806d467208 (&ei->xattr_sem){++++}-{3:3}, at: ext4_xattr_get+0x14e/0x740 [ 52.110007][ T3606] [ 52.110007][ T3606] but task is already holding lock: [ 52.117356][ T3606] ffff88806d467540 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: chown_common+0x364/0x710 [ 52.126933][ T3606] [ 52.126933][ T3606] which lock already depends on the new lock. [ 52.126933][ T3606] [ 52.137344][ T3606] [ 52.137344][ T3606] the existing dependency chain (in reverse order) is: [ 52.146344][ T3606] [ 52.146344][ T3606] -> #1 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}: [ 52.154599][ T3606] down_write+0x90/0x150 [ 52.159379][ T3606] ext4_xattr_set_entry+0x2b38/0x3980 [ 52.165266][ T3606] ext4_xattr_ibody_set+0x12d/0x3a0 [ 52.170993][ T3606] ext4_xattr_set_handle+0x964/0x1500 [ 52.176895][ T3606] ext4_xattr_set+0x13a/0x340 [ 52.182100][ T3606] __vfs_setxattr+0x115/0x180 [ 52.187293][ T3606] __vfs_setxattr_noperm+0x125/0x5f0 [ 52.193094][ T3606] __vfs_setxattr_locked+0x1cf/0x260 [ 52.198913][ T3606] vfs_setxattr+0x11e/0x3c0 [ 52.203931][ T3606] setxattr+0x146/0x160 [ 52.208618][ T3606] path_setxattr+0x197/0x1c0 [ 52.213744][ T3606] __x64_sys_setxattr+0xc0/0x160 [ 52.219198][ T3606] do_syscall_64+0x35/0xb0 [ 52.224131][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.230539][ T3606] [ 52.230539][ T3606] -> #0 (&ei->xattr_sem){++++}-{3:3}: [ 52.238089][ T3606] __lock_acquire+0x2a43/0x56d0 [ 52.243454][ T3606] lock_acquire+0x1ab/0x570 [ 52.248486][ T3606] down_read+0x98/0x450 [ 52.253157][ T3606] ext4_xattr_get+0x14e/0x740 [ 52.258348][ T3606] __vfs_getxattr+0xd9/0x140 [ 52.263469][ T3606] cap_inode_need_killpriv+0x3c/0x60 [ 52.269271][ T3606] security_inode_need_killpriv+0x40/0x90 [ 52.275512][ T3606] notify_change+0x6e7/0x1440 [ 52.280706][ T3606] chown_common+0x61b/0x710 [ 52.285727][ T3606] do_fchownat+0x126/0x1e0 [ 52.290677][ T3606] __x64_sys_fchownat+0xba/0x150 [ 52.296147][ T3606] do_syscall_64+0x35/0xb0 [ 52.301114][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.307570][ T3606] [ 52.307570][ T3606] other info that might help us debug this: [ 52.307570][ T3606] [ 52.317795][ T3606] Possible unsafe locking scenario: [ 52.317795][ T3606] [ 52.325238][ T3606] CPU0 CPU1 [ 52.330609][ T3606] ---- ---- [ 52.335969][ T3606] lock(&ea_inode->i_rwsem#7/1); [ 52.341006][ T3606] lock(&ei->xattr_sem); [ 52.348059][ T3606] lock(&ea_inode->i_rwsem#7/1); [ 52.355614][ T3606] lock(&ei->xattr_sem); [ 52.359947][ T3606] [ 52.359947][ T3606] *** DEADLOCK *** [ 52.359947][ T3606] [ 52.368091][ T3606] 2 locks held by syz-executor384/3606: [ 52.373630][ T3606] #0: ffff888028a20460 (sb_writers#5){.+.