./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2099599860 <...> syzkaller syzkaller login: [ 61.615019][ T26] kauditd_printk_skb: 42 callbacks suppressed [ 61.615039][ T26] audit: type=1400 audit(1686642721.675:77): avc: denied { transition } for pid=4832 comm="sshd" path="/bin/sh" dev="sda1" ino=89 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 61.665369][ T26] audit: type=1400 audit(1686642721.715:78): avc: denied { noatsecure } for pid=4832 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 61.705302][ T26] audit: type=1400 audit(1686642721.715:79): avc: denied { write } for pid=4832 comm="sh" path="pipe:[28490]" dev="pipefs" ino=28490 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 61.733018][ T26] audit: type=1400 audit(1686642721.725:80): avc: denied { rlimitinh } for pid=4832 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 61.775019][ T26] audit: type=1400 audit(1686642721.725:81): avc: denied { siginh } for pid=4832 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 63.009822][ T26] audit: type=1400 audit(1686642723.075:82): avc: denied { read } for pid=4427 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1 Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts. [ 91.638694][ T26] audit: type=1400 audit(1686642751.705:83): avc: denied { write } for pid=4989 comm="strace-static-x" path="pipe:[29818]" dev="pipefs" ino=29818 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 execve("./syz-executor2099599860", ["./syz-executor2099599860"], 0x7fff80535310 /* 10 vars */) = 0 brk(NULL) = 0x555555946000 brk(0x555555946c40) = 0x555555946c40 arch_prctl(ARCH_SET_FS, 0x555555946300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2099599860", 4096) = 28 brk(0x555555967c40) = 0x555555967c40 brk(0x555555968000) = 0x555555968000 mprotect(0x7f0c692b3000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c60df9000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 munmap(0x7f0c60df9000, 4194304) = 0 [ 91.706604][ T26] audit: type=1400 audit(1686642751.775:84): avc: denied { execmem } for pid=4992 comm="syz-executor209" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 91.710409][ T4992] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4992 'syz-executor209' openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 91.788947][ T26] audit: type=1400 audit(1686642751.855:85): avc: denied { read write } for pid=4992 comm="syz-executor209" name="loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 91.793027][ T4992] loop0: detected capacity change from 0 to 8192 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 mkdir("./file0", 0777) = 0 [ 91.814621][ T26] audit: type=1400 audit(1686642751.855:86): avc: denied { open } for pid=4992 comm="syz-executor209" path="/dev/loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 91.846261][ T26] audit: type=1400 audit(1686642751.855:87): avc: denied { ioctl } for pid=4992 comm="syz-executor209" path="/dev/loop0" dev="devtmpfs" ino=648 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 91.872945][ T26] audit: type=1400 audit(1686642751.915:88): avc: denied { mounton } for pid=4992 comm="syz-executor209" path="/root/file0" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 91.877556][ T4992] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 91.909525][ T4992] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 91.919199][ T4992] REISERFS (device loop0): using ordered data mode [ 91.925816][ T4992] reiserfs: using flush