./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor743797586 <...> Warning: Permanently added '10.128.0.231' (ED25519) to the list of known hosts. execve("./syz-executor743797586", ["./syz-executor743797586"], 0x7fff98c78730 /* 10 vars */) = 0 brk(NULL) = 0x555556f50000 brk(0x555556f50d00) = 0x555556f50d00 arch_prctl(ARCH_SET_FS, 0x555556f50380) = 0 set_tid_address(0x555556f50650) = 5068 set_robust_list(0x555556f50660, 24) = 0 rseq(0x555556f50ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor743797586", 4096) = 27 getrandom("\x6f\xd9\xf1\xeb\x07\x13\xa0\x3a", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555556f50d00 brk(0x555556f71d00) = 0x555556f71d00 brk(0x555556f72000) = 0x555556f72000 mprotect(0x7fec8086c000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fec783bb000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 munmap(0x7fec783bb000, 138412032) = 0 [ 72.397609][ T27] audit: type=1400 audit(1703889215.507:83): avc: denied { execmem } for pid=5068 comm="syz-executor743" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 [ 72.447760][ T27] audit: type=1400 audit(1703889215.557:84): avc: denied { read write } for pid=5068 comm="syz-executor743" name="loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 72.461159][ T5068] loop0: detected capacity change from 0 to 1024 mkdir("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 0777) = 0 mount("/dev/loop0", "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "hfsplus", 0, "force") = 0 openat(AT_FDCWD, "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", O_RDONLY|O_DIRECTORY) = 3 chdir("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") = 0 [ 72.472485][ T27] audit: type=1400 audit(1703889215.557:85): avc: denied { open } for pid=5068 comm="syz-executor743" path="/dev/loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 72.502706][ T27] audit: type=1400 audit(1703889215.567:86): avc: denied { ioctl } for pid=5068 comm="syz-executor743" path="/dev/loop0" dev="devtmpfs" ino=648 ioctlcmd=0x4c00 
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 mknodat(AT_FDCWD, "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 000) = 0 open("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", O_RDONLY) = 4 unlink("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") = 0 [ 72.528463][ T27] audit: type=1400 audit(1703889215.617:87): avc: denied { mounton } for pid=5068 comm="syz-executor743" path="/root/file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 72.572890][ T27] audit: type=1400 audit(1703889215.627:88): avc: denied { mount } for pid=5068 comm="syz-executor743" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1 [ 72.606149][ T5068] [ 72.608493][ T5068] ====================================================== [ 72.615505][ T5068] WARNING: possible circular locking dependency detected [ 72.622523][ T5068] 6.7.0-rc7-syzkaller-00029-g8735c7c84d1b #0 Not tainted [ 72.629556][ T5068] 
------------------------------------------------------ [ 72.636582][ T5068] syz-executor743/5068 is trying to acquire lock: [ 72.642987][ T5068] ffff88802044e0b0 (&tree->tree_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x882/0x9d0 [ 72.652805][ T5068] [ 72.652805][ T5068] but task is already holding lock: [ 72.660146][ T5068] ffff888020136188 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x204/0x9d0 [ 72.671251][ T5068] [ 72.671251][ T5068] which lock already depends on the new lock. [ 72.671251][ T5068] [ 72.681628][ T5068] [ 72.681628][ T5068] the existing dependency chain (in reverse order) is: [ 72.690616][ T5068] [ 72.690616][ T5068] -> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}: [ 72.699639][ T5068] __mutex_lock+0x175/0x9d0 [ 72.704660][ T5068] hfsplus_file_extend+0x1c1/0x1090 [ 72.710356][ T5068] hfsplus_bmap_reserve+0x318/0x410 [ 72.716056][ T5068] hfsplus_rename_cat+0x2ad/0x1230 [ 72.721667][ T5068] hfsplus_unlink+0x48e/0x7f0 [ 72.726843][ T5068] vfs_unlink+0x2f1/0x900 [ 72.731676][ T5068] do_unlinkat+0x5bc/0x740 [ 72.736600][ T5068] __x64_sys_unlink+0xc8/0x110 [ 72.741871][ T5068] do_syscall_64+0x40/0x110 [ 72.746876][ T5068] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 72.753280][ T5068] [ 72.753280][ T5068] -> #0 (&tree->tree_lock){+.+.}-{3:3}: [ 72.760989][ T5068] __lock_acquire+0x2433/0x3b20 [ 72.766348][ T5068] lock_acquire+0x1ae/0x520 [ 72.771357][ T5068] __mutex_lock+0x175/0x9d0 [ 72.776373][ T5068] hfsplus_file_truncate+0x882/0x9d0 [ 72.782158][ T5068] hfsplus_setattr+0x1eb/0x310 [ 72.787429][ T5068] notify_change+0x742/0x11c0 [ 72.792609][ T5068] do_truncate+0x15c/0x220 [ 72.797552][ T5068] path_openat+0x2597/0x2c50 [ 72.802661][ T5068] do_filp_open+0x1de/0x430 [ 72.807670][ T5068] do_sys_openat2+0x176/0x1e0 [ 72.812853][ T5068] __x64_sys_creat+0xcd/0x120 [ 72.818039][ T5068] do_syscall_64+0x40/0x110 [ 72.823048][ T5068] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 72.829451][ T5068] [ 72.829451][ T5068] other info 