+}-{0:0}, at: do_fchownat+0x101/0x1e0 [ 52.382706][ T3606] #1: ffff88806d467540 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: chown_common+0x364/0x710 [ 52.392755][ T3606] [ 52.392755][ T3606] stack backtrace: [ 52.398633][ T3606] CPU: 1 PID: 3606 Comm: syz-executor384 Not tainted 6.0.0-rc5-syzkaller-00007-g6504d82f4440 #0 [ 52.409044][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 52.419094][ T3606] Call Trace: [ 52.422382][ T3606] [ 52.425312][ T3606] dump_stack_lvl+0xcd/0x134 [ 52.429917][ T3606] check_noncircular+0x25f/0x2e0 [ 52.434857][ T3606] ? print_circular_bug+0x1e0/0x1e0 [ 52.440056][ T3606] ? __module_text_address+0xc7/0x1a0 [ 52.445428][ T3606] ? is_module_text_address+0x47/0x70 [ 52.450804][ T3606] ? __kernel_text_address+0x9/0x30 [ 52.456008][ T3606] ? unwind_get_return_address+0x51/0x90 [ 52.461644][ T3606] ? write_profile+0x4a0/0x4a0 [ 52.466411][ T3606] ? arch_stack_walk+0x93/0xe0 [ 52.471183][ T3606] __lock_acquire+0x2a43/0x56d0 [ 52.476035][ T3606] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 52.482010][ T3606] ? save_trace+0x43/0xa00 [ 52.486420][ T3606] lock_acquire+0x1ab/0x570 [ 52.490944][ T3606] ? ext4_xattr_get+0x14e/0x740 [ 52.495797][ T3606] ? lock_release+0x780/0x780 [ 52.500474][ T3606] down_read+0x98/0x450 [ 52.504648][ T3606] ? ext4_xattr_get+0x14e/0x740 [ 52.509497][ T3606] ? rwsem_down_read_slowpath+0xb10/0xb10 [ 52.515230][ T3606] ? mark_held_locks+0x9f/0xe0 [ 52.520001][ T3606] ? asm_common_interrupt+0x22/0x40 [ 52.525214][ T3606] ext4_xattr_get+0x14e/0x740 [ 52.529894][ T3606] ? ext4_xattr_ibody_get+0x4a0/0x4a0 [ 52.535267][ T3606] ? ktime_get_coarse_real_ts64+0xca/0x200 [ 52.541091][ T3606] ? xattr_resolve_name+0x26e/0x3d0 [ 52.546321][ T3606] ? ext4_xattr_security_set+0x50/0x50 [ 52.551797][ T3606] __vfs_getxattr+0xd9/0x140 [ 52.556405][ T3606] ? __vfs_setxattr+0x180/0x180 [ 52.561262][ T3606] ? file_remove_privs+0x20/0x20 [ 52.566210][ T3606] cap_inode_need_killpriv+0x3c/0x60 [ 52.571503][ T3606] security_inode_need_killpriv+0x40/0x90 [ 52.577235][ T3606] notify_change+0x6e7/0x1440 [ 52.581919][ T3606] ? chown_common+0x61b/0x710 [ 52.586597][ T3606] chown_common+0x61b/0x710 [ 52.591101][ T3606] ? __ia32_sys_chmod+0x80/0x80 [ 52.595949][ T3606] ? lock_release+0x780/0x780 [ 52.600624][ T3606] ? __mnt_want_write+0x1fa/0x2e0 [ 52.605646][ T3606] do_fchownat+0x126/0x1e0 [ 52.610068][ T3606] ? chown_common+0x710/0x710 [ 52.614760][ T3606] ? lockdep_hardirqs_on+0x79/0x100 [ 52.619966][ T3606] __x64_sys_fchownat+0xba/0x150 [ 52.624904][ T3606] do_syscall_64+0x35/0xb0 [ 52.629321][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.635225][ T3606] RIP: 0033:0x7f2c842f20e9 [ 52.639640][ T3606] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 52.659516][ T3606] RSP: 002b:00007ffd30187fd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000104 [ 52.667930][ T3606] RAX: ffffffffffffffda RBX: 2f30656c69662f2e RCX: 00007f2c842f20e9 [ 52.675897][ T3606] RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000005 fchownat(5, "./file0/file0", 0, 60929, AT_EMPTY_PATH) = 0 exit_group(0) = ? +++ exited with 0 +++ [ 52.68