barriers [ 91.933286][ T4992] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 91.951274][ T4992] REISERFS (device loop0): checking transaction log (loop0) [ 91.952404][ T26] audit: type=1400 audit(1686642752.015:89): avc: denied { append } for pid=4427 comm="syslogd" name="messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 91.987500][ T2490] cfg80211: failed to load regulatory.db [ 91.987906][ T26] audit: type=1400 audit(1686642752.015:90): avc: denied { open } for pid=4427 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 92.018480][ T26] audit: type=1400 audit(1686642752.015:91): avc: denied { getattr } for pid=4427 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 mount("/dev/loop0", "./file0", "reiserfs", 0, "") = 0 openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 chdir("./file0") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 openat(AT_FDCWD, "cpuset.effective_mems", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 openat(AT_FDCWD, "cpuset.effective_mems", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5 dup2(4, 5) = 5 [ 92.073933][ T4992] REISERFS (device loop0): Using r5 hash to sort names [ 92.083033][ T4992] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [ 92.093620][ T26] audit: type=1400 audit(1686642752.155:92): avc: denied { mount } for pid=4992 comm="syz-executor209" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nfs_t tclass=filesystem permissive=1 [ 92.126067][ T4992] [ 92.128460][ T4992] ====================================================== [ 92.135518][ T4992] WARNING: possible circular locking dependency detected [ 92.142995][ T4992] 6.4.0-rc6-syzkaller-00006-gfd37b884003c #0 Not tainted [ 92.151246][ T4992] ------------------------------------------------------ [ 92.158269][ T4992] syz-executor209/4992 is trying to acquire lock: [ 92.165064][ T4992] ffff88807cad8460 (sb_writers#10){.+.+}-{0:0}, at: reiserfs_ioctl+0x1a2/0x330 [ 92.174159][ T4992] [ 92.174159][ T4992] but task is already holding lock: [ 92.181526][ T4992] ffff8880142a4090 (&sbi->lock){+.+.}-{3:3}, at: reiserfs_write_lock+0x79/0x100 [ 92.190789][ T4992] [ 92.190789][ T4992] which lock already depends on the new lock. [ 92.190789][ T4992] [ 92.201369][ T4992] [ 92.201369][ T4992] the existing dependency chain (in reverse order) is: [ 92.214131][ T4992] [ 92.214131][ T4992] -> #2 (&sbi->lock){+.+.}-{3:3}: [ 92.221362][ T4992] __mutex_lock+0x12f/0x1350 [ 92.226773][ T4992] reiserfs_write_lock+0x79/0x100 [ 92.232347][ T4992] reiserfs_lookup+0x175/0x610 [ 92.238792][ T4992] __lookup_slow+0x24c/0x460 [ 92.244104][ T4992] lookup_one_len+0x16e/0x1a0 [ 92.249323][ T4992] reiserfs_lookup_privroot+0x96/0x210 [ 92.255671][ T4992] reiserfs_fill_super+0x20e7/0x2eb0 [ 92.268112][ T4992] mount_bdev+0x358/0x420 [ 92.273171][ T4992] legacy_get_tree+0x109/0x220 [ 92.278575][ T4992] vfs_get_tree+0x8d/0x350 [ 92.283634][ T4992] path_mount+0x134b/0x1e40 [ 92.288692][ T4992] __x64_sys_mount+0x283/0x300 [ 92.294091][ T4992] do_syscall_64+0x39/0xb0 [ 92.299038][ T4992] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 92.305480][ T4992] [ 92.305480][ T4992] -> #1 (&type->i_mutex_dir_key#6){+.+.}-{3:3}: [ 92.314011][ T4992] down_write+0x92/0x200 [ 92.319052][ T4992] path_openat+0x90f/0x2750 [ 92.324185][ T4992] do_filp_open+0x1ba/0x410 [ 92.330104][ T4992] do_sys_openat2+0x16d/0x4c0 [ 92.335841][ T4992] __x64_sys_openat+0x143/0x1f0 [ 92.341481][ T4992] do_syscall_64+0x39/0xb0 [ 92.347034][ T4992] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 92.353469][ T4992] [ 92.353469][ T4992] -> #0 (sb_writers#10){.