that might help us debug this:
[ 72.829451][ T5068]
[ 72.839665][ T5068] Possible unsafe locking scenario:
[ 72.839665][ T5068]
[ 72.847092][ T5068]        CPU0                    CPU1
[ 72.852430][ T5068]        ----                    ----
[ 72.857775][ T5068]   lock(&HFSPLUS_I(inode)->extents_lock);
[ 72.863569][ T5068]                                lock(&tree->tree_lock);
[ 72.870664][ T5068]                                lock(&HFSPLUS_I(inode)->extents_lock);
[ 72.878968][ T5068]   lock(&tree->tree_lock);
[ 72.883450][ T5068]
[ 72.883450][ T5068] *** DEADLOCK ***
[ 72.883450][ T5068]
[ 72.891579][ T5068] 3 locks held by syz-executor743/5068:
[ 72.897110][ T5068] #0: ffff88807ec7c418 (sb_writers#10){.+.+}-{0:0}, at: path_openat+0x2112/0x2c50
[ 72.906416][ T5068] #1: ffff888020136380 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}, at: do_truncate+0x14b/0x220
[ 72.916760][ T5068] #2: ffff888020136188 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x204/0x9d0
[ 72.928313][ T5068]
[ 72.928313][ T5068] stack backtrace:
[ 72.934187][ T5068] CPU: 0 PID: 5068 Comm: syz-executor743 Not tainted 6.7.0-rc7-syzkaller-00029-g8735c7c84d1b #0
[ 72.944579][ T5068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 72.954619][ T5068] Call Trace:
[ 72.957882][ T5068]
[ 72.960796][ T5068] dump_stack_lvl+0xd9/0x1b0
[ 72.965377][ T5068] check_noncircular+0x317/0x400
[ 72.970313][ T5068] ? print_circular_bug+0x5c0/0x5c0
[ 72.975510][ T5068] ? register_lock_class+0xb1/0x1220
[ 72.980787][ T5068] ? lockdep_lock+0xc6/0x200
[ 72.985361][ T5068] ? hlock_class+0x130/0x130
[ 72.989951][ T5068] __lock_acquire+0x2433/0x3b20
[ 72.994798][ T5068] ? lockdep_hardirqs_on_prepare+0x420/0x420
[ 73.000769][ T5068] ? find_held_lock+0x2d/0x110
[ 73.005520][ T5068] lock_acquire+0x1ae/0x520
[ 73.010016][ T5068] ? hfsplus_file_truncate+0x882/0x9d0
[ 73.015462][ T5068] ? lock_sync+0x190/0x190
[ 73.019865][ T5068] ? __mutex_unlock_slowpath+0x165/0x650
[ 73.025485][ T5068] ?
preempt_count_sub+0x160/0x160 [ 73.030579][ T5068] __mutex_lock+0x175/0x9d0 [ 73.035070][ T5068] ? hfsplus_file_truncate+0x882/0x9d0 [ 73.040511][ T5068] ? hfsplus_file_truncate+0x882/0x9d0 [ 73.045948][ T5068] ? _raw_spin_unlock+0x28/0x40 [ 73.050779][ T5068] ? mutex_trylock+0x130/0x130 [ 73.055530][ T5068] ? hfsplus_file_truncate+0x882/0x9d0 [ 73.060974][ T5068] hfsplus_file_truncate+0x882/0x9d0 [ 73.066246][ T5068] ? __up_read+0x1fc/0x760 [ 73.070646][ T5068] ? hfsplus_get_block+0x9e0/0x9e0 [ 73.075747][ T5068] ? inode_newsize_ok+0x13c/0x200 [ 73.080757][ T5068] hfsplus_setattr+0x1eb/0x310 [ 73.085523][ T5068] ? hfsplus_file_fsync+0x5d0/0x5d0 [ 73.090713][ T5068] notify_change+0x742/0x11c0 [ 73.095398][ T5068] do_truncate+0x15c/0x220 [ 73.099804][ T5068] ? file_open_root+0x450/0x450 [ 73.104644][ T5068] path_openat+0x2597/0x2c50 [ 73.109222][ T5068] ? path_lookupat+0x770/0x770 [ 73.113973][ T5068] ? lockdep_hardirqs_on_prepare+0x420/0x420 [ 73.119949][ T5068] do_filp_open+0x1de/0x430 [ 73.124440][ T5068] ? may_open_dev+0xf0/0xf0 [ 73.128928][ T5068] ? find_held_lock+0x2d/0x110 [ 73.133677][ T5068] ? _raw_spin_unlock+0x28/0x40 [ 73.138510][ T5068] ? alloc_fd+0x2da/0x6c0 [ 73.142822][ T5068] do_sys_openat2+0x176/0x1e0 [ 73.147486][ T5068] ? build_open_flags+0x690/0x690 [ 73.152499][ T5068] ? ptrace_notify+0xf4/0x130 [ 73.157162][ T5068] ? restore_fpregs_from_fpstate+0xc1/0x1d0 [ 73.163042][ T5068] __x64_sys_creat+0xcd/0x120 [ 73.167705][ T5068] ? __x64_compat_sys_openat+0x200/0x200 [ 73.173319][ T5068] ? _raw_spin_unlock_irq+0x2e/0x50 [ 73.178505][ T5068] ? 
syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 73.184745][ T5068] do_syscall_64+0x40/0x110 [ 73.189233][ T5068] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 73.195118][ T5068] RIP: 0033:0x7fec807f8879 [ 73.199518][ T5068] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 73.219114][ T5068] RSP: 002b:00007ffc6ec490c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 [ 73.227514][ T5068] RAX: ffffffffffffffda RBX: 00007ffc6ec492a8 RCX: 00007fec807f8879 [ 73.235470][ T5068] RDX: 00007fec807f8879 RSI: 0000000000000000 RDI: 0000000020000200 [ 73.243425][ T5068] RBP: 00007fec8086c610 R08: 0000000000000000 R09: 0000000000000000 [ 73.251381][ T5068] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 creat("./file1", 000) = 5 exit_group(0) = ? +++ exited with 0 +++