./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3124908279 <...> syzkaller syzkaller login: [ 60.332517][ T26] kauditd_printk_skb: 42 callbacks suppressed [ 60.332536][ T26] audit: type=1400 audit(1683519371.870:77): avc: denied { transition } for pid=4840 comm="sshd" path="/bin/sh" dev="sda1" ino=89 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 60.361487][ T26] audit: type=1400 audit(1683519371.870:78): avc: denied { noatsecure } for pid=4840 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 60.380922][ T26] audit: type=1400 audit(1683519371.880:79): avc: denied { write } for pid=4840 comm="sh" path="pipe:[29382]" dev="pipefs" ino=29382 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 60.403603][ T26] audit: type=1400 audit(1683519371.880:80): avc: denied { rlimitinh } for pid=4840 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 60.422743][ T26] audit: type=1400 audit(1683519371.880:81): avc: denied { siginh } for pid=4840 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 61.631977][ T26] audit: type=1400 audit(1683519373.170:82): avc: denied { read } for pid=4427 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1 Warning: Permanently added '10.128.1.11' (ECDSA) to the list of known hosts. execve("./syz-executor3124908279", ["./syz-executor3124908279"], 0x7ffda9a72640 /* 10 vars */) = 0 brk(NULL) = 0x555555787000 brk(0x555555787c40) = 0x555555787c40 arch_prctl(ARCH_SET_FS, 0x555555787300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor3124908279", 4096) = 28 brk(0x5555557a8c40) = 0x5555557a8c40 brk(0x5555557a9000) = 0x5555557a9000 mprotect(0x7f59f4d7c000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 [ 78.553160][ T26] audit: type=1400 audit(1683519390.090:83): avc: denied { write } for pid=4991 comm="strace-static-x" path="pipe:[29478]" dev="pipefs" ino=29478 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 78.581897][ T4994] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4994 'syz-executor312' memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f59ec8c2000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 munmap(0x7f59ec8c2000, 262144) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 mkdir("./file1", 0777) = 0 [ 78.582644][ T26] audit: type=1400 audit(1683519390.110:84): avc: denied { execmem } for pid=4994 comm="syz-executor312" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 78.604287][ T4994] loop0: detected capacity change from 0 to 512 [ 78.611851][ T26] audit: type=1400 audit(1683519390.120:85): avc: denied { append } for pid=4427 comm="syslogd" name="messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 78.625945][ T4994] EXT4-fs: Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE [ 78.639610][ T26] audit: type=1400 audit(1683519390.120:86): avc: denied { open } for pid=4427 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 78.673251][ T26] audit: type=1400 audit(1683519390.120:87): avc: denied { getattr } for pid=4427 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 78.696278][ T26] audit: type=1400 audit(1683519390.130:88): avc: denied { read write } for pid=4994 