+.+}-{0:0}: [ 92.361063][ T4992] __lock_acquire+0x2fcd/0x5f30 [ 92.368564][ T4992] lock_acquire+0x1b1/0x520 [ 92.373710][ T4992] mnt_want_write_file+0x92/0x5d0 [ 92.379547][ T4992] reiserfs_ioctl+0x1a2/0x330 [ 92.384774][ T4992] __x64_sys_ioctl+0x197/0x210 [ 92.390093][ T4992] do_syscall_64+0x39/0xb0 [ 92.395067][ T4992] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 92.402987][ T4992] [ 92.402987][ T4992] other info that might help us debug this: [ 92.402987][ T4992] [ 92.420163][ T4992] Chain exists of: [ 92.420163][ T4992] sb_writers#10 --> &type->i_mutex_dir_key#6 --> &sbi->lock [ 92.420163][ T4992] [ 92.434898][ T4992] Possible unsafe locking scenario: [ 92.434898][ T4992] [ 92.443227][ T4992] CPU0 CPU1 [ 92.449313][ T4992] ---- ---- [ 92.454775][ T4992] lock(&sbi->lock); [ 92.458903][ T4992] lock(&type->i_mutex_dir_key#6); [ 92.466960][ T4992] lock(&sbi->lock); [ 92.474210][ T4992] rlock(sb_writers#10); [ 92.478556][ T4992] [ 92.478556][ T4992] *** DEADLOCK *** [ 92.478556][ T4992] [ 92.486803][ T4992] 1 lock held by syz-executor209/4992: [ 92.494288][ T4992] #0: ffff8880142a4090 (&sbi->lock){+.+.}-{3:3}, at: reiserfs_write_lock+0x79/0x100 [ 92.504085][ T4992] [ 92.504085][ T4992] stack backtrace: [ 92.510061][ T4992] CPU: 1 PID: 4992 Comm: syz-executor209 Not tainted 6.4.0-rc6-syzkaller-00006-gfd37b884003c #0 [ 92.521286][ T4992] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 [ 92.531877][ T4992] Call Trace: [ 92.536937][ T4992] [ 92.540247][ T4992] dump_stack_lvl+0xd9/0x150 [ 92.544859][ T4992] check_noncircular+0x25f/0x2e0 [ 92.549816][ T4992] ? print_circular_bug+0x730/0x730 [ 92.555477][ T4992] ? find_held_lock+0x2d/0x110 [ 92.560403][ T4992] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 92.566418][ T4992] ? avc_has_perm_noaudit+0x10b/0x3a0 [ 92.572069][ T4992] ? lock_downgrade+0x690/0x690 [ 92.577589][ T4992] ? tomoyo_path_number_perm+0x43b/0x570 [ 92.583290][ T4992] __lock_acquire+0x2fcd/0x5f30 [ 92.588181][ T4992] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 92.594188][ T4992] ? rcu_is_watching+0x12/0xb0 [ 92.599071][ T4992] ? trace_contention_end+0xd8/0x100 [ 92.604373][ T4992] lock_acquire+0x1b1/0x520 [ 92.608897][ T4992] ? reiserfs_ioctl+0x1a2/0x330 [ 92.613764][ T4992] ? lock_sync+0x190/0x190 [ 92.620758][ T4992] ? find_held_lock+0x2d/0x110 [ 92.625627][ T4992] mnt_want_write_file+0x92/0x5d0 [ 92.630759][ T4992] ? reiserfs_ioctl+0x1a2/0x330 [ 92.635890][ T4992] reiserfs_ioctl+0x1a2/0x330 [ 92.640588][ T4992] ? reiserfs_fileattr_set+0x570/0x570 [ 92.646331][ T4992] __x64_sys_ioctl+0x197/0x210 [ 92.651122][ T4992] do_syscall_64+0x39/0xb0 [ 92.655907][ T4992] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 92.661846][ T4992] RIP: 0033:0x7f0c69245af9 [ 92.666287][ T4992] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 92.686003][ T4992] RSP: 002b:00007ffd50c770c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 92.694526][ T4992] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0c69245af9 [ 92.702698][ T4992] RDX: 0000000000000000 RSI: 0000000040087602 RDI: 0000000000000005 [ 92.710772][ T4992] RBP: 00007f0c69205100 R08: 0000000000000000 R09: 0000000000000000 [ 92.719286][ T4992] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0c69205190 ioctl(5, FS_IOC_SETVERSION, 0) = -1 EFAULT (Bad address) exit_group(0) = ? +++ exited with 0 +++ [ 92.727278][ T4