comm="syz-executor312" name="loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 78.705286][ T4994] EXT4-fs (loop0): 1 truncate cleaned up [ 78.721145][ T26] audit: type=1400 audit(1683519390.130:89): avc: denied { open } for pid=4994 comm="syz-executor312" path="/dev/loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 mount("/dev/loop0", "./file1", "ext4", 0, "inode_readahead_blks=0x0000000000000000,nogrpid,debug_want_extra_isize=0x0000000000000066,dioread_no"...) = 0 openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 chdir("./file1") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 setxattr("./file1", "trusted.overlay.upper", "\x00\xfb\x78\x00\x00\xcd\xff\xff\xff\x5b\x8e\xf0\x8d\x43\x4b\x0b\x00\x00\xb2\x52\x00\x21\x64\x1d\x35\xee\xba\x27\x3f\xb1\x7d\x19\x03\x77\x06\xe3\x2a\xbb\xb7\x20\xe5\x4a\xb3\x74\x5b\x25\x5a\xd6\xc2\xd1\xf6\x92\xa2\xf0\x8f\x01\xa9\xce\x1d\x0e\x82\xcb\xbe\x6c\x55\x29\xb2\x55\x4f\x38\x49\xf5\x3f\x0c\x1f\x1f\x51\xad\xf5\x4a\xc8\x01\xcc\x23\xf7\xeb\xd5\x7c\x66\x6b\x5d\x6d\x62\x6d\x33\x36\xb5\x1f\x40\xb9"..., 888, 0) = 0 [ 78.726284][ T4994] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: writeback. [ 78.750905][ T26] audit: type=1400 audit(1683519390.140:90): avc: denied { ioctl } for pid=4994 comm="syz-executor312" path="/dev/loop0" dev="devtmpfs" ino=648 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 78.788955][ T26] audit: type=1400 audit(1683519390.160:91): avc: denied { mounton } for pid=4994 comm="syz-executor312" path="/root/file1" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 78.789442][ T4994] [ 78.814082][ T4994] ====================================================== [ 78.821105][ T4994] WARNING: possible circular locking dependency detected [ 78.828131][ T4994] 6.3.0-syzkaller-13505-g17784de648be #0 Not tainted [ 78.834899][ T4994] ------------------------------------------------------ [ 78.842005][ T4994] syz-executor312/4994 is trying to acquire lock: [ 78.848421][ T4994] ffff8880716f5480 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: ext4_xattr_inode_iget+0x2b8/0x660 [ 78.858836][ T4994] [ 78.858836][ T4994] but task is already holding lock: [ 78.866205][ T4994] ffff8880716f42c8 (&ei->i_data_sem){++++}-{3:3}, at: ext4_setattr+0x1988/0x2880 [ 78.875393][ T4994] [ 78.875393][ T4994] which lock already depends on the new lock. [ 78.875393][ T4994] [ 78.885798][ T4994] [ 78.885798][ T4994] the existing dependency chain (in reverse order) is: [ 78.894813][ T4994] [ 78.894813][ T4994] -> #1 (&ei->i_data_sem){++++}-{3:3}: [ 78.902479][ T4994] down_write+0x92/0x200 [ 78.907272][ T4994] ext4_xattr_set_entry+0x30c5/0x39e0 [ 78.913203][ T4994] ext4_xattr_ibody_set+0x131/0x3a0 [ 78.918938][ T4994] ext4_xattr_set_handle+0x968/0x1510 [ 78.924872][ T4994] ext4_xattr_set+0x144/0x360 [ 78.930089][ T4994] __vfs_setxattr+0x173/0x1e0 [ 78.935327][ T4994] __vfs_setxattr_noperm+0x129/0x5f0 [ 78.941151][ T4994] __vfs_setxattr_locked+0x1d3/0x260 [ 78.946995][ T4994] vfs_setxattr+0x143/0x340 [ 78.952030][ T4994] do_setxattr+0x147/0x190 [ 78.956979][ T4994] setxattr+0x146/0x160 [ 78.961668][ T4994] path_setxattr+0x197/0x1c0 [ 78.966799][ T4994] __x64_sys_setxattr+0xc4/0x160 [ 78.972274][ T4994] do_syscall_64+0x39/0xb0 [ 78.977247][ T4994] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 78.983788][ T4994] [ 78.983788][ T4994] -> #0 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}: [ 78.992083][ T4994] __lock_acquire+0x2f21/0x5df0 [ 78.997478][ T4994] lock_acquire+0x1b1/0x520 [ 79.002528][ T4994] down_write+0x92/0x200 [ 79.007308][ T4994] ext4_xattr_inode_iget+0x2b8/0x660 [ 79.013218][ T4994] ext4_xattr_inode_get+0x162/0x830 [ 79.018954][ T4994] ext4_expand_extra_isize_ea+0xf6d/0x1880 [ 79.025299][ T4994] __ext4_expand_extra_isize+0x33e/0x470 [ 79.031481][ T4994] __ext4_mark_inode_dirty+0x51b/0x800 [ 79.037488][ T4994] ext4_setattr+0x1a02/0x2880 [ 79.042720][ T4994] notify_change+0xb2c/0x1180 [ 79.048911][ T4994] do_truncate+0x143/0x200 [ 79.053881][ T4994] path_openat+0x2083/0x2750 [ 79.059018][ T4994] do_filp_open+0x1ba/0x410 [ 79.064068][ T4994] do_sys_openat2+0x16d/0x4c0 [ 79.069277][ T4994] __x64_sys_creat+0xcd/0x120 [ 79.074501][ T4994] do_syscall_64+0x39/0xb0 [ 79.079476][ T4994] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 79.085921][ T4994] [ 79.085921][ T4994] other info that might help us debug this: [ 79.085921][ T4994] [ 79.096152][ T4994] Possible unsafe locking scenario: [ 79.096152][ T4994] [ 79.103604][ T4994] CPU0 CPU1 [ 79.108973][ T4994] ---- ---- [ 79.114343][ T4994] lock(&ei->i_data_sem); [ 79.118778][ T4994] lock(&ea_inode->i_rwsem#7/1); [ 79.126353][ T4994] lock(&ei->i_data_sem); [ 79.133309][ T4994] lock(&ea_inode->i_rwsem#7/1); [ 79.138369][ T4994] [ 79.138369][ T4994] *** DEADLOCK *** [ 79.138369][ T4994] [ 79.146518][ T4994] 5 locks held by syz-executor312/4994: [ 79.152068][ T4994] #0: ffff888019f86460 (sb_writers#5){.+.+}-{0:0}, at: path_openat+0x19a4/0x2750 [ 79.161344][ T4994] #1: ffff8880716f4440 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: do_truncate+0x131/0x200 [ 79.171686][ T4994] #2: ffff8880716f45e0 (mapping.invalidate_lock){++++}-{3:3}, at: ext4_setattr+0x6f2/0x2880 [ 79.182010][ T4994] #3: ffff8880716f42c8 (&ei->i_data_sem){++++}-{3:3}, at: ext4_setattr+0x1988/0x2880 [ 79.191744][ T4994] #4: ffff8880716f4108 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x48f/0x800 [ 79.202087][ T4994] [ 79.202087][ T4994] stack backtrace: [ 79.207986][ T4994] CPU: 0 PID: 4994 Comm: syz-executor312 Not tainted 6.3.0-syzkaller-13505-g17784de648be #0 [ 79.218099][ T4994] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 79.228442][ T4994] Call Trace: [ 79.231740][ T4994] [ 79.234683][ T4994] dump_stack_lvl+0xd9/0x150 [ 79.239299][ T4994] check_noncircular+0x25f/0x2e0 [ 79.244261][ T4994] ? print_circular_bug+0x730/0x730 [ 79.249492][ T4994] __lock_acquire+0x2f21/0x5df0 [ 79.254394][ T4994] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 79.260398][ T4994] ? do_raw_spin_unlock+0x175/0x230 [ 79.265634][ T4994] lock_acquire+0x1b1/0x520 [ 79.270171][ T4994] ? ext4_xattr_inode_iget+0x2b8/0x660 [ 79.275653][ T4994] ? lock_sync+0x190/0x190 [ 79.280096][ T4994] ? register_lock_class+0xbe/0x1120 [ 79.285415][ T4994] down_write+0x92/0x200 [ 79.289678][ T4994] ? ext4_xattr_inode_iget+0x2b8/0x660 [ 79.295157][ T4994] ? rwsem_down_write_slowpath+0x1220/0x1220 [ 79.301161][ T4994] ? fs_reclaim_acquire+0xba/0x160 [ 79.306293][ T4994] ext4_xattr_inode_iget+0x2b8/0x660 [ 79.311605][ T4994] ext4_xattr_inode_get+0x162/0x830 [ 79.316822][ T4994] ? ext4_xattr_inode_iget+0x660/0x660 [ 79.322314][ T4994] ? kvmalloc_node+0xa2/0x1a0 [ 79.327013][ T4994] ? rcu_is_watching+0x12/0xb0 [ 79.331806][ T4994] ? __kmalloc_node+0xfb/0x1a0 [ 79.336595][ T4994] ext4_expand_extra_isize_ea+0xf6d/0x1880 [ 79.342431][ T4994] ? ext4_xattr_set+0x360/0x360 [ 79.347306][ T4994] ? dquot_initialize_needed+0x18c/0x290 [ 79.352971][ T4994] ? __ext4_mark_inode_dirty+0x48f/0x800 [ 79.358642][ T4994] __ext4_expand_extra_isize+0x33e/0x470 [ 79.364304][ T4994] __ext4_mark_inode_dirty+0x51b/0x800 [ 79.369798][ T4994] ? ext4_expand_extra_isize+0x5e0/0x5e0 [ 79.375467][ T4994] ? rwsem_down_write_slowpath+0x1220/0x1220 [ 79.381475][ T4994] ? __ext4_journal_start_sb+0x1fc/0x5d0 [ 79.387141][ T4994] ? ext4_setattr+0x86a/0x2880 [ 79.391955][ T4994] ext4_setattr+0x1a02/0x2880 [ 79.396685][ T4994] ? ext4_journalled_write_end+0xfb0/0xfb0 [ 79.402526][ T4994] notify_change+0xb2c/0x1180 [ 79.407237][ T4994] ? down_write+0x14f/0x200 [ 79.411772][ T4994] ? do_truncate+0x143/0x200 [ 79.416478][ T4994] do_truncate+0x143/0x200 [ 79.420958][ T4994] ? file_open_root+0x460/0x460 [ 79.425835][ T4994] ? ext4_file_write_iter+0x1740/0x1740 [ 79.431397][ T4994] path_openat+0x2083/0x2750 [ 79.436013][ T4994] ? path_lookupat+0x840/0x840 [ 79.440804][ T4994] ? find_held_lock+0x2d/0x110 [ 79.445762][ T4994] do_filp_open+0x1ba/0x410 [ 79.450314][ T4994] ? may_open_dev+0xf0/0xf0 [ 79.454845][ T4994] ? find_held_lock+0x2d/0x110 [ 79.459630][ T4994] ? do_raw_spin_lock+0x124/0x2b0 [ 79.464680][ T4994] ? spin_bug+0x1c0/0x1c0 [ 79.469036][ T4994] ? _raw_spin_unlock+0x28/0x40 [ 79.473913][ T4994] ? alloc_fd+0x2e4/0x750 [ 79.478260][ T4994] do_sys_openat2+0x16d/0x4c0 [ 79.482954][ T4994] ? find_held_lock+0x2d/0x110 [ 79.487735][ T4994] ? build_open_flags+0x720/0x720 [ 79.492775][ T4994] ? ptrace_notify+0xfe/0x140 [ 79.497470][ T4994] ? lock_downgrade+0x690/0x690 [ 79.502354][ T4994] __x64_sys_creat+0xcd/0x120 [ 79.507059][ T4994] ? __x64_compat_sys_openat+0x1f0/0x1f0 [ 79.512716][ T4994] ? _raw_spin_unlock_irq+0x2e/0x50 [ 79.518041][ T4994] ? ptrace_notify+0xfe/0x140 [ 79.522746][ T4994] ? syscall_trace_enter.constprop.0+0xb0/0x1e0 [ 79.529042][ T4994] do_syscall_64+0x39/0xb0 [ 79.533501][ T4994] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 79.539428][ T4994] RIP: 0033:0x7f59f4d0ec09 [ 79.543865][ T4994] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 79.563490][ T4994] RSP: 002b:00007ffe784738f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 [ 79.571920][ T4994] RAX: ffffffffffffffda RBX: 0031656c69662f2e RCX: 00007f59f4d0ec09 [ 79.579906][ T4994] RDX: 00007f59f4d0ec09 RSI: 0000000000000000 RDI: 0000000020000400 [ 79.587894][ T4994] RBP: 00007f59f4cce210 R08: 0000000000000000 R09: 0000000000000000 [ 79.595878][ T4994] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f59f4cce2a0 creat("./file1", 000) = 4 exit_group(0) = ? +++ exited with 0 +++ [ 79.603873][ T4994] R13: 0000000000000000 R